I want to offer a big THANK YOU to @_az, @mnordhoff, @jsha, @JuergenAuer, @rmbolger and everyone else who answered some of the more esoteric questions about the ACMEv2 process over the past few months.
My client, PeterSSLers, has been handling acme-v2 on our production servers since April. While there are a few things that still need to be fixed or streamlined (mostly renewal logic)… the ACME protocol bits are pretty much done.
The client is open source and available on GitHub. IT IS NOT FOR NOVICE USERS AND IS OVERKILL FOR 99.9% OF USE-CASES.
PeterSSLers is a combination ACME client, Certificate Manager, and OpenResty (Nginx) Plugin for dynamic SSL loading – and can be entirely driven by an API.
It was designed for the needs of organizations who handle whitelabel services and/or webhosting, and have:
- a scalable number of domains
- a scalable number of nodes/servers
HTTP-01 authorization is handled by routing traffic across a network into a single management node. Certificates are saved into Postgres or SQLite, then dynamically loaded into OpenResty servers via a multi-level failover cache: Nginx worker, Nginx master, Redis, JSON API via Python.
It can also function as a quick troubleshooting toolkit for nodes that are acting weird - the installation requirements were minimized by using command-line OpenSSL functions if Python crypto libraries are not installed on a machine.
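The lookup order described above (Nginx worker, Nginx master, Redis, JSON API), sketched as an added example that is not PeterSSLers' own code. `DictTier`, `lookup`, and the `NEGATIVE` marker are hypothetical names, in-memory dicts stand in for the real stores, and the negative caching of unknown names goes beyond what the post describes.

```python
from typing import Callable, List, Optional, Tuple

MISS = object()  # tier is reachable but holds nothing for this name
NEGATIVE = "__no_cert__"  # cached marker: origin said no certificate exists


class DictTier:
    """In-memory stand-in for one cache level (worker, master, or Redis)."""
    def __init__(self, name: str, fail: bool = False):
        self.name, self.fail, self.data = name, fail, {}

    def get(self, domain: str):
        if self.fail:
            raise ConnectionError(f"{self.name} unavailable")
        return self.data.get(domain, MISS)

    def set(self, domain: str, value: str) -> None:
        self.data[domain] = value


def lookup(domain: str, tiers: List[DictTier],
           origin: Callable[[str], Optional[str]]) -> Tuple[Optional[str], str]:
    """Walk tiers fastest-first, fall through on miss or error, ask the
    origin (the JSON API) last, then backfill every tier that missed."""
    domain = domain.lower().rstrip(".")  # SNI names are case-insensitive
    missed, value, source = [], MISS, "origin"
    for tier in tiers:
        try:
            value = tier.get(domain)
        except ConnectionError:
            continue  # failover: a dead tier must not break the handshake
        if value is not MISS:
            source = tier.name
            break
        missed.append(tier)
    if value is MISS:
        pem = origin(domain)
        # Remember "no cert" too, so unknown SNI names cannot hammer the
        # API on every handshake. A real deployment needs a TTL here.
        value = NEGATIVE if pem is None else pem
    for tier in missed:
        tier.set(domain, value)
    return (None if value == NEGATIVE else value), source


def demo():
    calls = []  # records every request that reached the origin
    def origin(domain):
        calls.append(domain)
        return {"a.example.com": "PEM-A (constructed)"}.get(domain)
    tiers = [DictTier("worker"), DictTier("master"), DictTier("redis", fail=True)]
    names = ["A.example.com", "a.example.com", "unknown.example.net", "unknown.example.net"]
    return [lookup(n, tiers, origin) for n in names], calls
```

In `demo`, the Redis tier is down the whole time, and the origin is still contacted only once per distinct name.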