Welcome to the acme-dns-tiny project

Tiny ACME client to respond to DNS challenges

Introduction

acme-dns-tiny is a python 3 script able to ask a Certificate Autority (CA) to provide automatically a X.509 certificate.

To be able to automate the certificate creation, acme-dns-tiny uses the ACME RFC 8555 standard. Indeed, to prove to the CA you are the owner of the domains included in the certificate request, acme-dns-tiny uses the DNS challenges defined by this RFC.

To resolve these challenges, acme-dns-tiny dynamically updates some DNS resources on your DNS service provider.

That's why, to be able to use acme-dns-tiny, you'll have to choose a CA which provides a service following the ACME RFC 8555, like the Let's Encrypt non-profit Certificate Authority.

The main goal of acme-dns-tiny is not to rewrite the official certbot ACME client but to give administrators a simple script easy to integrate in their environment without requiring root privileges and without access to the domain private key.

Requirements

To run acme-dns-tiny, you'll need a computer with Python 3, the dnspython module, the requests module and the OpenSSL command line available.

Then you have to give access to the non-root user running the script to:

the ACME account private key used to authenticate with the CA
the Certificate Signing Request (CSR) which will be used to create the certificate.
Note: the CSR is enough, the user does not need any access to the linked private domain key.
a config file containing path of these files and the DNS secret to manage DNS resources

Finally, that computer must be able to access a DNS server allowing dynamic resource updates through TSIG key authentication.

Latest News

2020-06-14: v2.2 has been released with:
- more robust search of the domain name in the Subject field of the CSR (thanks MatthaeusHarris)
- fixed a bug which required Contact to be filled (thanks adrium)
- fixed forgotten format for log message (thanks nurelin)
- support of CSR with SAN extension marked as critical (#9)
- code style updated to follow the python recommendations
- simplified regexp used to read the account key (#10)
- new Gitlab Continuous Integration configuration to build automatically docker images to run tests with always upto-date Debian Docker image (including Jessie, Stretch and Buster releases).
2018-12-09: v2.1 has been released with support of ACME draft 16.
2018-05-03: v2.0 has been released with Let's Encrypt v2 API endpoint support.

Please see our Gitlab page to find the latest release.

Origin

acme-dns-tiny is a fork of the acme-tiny project, but it has slightly diverged to:

remove http-01 challenge support
add dns-01 challenge support by automating the DNS resources update
support only on python 3
use a configuration INI file instead of arguments
use the requests module to send HTTP requests to the ACME server

Code and documentation

Code and documentation are available on Gitlab.
This project is under the MIT license as the original acme-tiny.

A mirror of the code is also available on Github.

You'll find the acme-dns-tiny news on the XMPP community.
To read news from this pubsub link, you can use one instance of the Movim services as the adorsaz.ch Movim pod.
If you want to follow RSS/Atom feed, you can use Movim page too.