I wanted to share a small project I'm working on. It's called acme-hooked.
acme-hooked is meant as an enhanced and improved version of acme-tiny. acme-tiny is a very useful tool to issue or renew Let's Encrypt certificates. Unfortunately, it has not seen a single commit since 2019. For a security-related project, this is not ideal.
Hence acme-hooked. It continues the idea of having a tiny, auditable script to issue and renew TLS certificates. The central goal is to cleanly separate the concerns of (1) interacting with the ACME server, and (2) modifying your local system. The latter part is done by hook scripts called by acme-hooked via a well-defined interface. This makes acme-hooked very flexible by design. In addition, it tries to resolve the most complained-about issues with acme-tiny. While doing that, it still provides a compatibility wrapper for acme-tiny, so that it can be used as a drop-in replacement.
The main changes include:
- it works for both the ACME DNS-01 and HTTP-01 challenges (acme-tiny only supports HTTP-01),
- several customizable hook scripts are provided that can be used to immediately issue certificates via ACME with the above challenge types,
- a wrapper and compatibility hook script is provided, so that acme-hooked can be used as a drop-in replacement for acme-tiny, providing all the same features via the same command-line interface,
- more than one CSR can be processed at a time, without redoing the entire ACME registration process, saving time and requests to the ACME server,
- it's still tiny: substantially less than 200 lines of actual code, which can be easily audited.
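As an added example, not code from acme-hooked or from this post: a minimal HTTP-01 hook in POSIX sh, illustrating the split described above, where the ACME client talks to the CA and a hook script is the only thing that touches the local system. The calling convention (action, webroot, token, key authorization as positional arguments) is assumed for this example and is not acme-hooked's actual hook interface. The point worth seeing is that the token arrives from the ACME server, so the hook validates it before turning it into a filename.

```shell
#!/bin/sh
# Added example: a minimal HTTP-01 hook. The calling convention
# (action in $1, webroot in $2, token in $3, key authorization in $4)
# is an assumption made for this example, not acme-hooked's interface.
set -eu

# An ACME challenge token is base64url (RFC 8555, section 8.3). The hook
# is the point where data from the ACME server touches the filesystem,
# so refuse anything else: a token like "../../cron.d/x" must never be
# used as a path component.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Publish the key authorization at
#   <webroot>/.well-known/acme-challenge/<token>
# so the CA can fetch it over plain HTTP. The file is written under a
# temporary name and renamed, so the CA never reads a partial response.
deploy_http01() {
    webroot=$1; token=$2; keyauth=$3
    valid_token "$token" || { echo "deploy_http01: refusing token '$token'" >&2; return 1; }
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$keyauth" > "$dir/$token.tmp"
    chmod 0644 "$dir/$token.tmp"   # the key authorization is public by design
    mv "$dir/$token.tmp" "$dir/$token"
}

# Remove the challenge response once validation has finished.
cleanup_http01() {
    webroot=$1; token=$2
    valid_token "$token" || return 1
    rm -f "$webroot/.well-known/acme-challenge/$token"
}

# Dispatch when run as a script, e.g.:
#   ./http01-hook.sh deploy  /var/www/html <token> <keyauth>
#   ./http01-hook.sh cleanup /var/www/html <token>
case "${1:-}" in
    deploy)  deploy_http01 "$2" "$3" "$4" ;;
    cleanup) cleanup_http01 "$2" "$3" ;;
esac
```

Because the hook never contacts the ACME server, it can be audited and tested on its own, with no network access and no account key in reach, which is the practical benefit of keeping the two concerns apart.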
I hope you'll give it a whirl. Let me know what you think. Pull requests and bug reports are much appreciated. Several of the issues pointed out in the bug reports and pull requests of acme-tiny have already been incorporated.