Introduction
acme-dns-tiny is a Python 3 script able to ask a Certificate Authority (CA) to automatically provide an X.509 certificate.
To automate certificate creation, acme-dns-tiny uses the ACME standard (RFC 8555). To prove to the CA that you own the domains included in the certificate request, acme-dns-tiny uses the DNS challenges defined by this RFC.
To resolve these challenges, acme-dns-tiny dynamically updates some DNS resources on your DNS service provider.
That's why, to be able to use acme-dns-tiny, you'll have to choose a CA which provides a service following the ACME RFC 8555, like the Let's Encrypt non-profit Certificate Authority.
The main goal of acme-dns-tiny is not to rewrite the official certbot ACME client but to give administrators a simple script that is easy to integrate in their environment, without requiring root privileges and without access to the domain private key.
Requirements
To run acme-dns-tiny, you'll need a computer with Python 3, the dnspython module, the requests module and the OpenSSL command line available.
Then you have to give the rootless user running the script access to:
- the ACME account private key used to authenticate with the CA
- the Certificate Signing Request (CSR) which will be used to create the certificate. Note: the CSR is enough; the user does not need any access to the linked private domain key.
- a config file containing the paths of these files and the DNS secret used to manage DNS resources
Finally, that computer must be able to access a DNS server allowing dynamic resource updates through TSIG key authentication.
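To make the DNS challenge concrete, here is an added example (not code from the acme-dns-tiny project) of what the script has to compute before it can update the DNS: the RFC 7638 thumbprint of the ACME account key, the RFC 8555 key authorization, the value of the `_acme-challenge` TXT record, and the name that record must have (including the wildcard case, where `*.example.com` is validated at `_acme-challenge.example.com`). Only the Python standard library is used; the JWK below is a constructed sample with a far-too-short modulus, not a real key.

```python
import base64
import hashlib
import json

# Constructed sample ACME account key (public part, JWK form). A real RSA key has a
# 2048-bit or larger modulus; this short "n" only exists to make the example run offline.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key",
    "alg": "RS256",          # extra members are ignored by the thumbprint
    "kid": "https://ca.example/acme/acct/1",
}

# Members that enter the thumbprint, per key type, as listed in RFC 7638 section 3.2.
# They must be serialized in lexicographic order with no whitespace.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 8555 uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only.

    Only the required members are kept, so 'alg', 'kid', 'use', ... do not change the
    result, and neither does the order in which the caller's dict lists its members.
    """
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {name: jwk[name] for name in members},
        sort_keys=True,
        separators=(",", ":"),
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Name of the TXT record the CA will query: '_acme-challenge.' + domain.

    A wildcard identifier ('*.example.com') is validated at the base domain, so the
    leading '*.' is dropped; the result is returned as a fully qualified name.
    """
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{domain.rstrip('.')}."


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple:
    """Return the (name, value) pair the DNS update has to publish for one challenge."""
    return dns01_record_name(identifier), dns01_txt_value(token, jwk)


if __name__ == "__main__":
    # The token below is a constructed sample; a real one comes from the CA's challenge object.
    for ident in ("example.com", "*.example.com"):
        name, value = dns01_record(ident, "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", SAMPLE_JWK)
        print(f"{name} IN TXT \"{value}\"")
```

The CA only ever sees the SHA-256 of the key authorization, so the account private key never leaves the machine that runs the script, and the user running it still needs read access only to that account key and the CSR, as the requirements above state.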
Open Source
acme-dns-tiny is open source software, so you can read how it works, modify it and redistribute it as long as you respect the MIT license.
The main git repository is hosted on gitlab.adorsaz.ch.
In case the main Gitlab instance is not reachable, you can find a mirror on Github.
Maintenance state
Origin
acme-dns-tiny is a fork of the acme-tiny project, but it has slightly diverged to:
- add dns-01 challenge support by automating the DNS resources update
- use a configuration INI file instead of arguments
- use the requests module to send HTTP requests to the ACME server
- remove http-01 challenge support
- support only python 3