go-acme icon indicating copy to clipboard operation
go-acme copied to clipboard

Published 20 hours ago verified publisher icon riobard

Metadata

Automated Certificate Management Environment (ACME) client in Go using just standard library

go-acme

Automated Certificate Management Environment (ACME) client written in Go using just standard library. No external dependencies required.

Features

  • Authorizing domain names in parallel to greatly speed up the issuance of multi-domain SAN certificates.
  • Generate certificates from another host holding your account key. There is no need to keep the account key on the public facing server.
  • Single binary for easy deployment. Just drop and run.

Usage

The workflow of go-acme is very simple:

  1. Setup Nginx to reverse proxy ACME HTTP challenges.
  2. Launch go-acme to authorize domain names and generate certificates.
  3. Done.

Add the following section to server section of your nginx config. It will forward requests for ACME HTTP challenges to a server listening on port 81. You can use any port number, but it is recommended that you use a privileged port so that only root can bind to for security reasons.

location ^~ /.well-known/acme-challenge/ {
    proxy_pass http://127.0.0.1:81;
}

Then restart Nginx

nginx -s reload

Generate a 4096-bit RSA account key if you do not have one yet

acme -genrsa 4096 > account.key

Generate a 2048-bit RSA certificate key if you do not have one yet

acme -genrsa 2048 > cert.key

To run go-acme on the same host with the server, execute

acme -addr 127.0.0.1:81 -acckey account.key -crtkey cert.key -domains example.com,www.example.com > cert.pem

and wait for your domain certifcate and issuer certificate to be put into cert.pem file.

Alternatively, you can run go-acme on another host. This has the benefit that there is no need to put the private account key on the public-facing web server.

To do so, you need to use SSH to forward port 81 on the server to a free port (8181 in the example below) on the host running go-acme.

ssh -N -T -R 81:127.0.0.1:8181 server-hostname

and then run go-acme listening on the forwarded port (8181)

acme -addr 127.0.0.1:8181 -acckey account.key -crtkey cert.key -domains example.com,www.example.com > cert.pem

After that you need to copy cert.key and cert.pem files back to the web server.

TODO

  • Certificate revokation

Metadata

34
Stars
3
Forks
Watchers

Owner

verified publisher icon riobard

Metadata

Automated Certificate Management Environment (ACME) client in Go using just standard library

Back