Looking for a simple client to integrate into script workflow


I tried some ACME/LE clients but none of them fits my situation like I want to.

What I basically want is a lightweight client that:

  • runs on Linux with minimal dependencies
  • supports the DNS challenge (HTTP not needed)
  • is easily scriptable (no interactive mode at all)
  • can run as regular user (no root)

We use existing custom scripts that update our zone files (remotely), and generate the web server configuration (also remotely). So I need a client that does not touch or require anything on the file system. I want simple stuff on stdout and certs to files I specify. Most clients I tried want to do my work for me, but that’s not what I want.

Here’s a dialog I imagine:

Step 0 (only once):
# awesome-client signup --email me@domain.tld
-> awesome-client response: success, your key: 12345abcdef

no files are generated by awesome-client
my script saves the key in its own database, and re-uses it from now on

Step 1:
# awesome-client request --account 12345abcdef --dns --domain domain.tld
-> awesome-client response: success, use challenge abdef12345 for _acme-challenge.domain.tld

no files are touched or generated by awesome-client
my script updates the DNS record and reloads the name server

Step 2:
# awesome-client verify --account 12345abcdef --dns --domain domain.tld --cert=/where/to/write/the.cert --key=/where/to/write/the.key
-> awesome-client response: success, files written

only those two files are written by awesome-client
my script takes those files, updates web server configuration, etc

I know that certbot-auto does something similar in manual mode, but step 1 and 2 are interactive (“Press ENTER to continue”). I can’t use any hooks either since I can’t interrupt my script. Also, certbot wants to run as root or sudo which is a no-go.

Can anyone point me to a client that does support what I want?

acme.sh comes fairly close, but you would have to read and write the account key from the file system, at least temporarily.

I would personally look into a low-level ACME library for this task. For example, if you’re familiar with Ruby, there’s acme-client, which has a very simple API and doesn’t make any assumptions about certificate/key storage or anything like that. The usage example shows pretty much exactly what you describe, leaving things like the key storage and pushing the DNS updates to you. If you don’t want it to be Ruby, libraries in many other languages are available here.


Also if you’re interested in making certbot work, you can use --non-interactive, and specify the log directory and config directory (and one other I forget) as paths that your non-root user has access to.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.