Introduction
acme-dns-tiny is a Python 3 script that asks a Certificate Authority (CA) to issue an X.509 certificate automatically.
To automate certificate creation, acme-dns-tiny implements the ACME protocol (RFC 8555). To prove to the CA that you control the domains included in the certificate request, acme-dns-tiny uses the DNS challenge defined by that RFC.
To answer these challenges, acme-dns-tiny dynamically updates DNS records at your DNS service provider.
Therefore, to use acme-dns-tiny you must choose a CA that offers an ACME (RFC 8555) service, such as the Let's Encrypt non-profit Certificate Authority.
The main goal of acme-dns-tiny is not to rewrite the official certbot ACME client, but to give administrators a simple script that is easy to integrate into their environment, requires no root privileges, and needs no access to the domain private key.
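As an added illustration of the DNS challenge mentioned above (this is example code, not part of acme-dns-tiny), the following shows how the TXT value a client must publish is derived from the challenge token and the ACME account public key, following RFC 8555 section 8.4 and the JWK thumbprint of RFC 7638. Only the standard library is used; the JWK coordinates and the token are constructed sample values, and `record_is_valid` is an assumed helper that mirrors the comparison a CA performs.

```python
# Added example (not part of acme-dns-tiny): deriving the dns-01 challenge
# record per RFC 8555 section 8.4 and RFC 7638. Standard library only.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires (RFC 8555 section 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised as JSON with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(account public key) (RFC 8555 section 8.1).
    Only the public JWK is needed here; the account private key is used
    separately to sign the ACME requests themselves."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return the (owner name, TXT value) the client must publish.
    A wildcard name is validated under its base domain (RFC 8555 section 7.1.3),
    so '*.example.org' and 'example.org' share the same record name."""
    base = domain[2:] if domain.startswith("*.") else domain
    name = f"_acme-challenge.{base}."
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


def record_is_valid(published_txt: list[str], domain: str, token: str,
                    account_jwk: dict) -> bool:
    """Assumed helper: the check a CA performs, i.e. whether the expected
    value is among the TXT strings it resolved for the challenge name."""
    _, expected = dns01_record(domain, token, account_jwk)
    return expected in published_txt


# Constructed sample data: a P-256 public JWK and a token, not real ACME material.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-sample-x-coordinate",
    "y": "constructed-sample-y-coordinate",
}
SAMPLE_TOKEN = "constructed-sample-token-0123456789"

if __name__ == "__main__":
    name, value = dns01_record("*.example.org", SAMPLE_TOKEN, SAMPLE_JWK)
    # This is the record a dns-01 client publishes via dynamic DNS update.
    print(f'{name} IN TXT "{value}"')
```

Two points worth noticing from a defender's side: the published value is a hash of the key authorization, so a DNS record alone does not leak the account key or the token; and because the value is bound to the account key thumbprint, a stale or foreign `_acme-challenge` TXT record cannot satisfy a challenge issued to a different ACME account.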
Requirements
To run acme-dns-tiny, you need a computer with Python 3, the dnspython module, the requests module, and the OpenSSL command line tool available.
Then you have to give the rootless user running the script access to:
- the ACME account private key used to authenticate with the CA
- the Certificate Signing Request (CSR) which will be used to create the certificate.
  Note: the CSR is enough; the user does not need any access to the linked private domain key.
- a config file containing the paths of these files and the DNS secret used to manage DNS resources
Finally, that computer must be able to reach a DNS server that allows dynamic resource updates authenticated with a TSIG key.
Maintenance state
Origin
acme-dns-tiny is a fork of the acme-tiny project, but it has diverged slightly in order to:
- add dns-01 challenge support by automating the DNS resources update
- use a configuration INI file instead of arguments
- use the requests module to send HTTP requests to the ACME server
- remove http-01 challenge support
- support only Python 3