Acme-hooked, an acme-tiny alternative and drop-in replacement

I wanted to share a small project I'm working on. It's called acme-hooked.

acme-hooked is meant as an enhanced and improved version of acme-tiny. acme-tiny is a very useful tool to issue or renew Let's Encrypt certificates. Unfortunately, it has not seen a single commit since 2019. For a security-related project, this is not ideal.

Hence acme-hooked. It continues the idea of having a tiny, auditable script to issue and renew TLS certificates. The central goal is to cleanly separate the concerns of (1) interacting with the ACME server, and (2) modifying your local system. The latter part is done by hook scripts called by acme-hooked via a well-defined interface. Hence, acme-hooked is very flexible by design. In
addition, it tries to resolve the most complained-about issues with acme-tiny. While doing that, it still provides a compatibility wrapper for acme-tiny, so that it can be used as a drop-in replacement.

The main changes include:

  • it works for both the ACME DNS-01 and HTTP-01 challenges (acme-tiny only supports HTTP-01),

  • several customizable hook scripts are provided that can be used to immediately issue certificates via ACME with the above challenge types,

  • a wrapper and compatibility hook script is provided, so that acme-hooked can be used as a drop-in replacement for acme-tiny, providing all the same features via the same command-line interface

  • more than one CSR can be processed at a time, without redoing the entire ACME
    registration process, saving time and requests to the ACME server,

  • it's still tiny: substantially less than 200 lines of actual code can be easily audited.

I'll hope you'll give it a whirl. Let me know what you think. Pull requests and bug reports are much appreciated. Several of the issues pointed out in the bug reports and pull requests of acme-tiny have already been incorporated.


Nice! Little typo on this line : acme-hooked/ at 53174dab8f0608d472e120e88579cfeaa00c9801 · mmorak/acme-hooked · GitHub

External Account Binding would probably be useful so you can take advantage of a couple more ACME providers.

1 Like

Thanks :slight_smile: EAB sounds interesting, yes. Do you happen to know a provider where I could test this?

1 Like

just setup a pebble. it's made to be test acme clients.
P.S you will need to add test root to your machine( or add code to use custom CA certificate to python to trust it's https certificate that api page uses.

1 Like

Yes you can run pebble in docker pointing to their EAB test config: test/config/pebble-config-external-account-bindings.json

You can also use ZeroSSL and acme services which both require EAB (and will probably also have other subtle ACME behaviors to cope with like differences in how long you have to wait for things to complete etc). Over time there will definitely be other large ACME services using EAB during account registration.

1 Like

Great, thank you both. I wasn't aware that pebble now had EAB functionality, last time I checked it didn't. But it seems that they had it for a while now (2019), but only updated their documentation much later (2020).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.