I'm looking at using acme.sh

I've never really heard of it until I learned about it here.

Should I have trust issues with it?

1 Like

Even if I, an anonymous person on the internet, would tell you it's fully trustworthy, would you believe that?

The only way to know for sure is to look at the code yourself.

1 Like

I would believe you. You're on the internet so you must be an honest person.

3 Likes

:rofl: :joy: :rofl: :joy: :rofl: :open_mouth: :dizzy_face:

He got you there, Osiris.

1 Like

Osiris and I are perhaps the absolute best (or worst, depending upon your POV) people to inquire about acme.sh. On the upside, it's an extremely well-known ACME client with years of development and testing. Since it's written entirely in bash script, it has very few dependencies when compared with many ACME clients and is entirely human-reviewable (since it's not compiled). On the debatable side, it was sold out to apilayer, which runs ZeroSSL (a for-profit CA), and will soon default to acquiring "free" ZeroSSL certificates (as opposed to free Let's Encrypt certificates). You should be able to override this default (though for how long I am unsure).

Personally, I'm fond of CertSage, probably because I wrote every single character of it. If you're looking for super-simple, basically zero dependencies, and operated from a webpage interface right off your own server from a single PHP file, CertSage is for you.

1 Like

Thanks for the detailed answer - other internet person whom I trust completely :slight_smile:

3 Likes

I would expect "how long" to be a very long time, largely because of the ease of forking the project were it to become otherwise. But so long as the ZeroSSL certs via ACME are free (as they, at least currently, are), I'm not sure how important the default CA is.

But to the OP, this random internet person has been using acme.sh for quite a while, it's worked well for him, and he isn't particularly concerned about it.

4 Likes

I trust in @danb35's knowledge of acme.sh as I know him to be a longtime user and fervently honest about it.

1 Like

In another recent thread, @jsha, who actually works for the Let's Encrypt CA, expressed a positive attitude toward acme.sh and its developer, Neil. Some years ago, I, who was actually an official developer on Certbot (the most official of the unofficial ACME clients) at the time, also made a donation to Neil to thank him for his work on acme.sh—and I'm still grateful to him for that work, which I still think is really impressive.

However, Jacob, I, and Neil are also all three of us just random Internet people. :grinning:

3 Likes

I should add that I'm also grateful to @griffin for his work on his own ACME clients, including his new one that imminently threatens to overturn @jsha's official verdict that Let's Encrypt doesn't work well with GoDaddy hosting. :grinning:

This community is great because all of us random Internet people can appreciate each other's work and contributions even when exploring different directions.

4 Likes

If you have trust issues with acme.sh, then don't trust it.
Not as root anyway.
Just about anything that it would need to do as root could probably be done some other way.
Like reloading your webserver after a new cert has been obtained.
There are plenty of ways around this.
The simplest is to gracefully reload your web server nightly - it will always have the latest cert (the next day).
Or have acme.sh create a certain file in a certain public folder.
Then have a root privileged job check for the existence of that file as often as you like.
When the file exists, then reload your web server and delete the file.

So you see, you don't really need to trust it as a root user to get what you need from it.

But you do need to trust everything you read on the Internet - it must all be true - LOL.

1 Like
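The marker-file scheme described in the post above, written out as an added shell example (not code from the thread or from the acme.sh project). The marker path, the `acme` account name and the reload command are assumptions; the root side only acts on the marker's existence and never reads or executes its contents, so the directory holding it should be writable by the acme.sh account alone rather than being truly public.

```shell
#!/bin/sh
# Root-side half of the "marker file" scheme. Run from root's cron as often as you like.
# Assumed: acme.sh runs as the unprivileged user "acme" and creates the marker from its
# --reloadcmd hook, e.g.  --reloadcmd 'touch /var/lib/acme-flag/reload'
MARKER="${MARKER:-/var/lib/acme-flag/reload}"        # assumed path
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"   # assumed web server
ACME_USER="${ACME_USER:-acme}"                       # assumed account name

# check_and_reload MARKER RELOAD_CMD [OWNER]
# 0: marker found, reload succeeded, marker removed   1: no marker, nothing to do
# 2: marker refused (symlink, not a plain file, or wrong owner)   3: reload failed
check_and_reload() {
    marker="$1"; reload="$2"; owner="${3:-}"

    # Refuse a symlink before anything else: a link planted by the unprivileged user
    # would otherwise point the root-run "rm" below at an arbitrary path.
    [ -L "$marker" ] && return 2
    [ -e "$marker" ] || return 1
    [ -f "$marker" ] || return 2

    # Optionally require the marker to be owned by the account acme.sh runs as.
    if [ -n "$owner" ]; then
        actual=$(stat -c '%U' "$marker" 2>/dev/null || stat -f '%Su' "$marker")
        [ "$actual" = "$owner" ] || return 2
    fi

    # Reload first, then delete the marker, as in the post. If the reload fails the
    # marker stays behind so the next scheduled run retries it.
    if sh -c "$reload"; then
        rm -f "$marker"
        return 0
    fi
    return 3
}

# Stand-alone use from cron: act on the defaults above.
if [ "${1:-}" = "--run" ]; then
    check_and_reload "$MARKER" "$RELOAD_CMD" "$ACME_USER"
fi
```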
