• Stars
    star
    2,015
  • Rank 22,972 (Top 0.5 %)
  • Language
    Go
  • Created about 9 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🔒 acmetool, an automatic certificate acquisition tool for ACME (Let's Encrypt)

acmetool

[webchat: freenode #acmetool]
[download count] [version]
[ppa
debian/ubuntu] Build Status

acmetool is an easy-to-use command line tool for automatically acquiring certificates from ACME servers (such as Let's Encrypt). Designed to flexibly integrate into your webserver setup to enable automatic verification. Unlike the official Let's Encrypt client, this doesn't modify your web server configuration.

✅ Zero-downtime autorenewal
✅ Supports any webserver
✅ Fully automatable
✅ Single-file dependency-free binary
✅ Idempotent
✅ Fast setup

You can perform verifications using port 80 or 443 (if you don't yet have a server running on one of them); via webroot; by configuring your webserver to proxy requests for /.well-known/acme-challenge/ to a special port (402) which acmetool can listen on; or by configuring your webserver not to listen on port 80, and instead running acmetool's built in HTTPS redirector (and challenge responder) on port 80. This is useful if all you want to do with port 80 is redirect people to port 443.

You can run acmetool on a cron job to renew certificates automatically (acmetool --batch). The preferred certificate for a given hostname is always at /var/lib/acme/live/HOSTNAME/{cert,chain,fullchain,privkey}. You can configure acmetool to reload your webserver automatically when it renews a certificate.

acmetool is intended to be "magic-free". All of acmetool's state is stored in a simple, comprehensible directory of flat files. The schema for this directory is documented.

acmetool is intended to work like "make". The state directory expresses target domain names, and whenever acmetool is invoked, it ensures that valid certificates are available to meet those names. Certificates which will expire soon are renewed. acmetool is thus idempotent and minimises the use of state.

acmetool can optionally be used without running it as root. If you have existing certificates issued using the official client, acmetool can import those certificates, keys and account keys (acmetool import-le).

acmetool supports both RSA and ECDSA keys and certificates. acmetool's notification hooks system allows you to write arbitrary shell scripts to be executed when new certificates are obtained. By default, this is used to reload webservers automatically, but it can also be used to distribute certificates to other servers or for other purposes.

Getting Started

Binary releases: Binary releases are available.

Download the release appropriate for your platform and simply copy the acmetool binary to /usr/bin.

_cgo releases are preferred over non-_cgo releases where available, but non-_cgo releases may be more compatible with older OSes.

Ubuntu users: A binary release PPA, ppa:hlandau/rhea (package acmetool) is available.

$ sudo add-apt-repository ppa:hlandau/rhea
$ sudo apt-get update
$ sudo apt-get install acmetool

You can also download .deb files manually.

(Note: There is no difference between the .deb files for different Ubuntu release codenames; they are interchangeable and completely equivalent.)

Debian users: The Ubuntu binary release PPA also works with Debian:

# echo 'deb http://ppa.launchpad.net/hlandau/rhea/ubuntu xenial main' > /etc/apt/sources.list.d/rhea.list
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9862409EF124EC763B84972FF5AC9651EDB58DFA
# apt-get update
# apt-get install acmetool

You can also download .deb files manually.

(Note: There is no difference between the .deb files for different Ubuntu release codenames; they are interchangeable and completely equivalent.)

RPM-based distros: A copr RPM repository is available.

If you have dnf installed:

$ sudo dnf copr enable hlandau/acmetool
$ sudo dnf install acmetool

Otherwise use the .repo files on the repository page and use yum, or download RPMs and use rpm directly.

Void Linux users: acmetool is in the repositories:

$ sudo xbps-install acmetool

Arch Linux users: An AUR PKGBUILD for building from source is available.

$ wget https://aur.archlinux.org/cgit/aur.git/snapshot/acmetool-git.tar.gz
$ tar xvf acmetool-git.tar.gz
$ cd acmetool-git
$ makepkg -s
$ sudo pacman -U ./acmetool*.pkg.tar.xz

Alpine Linux users: An APKBUILD for building from source is available.

FreeBSD users: FreeBSD port is available.

Building from source: You will need Go installed to build from source.

If you are on Linux, you will need to make sure the development files for libcap are installed. This is probably a package for your distro called libcap-dev or libcap-devel or similar.

# This is necessary to work around a change in Git's default configuration
# which hasn't yet been accounted for in some places.
$ git config --global http.followRedirects true

$ git clone https://github.com/hlandau/acme
$ cd acme
$ make && sudo make install

  # (People familiar with Go with a GOPATH setup can alternatively use go get/go install:)
  $ git config --global http.followRedirects true
  $ go get github.com/hlandau/acmetool

After installation

# Run the quickstart wizard. Sets up account, cronjob, etc.
# (If you want to use ECDSA keys or set RSA key size, pass "--expert".)
$ sudo acmetool quickstart

# Configure your webserver to serve challenges if necessary.
# See https://hlandau.github.io/acmetool/userguide#web-server-configuration
$ ...

# Request the hostnames you want:
$ sudo acmetool want example.com www.example.com

# Now you have certificates:
$ ls -l /var/lib/acme/live/example.com/

The quickstart subcommand is a recommended wizard which guides you through the setup of ACME on your system.

The want subcommand states that you want a certificate for the given hostnames. (If you want separate certificates for each of the hostnames, run the want subcommand separately for each hostname.)

The default subcommand, reconcile, is like "make" and makes sure all desired hostnames are satisfied by valid certificates which aren't soon to expire. want calls reconcile automatically.

If you run acmetool reconcile on a cronjob to facilitate automatic renewal, pass --batch to ensure it doesn't attempt to interact with a terminal.

You can increase logging severity for debugging purposes by passing --xlog.severity=debug.

Validation Options

[screenshot]

Webroot: acmetool can place challenge files in a given directory, allowing your normal web server to serve them. The files must be served from the path you specify at /.well-known/acme-challenge/.

Information on configuring your web server.

Proxy: acmetool can respond to validation challenges by serving them on port 402. In order for this to be useful, you must configure your webserver to proxy requests under /.well-known/acme-challenge/ to http://127.0.0.1:402/.well-known/acme-challenge.

Information on configuring your web server.

Stateless: You configure your webserver to respond statelessly to challenges for a given account key without consulting acmetool. This requires nothing more than a one-time web server configuration change and no "moving parts". Information on configuring stateless challenges.

Redirector: acmetool redirector starts an HTTP server on port 80 which redirects all requests to HTTPS, as well as serving any necessary validation responses. The acmetool quickstart wizard can set it up for you if you use systemd. Otherwise, you'll need to configure your system to run acmetool redirector --service.uid=USERNAME --service.daemon=1 as a service, where USERNAME is the username you want the daemon to drop to.

Make sure your web server is not listening on port 80.

Listen: If you are for some reason not running anything on port 80 or 443, acmetool will use those ports. Either port being available is sufficient. This is only really useful for development purposes.

Hook: You can write custom shell scripts (or binary executables) which acmetool invokes to provision challenge files at the desired location. For example, you could rsync challenge files to a directory on a remote server. More information.

Renewal

acmetool will try to renew certificates automatically once they are 30 days from expiry, or 66% through their validity period, whichever is lower. Note that Let's Encrypt currently issues 90 day certificates.

acmetool will exit with an error message with nonzero exit status if it cannot renew a certificate, so it is suitable for use in a cronjob. Ensure your system is configured so that you get notifications of failing cronjobs.

If a cronjob fails, you should intervene manually to see what went wrong by running acmetool (possibly with --xlog.severity=debug for verbose logging).

Library

The client library which these utilities use can be used independently by any Go code. README and source code. Godoc.

Comparison with...

certbot: A heavyweight Python implementation which is a bit too “magic” for my tastes. Tries to mutate your webserver configuration automatically.

acmetool is a single-file binary which only depends on basic system libraries (on Linux, these are libc, libpthread, libcap, libattr). It doesn't do anything to your webserver; it just places certificates at a standard location and can also reload your webserver (whichever webserver it is) by executing hook shell scripts.

acmetool isn't based around individual transactions for obtaining certificates; it's about satisfying expressed requirements by any means necessary. Its comprehensible, magic-free state directory makes it as stateless and idempotent as possible.

lego: Like acmetool, xenolf/lego provides a library and client utility. The utility provides commands for creating certificates, but doesn't provide a compelling system for managing the lifetime of the short-lived certificates offered by Let's Encrypt. The user is expected to generate and install all certificates manually.

gethttpsforfree: diafygi/gethttpsforfree provides an HTML file which uses JavaScript to make requests to an ACME server and obtain certificates. It's a functional user interface, but like lego it provides no answer for the automation issue, and is thus impractical given the short lifetime of certificates issued by Let's Encrypt.

Comparison, list of client implementations

acmetoolcertbotlegogethttpsforfree
Automatic renewalYesNot yetNoNo
SAN supportYesYesYesYes
ECC supportYesNoNoNo
OCSP Must Staple supportYesNoNoNo
Revocation supportYesYesYesNo
State managementYes†Yes
Single-file binaryYesNoYesYes
Quickstart wizardYesYesNoNo
Modifies webserver configNoBy defaultNoNo
Non-root supportOptionalOptionalOptional
Supports ApacheYesYes
Supports nginxYesExperimental
Supports HAProxyYesNo
Supports HitchYesNo
Supports any web serverYesWebroot‡
Authorization via webrootYesYesManual
Authorization via port 80 redirectorYesNoNoNo
Authorization via proxyYesNoNoNo
Authorization via listener§YesYesYesNo
Authorization via DNSHook onlyNoYesNo
Authorization via custom hookYesNoNoNo
Import state from official clientYes
Windows (basic) supportNoNoYes
Windows integration supportNoNoNo

† acmetool has a different philosophy to state management and configuration to the Let's Encrypt client; see the beginning of this README.

‡ The webroot method does not appear to provide any means of reloading the webserver once the certificate has been changed, which means auto-renewal requires manual intervention.

§ Requires downtime.

This table is maintained in good faith; I believe the above comparison to be accurate. If notified of any inaccuracies, I will rectify the table and publish a notice of correction here:

  • This table previously stated that the official Let's Encrypt client doesn't support non-root operation. This was incorrect; it can be installed at user level and be configured to use user-writable directories.

Documentation & Support

For more documentation see:

If your question or issue isn't resolved by any of the above, file an issue.

IRC: #acmetool on Freenode (webchat).

Licence

© 2015—2019 Hugo Landau <[email protected]>    MIT License

Licenced under the licence with SHA256 hash fd80a26fbb3f644af1fa994134446702932968519797227e07a1368dea80f0bc, a copy of which can be found here.

More Repositories

1

service

⚡ Easily write daemonizable services in Go
Go
500
star
2

passlib

🔑 Idiotproof golang password validation library inspired by Python's passlib
Go
287
star
3

acme.t

ACME automatic certificate acquisition tool. Repository has moved to:
70
star
4

ortega

Ortega FDK
C
56
star
5

portmap

🚥 Port mapping library for Go supporting NAT-PMP and UPnP
Go
33
star
6

kvmtest

An experimental VMM for KVM written in pure Python
Python
21
star
7

tftp2httpd

📁 Serve files over TFTP from HTTP.
Makefile
20
star
8

captcha

👓 Go CAPTCHA
Go
10
star
9

tn5250

VT terminal-based 5250 emulator (5250->xterm adapter) and library
C
10
star
10

kconfigreport

Reports of how the Linux kernel is configured by different distributions.
Python
9
star
11

madns

🌐 Authoritative DNS server engine for Go
Go
9
star
12

acmeapi

ACMEv2 client library for Go. See branch "new" for current version (gopkg.in/hlandau/acmeapi.v2)
Go
9
star
13

memu

ARMv8-M/Cortex-M emulator/simulator
C++
9
star
14

ncdocs

Various Namecoin-related documents
GCC Machine Description
7
star
15

ncdns.t

Namecoin to DNS bridge daemon. This repository has moved to
7
star
16

svcutils

⚡ Utilities for writing services in Go
Go
7
star
17

configurable

💾 Function-free golang integration nexus for configuration
Go
6
star
18

ircproto

IRC protocol client library and bot
Go
6
star
19

compex

ℹ️ GCC/clang compiler plugins for the dumping of C++ type information in a machine-readable format
C++
6
star
20

parazmq

🚧 Pure Go implementation of ZMTP/3.0 (ZeroMQ's protocol) (*work in progress*)
Go
5
star
21

measurable

📈 Function-free golang integration nexus for metrics
Go
4
star
22

tags-active-demo

Demo program for use of memory tagging on POWER9 (Talos/Blackbird)
C
4
star
23

specwriter

Writing natural-language technical specifications in Guile Scheme
Scheme
4
star
24

eddsa

🔑 Structures for safe handling of Ed25519 keys
Go
4
star
25

ovmfvartool

Generate and dump OVMF_VARS.fd files to/from YAML
Python
4
star
26

easyconfig

💾 Easy bindings for hlandau/configurable
Go
4
star
27

degoutils

🚧 Go utilities
Go
4
star
28

buildinfo

Go utilities for tracking build information
Go
3
star
29

nomadircd

🚧 IRC daemon written in Go. Rough.
Go
3
star
30

dht

🚧 BitTorrent Mainline DHT implementation (work in progress)
Go
3
star
31

expect-ct-lite

OpenSSL example code for Expect-CT Lite
C
2
star
32

winnmc

Don't use this
Batchfile
2
star
33

irc

An IRC client library for Go
Go
2
star
34

namesync

🌐 Synchronize the namecoin name database with a PostgreSQL database
Go
2
star
35

rilts

Repository-Integrated Licence Tracking Specification (RILTS)
Go
2
star
36

mnt-reform-freebsd

Scripts for MNT Reform FreeBSD enablement work
Shell
2
star
37

openssl-ddd

C
2
star
38

easymetric

📈 Easy bindings for hlandau/measurable
Go
2
star
39

armparse

Python
2
star
40

tldinfo

JSON-formatted TLD information
Shell
2
star
41

altirc

2
star
42

condorcet

Condorcet voting for Go
Go
2
star
43

js.Context

Go-style context for Node.js
TypeScript
2
star
44

modtestx

Go
1
star
45

dds-tools

Some old AS/400 tool that was part of the tn5250 project
C
1
star
46

strawtool

Go
1
star
47

modtest2

Go
1
star
48

goutils

Miscellaneous Go utility packages.
Go
1
star
49

x5250

Old x5250 emulator patched to work on modern systems
C
1
star
50

asdbget

Some old AS/400 tool that was part of the tn5250 project
C
1
star
51

js.UUID

UUID library for JS.
TypeScript
1
star
52

gnome-5250

Some old AS/400 tool that was part of the tn5250 project
C
1
star
53

js.SQLAPI-Pg

PostgreSQL database driver for SQLAPI
TypeScript
1
star
54

dexlogconfig

Personal policy and configuration package for xlog.
Go
1
star
55

draft-landau-websec-key-pinning-really

📜 No, really
Makefile
1
star
56

dedoc

Write technical documents in Scheme
Scheme
1
star
57

xlog

📄 Logging library for Go
Go
1
star
58

coincheck

IRC Bitcoin ticker written in Go.
Go
1
star
59

ctmon

🔍
Go
1
star
60

ncbtcjsontypes

Namecoin RPC types for btcjson
Go
1
star
61

tftpsrv

📁 Go TFTP server library
Go
1
star
62

goproj

Utilities for managing Go projects
Shell
1
star
63

js.Net

Go-style networking library for Node.js
TypeScript
1
star
64

js.Math

Math libraries for JS.
TypeScript
1
star
65

nccald

Namecoin calendar notification daemon (ICS, CalDAV)
Go
1
star
66

hlandau.github.io

HTML
1
star
67

nctestsuite

Namecoin domain name test suite
Go
1
star
68

nczilla

🚧 Mozilla extension under development.
JavaScript
1
star
69

sx

S-expression parser for Go
Go
1
star
70

js.SQLAPI

Generic SQL driver abstraction layer for Node.js.
TypeScript
1
star