Follow up - does acme do too much?

In a previous post (last August) I asked if acme clients did or did not
tend to do too much. The post generated very little interest.

My own situation is that I have found it necessary to create a "post post-installation" hook that is executed by crontab every five minutes in order to distribute the LE certs from one central machine to several other machines on my internal networks, which also need the certs for various reasons, and to execute the scripts that clients on those other machines may demand.

My simple efforts are in https://si.okiefrog.org/Certs/ if anyone wants them.

1 Like

You may want to look at --deploy-hook, which only runs if there is a new certificate.

5 Likes
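What a Certbot --deploy-hook can look like, as an added example (not code from the posters above or from Certbot itself). Certbot runs the hook once per renewed lineage and exports RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS (the names it covers); the staging directory layout, the STAGING_ROOT variable and the deployed.log manifest are assumptions made here for illustration. The hook copies the new chain and key into a per-lineage staging directory, replacing each file atomically and keeping the private key 0600, so a separate distribution job (rsync, scp, whatever fits the network) only has to look at what actually changed rather than running every five minutes regardless:

```sh
#!/bin/sh
# Certbot --deploy-hook that stages a renewed certificate for distribution.
# Certbot runs the hook once per renewed lineage and sets two variables:
#   RENEWED_LINEAGE  directory holding the new files, e.g. /etc/letsencrypt/live/example.org
#   RENEWED_DOMAINS  space-separated names covered by that certificate
# The staging layout, STAGING_ROOT and deployed.log below are this example's own
# assumptions, not something Certbot defines.
set -e

# stage_lineage LINEAGE_DIR STAGING_ROOT
# Copies fullchain.pem and privkey.pem into STAGING_ROOT/<lineage name>/ and prints
# that directory. Each file is written under a temporary name and then renamed, so a
# reader never sees a half-written file; the key is created 0600 and stays that way.
stage_lineage() {
    lineage=$1
    dest="$2/$(basename "$1")"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "stage_lineage: missing $lineage/$f" >&2
            return 1
        fi
    done
    (
        umask 077                        # new files 0600, new directories 0700
        mkdir -p "$dest" || exit 1
        for f in fullchain.pem privkey.pem; do
            cp "$lineage/$f" "$dest/.$f.tmp" && mv -f "$dest/.$f.tmp" "$dest/$f" || exit 1
        done
        chmod 0644 "$dest/fullchain.pem" || exit 1   # the chain is public; privkey.pem keeps 0600
    ) || return 1
    echo "$dest"
}

# record_manifest LINEAGE_NAME DOMAINS STAGING_ROOT
# Appends a timestamped line so the distribution job can see what changed and when.
record_manifest() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$3/deployed.log"
}

main() {
    staging=${STAGING_ROOT:-/var/lib/cert-staging}
    dest=$(stage_lineage "$RENEWED_LINEAGE" "$staging")
    record_manifest "$(basename "$RENEWED_LINEAGE")" "$RENEWED_DOMAINS" "$staging"
    echo "staged $RENEWED_DOMAINS in $dest"
}

# Run only when Certbot invoked us; sourcing the file (e.g. for tests) then does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Installed as, say, /etc/letsencrypt/renewal-hooks/deploy/stage.sh (a hypothetical path; Certbot also accepts the script via --deploy-hook on the command line), the hook is silent on the runs where nothing renewed, and a non-zero exit from stage_lineage makes Certbot report the failure instead of leaving a half-distributed certificate behind.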

ACME clients are what is in the name: they acquire certificates via the ACME protocol. They are not certificate management systems. However, many ACME clients have features of certificate management systems, trying to make their use more practical (all-in-one):

  • storing credentials (ACME account, Dynamic DNS account)
  • storing the certificates (with keys)
  • checking when to renew a certificate
  • updating web server configuration to allow validating the domain name via HTTP-01
  • updating web server configuration to refer to the stored certificates
  • notifying services to start using the renewed certificate
  • implementing a scheduler function to regularly execute some of the above functions

The list is very likely not exhaustive. But these functions have not much to do with the client-side ACME protocol implementation.

The ACME client (https://github.com/bruncsak/ght-acme.sh) I am maintaining is a pure ACME client, stateless. I have another script that plays the role of the certificate management, and calls my ACME client only to acquire a certificate.

My certificate management system has similar requirements to yours; for example, some certificates are distributed to multiple hosts, even to different protocols: HTTPS (apache, nginx, BigIP F5), IMAPS, STARTTLS in SMTP.

5 Likes

I did, of course. My script warns of impending doom as well if renewal fails. It's not a complete solution. It checks serial numbers of the certificates, notices any changes and invokes shell-script "hooks" if needed. The shell scripts can contain almost anything, so it is rather versatile. It is also a very modest system, with little overhead.

4 Likes
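A minimal version of the serial-number check described in this reply, as an added example; the poster's own scripts are at the URL given earlier in the thread, and this is not them. The certificate, state and hook directories, and the convention that the hook for a certificate is HOOK_DIR/<name> called with the name and certificate path, are assumptions made here. The script reads each certificate's serial with openssl, runs the hook only when the serial differs from the one stored on the last run, and records the new serial only after the hook exits 0, so a hook that fails (a target host that was unreachable, say) is retried on the next cron run instead of being forgotten:

```sh
#!/bin/sh
# Cron-driven certificate change detector: remember each certificate's serial number,
# and run a hook only for certificates whose serial has changed since the last run.
# CERT_DIR, STATE_DIR, HOOK_DIR and the hook calling convention are this example's
# assumptions; the layout under CERT_DIR follows Certbot's live/<name>/cert.pem.
set -e

CERT_DIR=${CERT_DIR:-/etc/letsencrypt/live}
STATE_DIR=${STATE_DIR:-/var/lib/cert-watch}
HOOK_DIR=${HOOK_DIR:-/etc/cert-watch/hooks.d}

# cert_serial CERT_FILE: print the serial number in hex; prints nothing if unreadable.
cert_serial() {
    openssl x509 -in "$1" -noout -serial 2>/dev/null | sed 's/^serial=//'
}

# check_cert NAME CERT_FILE
# Prints "changed" or "unchanged". On a change, runs HOOK_DIR/NAME (if executable) with
# NAME and CERT_FILE as arguments, and stores the new serial only after the hook exits 0,
# so a failed hook is retried on the next run instead of being forgotten.
check_cert() {
    name=$1
    cert=$2
    serial=$(cert_serial "$cert")
    if [ -z "$serial" ]; then
        echo "$name: cannot read serial from $cert" >&2
        return 1
    fi
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$name.serial"
    old=$(cat "$state" 2>/dev/null || true)
    if [ "$serial" = "$old" ]; then
        echo unchanged
        return 0
    fi
    hook="$HOOK_DIR/$name"
    if [ -x "$hook" ]; then
        # hook output goes to stderr (cron mails it) so stdout stays a single status word
        if ! "$hook" "$name" "$cert" >&2; then
            echo "$name: hook $hook failed; serial $serial not recorded, will retry" >&2
            return 1
        fi
    fi
    printf '%s\n' "$serial" > "$state"
    echo changed
}

# check_all: walk CERT_DIR/<name>/cert.pem and return non-zero if any check failed.
check_all() {
    rc=0
    for d in "$CERT_DIR"/*/; do
        d=${d%/}
        [ -f "$d/cert.pem" ] || continue
        n=$(basename "$d")
        check_cert "$n" "$d/cert.pem" >/dev/null || rc=1
    done
    return "$rc"
}

# Invoked from cron as "cert-watch run"; sourcing the file without arguments does nothing.
case "${1:-}" in
    run) check_all ;;
esac
```

A crontab line such as `*/5 * * * * /usr/local/sbin/cert-watch run` (hypothetical path) gives the five-minute cadence mentioned above; because the stored serial is only updated after a successful hook, a hook that keeps failing shows up every five minutes in cron mail, which doubles as the "impending doom" warning.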
