
Automatic Certificate Management Environment (ACME) for Node.js with minimal dependencies
Lightning fast, lightweight Bot for Automatic Certificate Management Environment (ACME) written in JavaScript for Node.js with minimal dependencies
Based on node-acme-client.
Features:
- http-01, dns-01 and tls-alpn-01 challenges (see the challenge notes further down for which of these are fully implemented at the moment)
- http2 session when communicating with the ACME server (faster comms + lower load on public infrastructure)
- systemd timer with a related service for auto-update task scheduling (used by default)
- cron for auto-update task scheduling (used as a fallback if systemd is not present)
- root access is not required, but recommended
- ECDSA (default) and RSA types of certificate and account keys
- node:crypto API to access internal openssl functionality

Dependencies:

| Node.js | openssl | json5 (optional) |
|---|---|---|
| v16+ | v1.1.1+ | v2+ |
> npm install -g acme-bot --no-optional
- OR -
> yarn global add acme-bot --ignore-optional
#!/bin/sh
wget https://git.serenity-island.net/sie-foss/acme-bot/archive/master.tar.gz -O acme-bot.tar.gz
tar -xaf acme-bot.tar.gz
chmod u+x acme-bot/acme-bot.js
ln -rs acme-bot/acme-bot.js /usr/local/bin/acme-bot # (optional)
When the http-01 challenge is going to be used, certain provisions must be made first (see the http-01 section below).
> acme-bot configure
{
bot: {
issuer: "letsencrypt",
certs_root_dir: "/etc/letsencrypt",
},
commands: {
stop_on_error: false,
// Stop reverse proxy (if there is one) while requesting and receiving certs
pre: [ "systemctl stop nginx" ],
post: [ "systemctl start nginx" ]
},
domains: {
'example.org': {
sub_domains: "www",
challenge_cfg: [ { type: 'http-01' } ]
}
},
}
> acme-bot --standalone test
Allow acme-bot to run automatically on schedule from now on:
> acme-bot --standalone --issue enable
Before actually removing the package, it is recommended to clear the auto-renewal task schedule manually using the disable action, since npm doesn't support uninstall scripts:
> acme-bot disable
> npm uninstall -g acme-bot
When acme-bot is expected to perform a certain action (e.g. configure, enable, disable, status, etc.), the order of arguments matters, since the action must be the last argument.
# Order of the arguments matters
> acme-bot --debug --config-file /home/user/.local/acme-bot.json configure
If no directory was specified for the http-01 challenge, the --standalone option must be given so that acme-bot answers the challenge itself. Then either the existing HTTP server or reverse proxy has to be stopped for the duration of the acme-bot run (this is what the pre/post commands in the quick start do), or it stays up and forwards only /.well-known/acme-challenge/ requests to acme-bot's built-in challenge server, which listens on a TCP port or a unix socket. Because only that location is proxied, nothing else reaches the internal server. Example nginx configuration for the second option:
/etc/nginx/sites-available/default
upstream acme_bot {
server unix:/run/acme-bot-http.sock;
server 127.0.0.1:8080 backup;
}
server {
server_name example.org www.example.org;
listen 80;
listen [::]:80;
location /.well-known/acme-challenge/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://acme_bot;
}
}
/etc/acme-bot/config.json5
{
commands: { post: [ "systemctl reload nginx" ] },
bot: {
issuer: "letsencrypt",
certs_root_dir: "/etc/letsencrypt",
// NOTE: if both 'port' and 'path' are specified, 'path' will be used
acme_challenge_server: { http_01: { port: 8080, path: "/run/acme-bot-http.sock" } },
},
domains: {
'example.org': {
sub_domains: "www",
challenge_cfg: [ { type: 'http-01' } ]
}
},
}
> acme-bot --standalone test
To force issuing, downloading and overwriting existing certificate(s), use the --force option.
# normal mode: renew only if necessary
> acme-bot
- OR -
# forced mode: renew regardless of validity of the current cert(s)
> acme-bot --force
The default location of the configuration file is /etc/acme-bot/config.json5; it is possible to point acme-bot at another config file with the --config-file option.
On the first run acme-bot needs to be configured. The following command opens the configuration file in a text editor.
If the configuration file is not found, it is created from a template.
> acme-bot configure
- OR -
> acme-bot --config-file /path/to/custom_config.json configure
To make sure the bot is ready to receive and store actual trusted certificates after (re-)configuring it, it is highly recommended to run a test first; this reduces the chance of running into the certificate issuer's rate limits.
During the test, acme-bot uses the issuer's staging environment (if available) and a separate directory to store account data, runtime data and received certificates.
> acme-bot test
If the test completes without issues, you can allow acme-bot to run automatically.
The following command attempts to schedule execution of acme-bot once every 2 weeks at a randomized time for automatic certificate renewal (when necessary).
Depending on the target system and environment, this command either creates a service and timer pair for systemd OR a cron job. If neither is found, it just prints an error.
> acme-bot enable
To request certificate(s) immediately after successfully scheduling the automatic renewal task, add the --issue option.
> acme-bot --issue enable
> acme-bot status
Expected output (if systemd is used)
● acme-bot.timer - Automatic Certificate Management Environment (ACME) - Timer
Loaded: loaded (/etc/systemd/system/acme-bot.timer; enabled; preset: enabled)
Active: active (waiting) since XXX XXXX-XX-XX XX:XX:XX XXX;
Trigger: XXX XXXX-XX-XX XX:XX:XX XXX; 1 week 5 days left
Triggers: ● acme-bot.service
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon XXXX-XX-XX XX:XX:XX EDT 1 week 5 days left - - acme-bot.timer acme-bot.service
1 timers listed.
Pass --all to see loaded but inactive timers, too.
acme-bot comes with several built-in issuers' directory URLs (from the source). The _test entries are the staging directories that the test action uses when available.
{
letsencrypt: "https://acme-v02.api.letsencrypt.org/directory",
letsencrypt_test: "https://acme-staging-v02.api.letsencrypt.org/directory",
buypass: "https://api.buypass.com/acme/directory",
buypass_test: "https://api.test4.buypass.no/acme/directory",
zerossl: "https://acme.zerossl.com/v2/DV90",
sslcom: "https://acme.ssl.com/sslcom-dv-ecc"
}
When ordering a certificate for a particular domain, acme-bot selects the challenge by priority: the order of entries in the domain's challenge_cfg is the priority, and the first configured type that the issuer also offers is used.
E.g. if the challenges offered by the issuer are http-01, dns-01 and tls-alpn-01 and the domain is configured with challenge_cfg: [ { type: 'dns-01', ... }, { type: 'http-01' } ], then dns-01 is selected.
E.g. if the only challenge offered by the issuer is http-01, then http-01 is selected as the fallback option.
Please note that wildcard certificates can only be validated through the dns-01 challenge, which is not fully implemented in acme-bot at the moment.
More information about challenge types can be found in RFC 8555 (http-01 and dns-01) and RFC 8737 (tls-alpn-01).
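The priority rule described above, as an added example written for this page (not acme-bot's own code): the configured order is the priority, the first configured type the issuer also offers wins, wildcard identifiers accept dns-01 only, and selection fails loudly instead of silently picking something else. The authorization objects follow the RFC 8555 section 7.1.4 shape but are constructed fixtures; the function name and the ca.example URLs are illustrative and not acme-bot's internals.

```javascript
// Added example for this page, not acme-bot's own code: the challenge
// priority rule. Configured order is the priority, the first configured type
// that the issuer also offers wins, wildcard names accept dns-01 only, and
// selection fails loudly instead of silently picking something else.
// Names and object shapes are illustrative.

// ACME authorization objects (RFC 8555 section 7.1.4), trimmed to the fields
// used here. Both fixtures are constructed, not captured from a real CA.
const AUTHZ_EXAMPLE_ORG = {
  identifier: { type: 'dns', value: 'example.org' },
  wildcard: false,
  challenges: [
    { type: 'http-01', url: 'https://ca.example/chall/1', token: 'tok-http' },
    { type: 'dns-01', url: 'https://ca.example/chall/2', token: 'tok-dns' },
    { type: 'tls-alpn-01', url: 'https://ca.example/chall/3', token: 'tok-alpn' },
  ],
};
const AUTHZ_WILDCARD = {
  identifier: { type: 'dns', value: 'example.org' },
  wildcard: true, // the issuer sets this for *.example.org and offers dns-01 only
  challenges: [
    { type: 'dns-01', url: 'https://ca.example/chall/4', token: 'tok-dns-wc' },
  ],
};

// challengeCfg has the shape of the config's challenge_cfg array, e.g.
// [ { type: 'dns-01', ... }, { type: 'http-01' } ]: earlier entries win.
function selectChallenge(authz, challengeCfg) {
  const offered = new Map(authz.challenges.map((c) => [c.type, c]));
  const rejected = [];
  for (const cfg of challengeCfg) {
    if (authz.wildcard && cfg.type !== 'dns-01') {
      rejected.push(`${cfg.type}: wildcard identifiers require dns-01`);
      continue;
    }
    const challenge = offered.get(cfg.type);
    if (!challenge) {
      rejected.push(`${cfg.type}: not offered by the issuer`);
      continue;
    }
    return { challenge, cfg }; // cfg carries the per-type settings (e.g. dns-01 scripts)
  }
  const name = (authz.wildcard ? '*.' : '') + authz.identifier.value;
  throw new Error(`no usable challenge for ${name}: ${rejected.join('; ')}`);
}

console.log(selectChallenge(AUTHZ_EXAMPLE_ORG, [{ type: 'dns-01' }, { type: 'http-01' }]).challenge.type); // dns-01
```

Returning the matching config entry together with the issuer's challenge object is what lets the caller pick up per-type settings (such as the dns-01 add/del scripts mentioned below) without a second lookup; the collected rejection reasons make a misconfigured wildcard domain fail with a readable message rather than a rate-limited round trip to the issuer.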
To minimize load on public infrastructure, acme-bot attempts to validate locally that the challenges can be satisfied before telling the ACME server to finalize validation of the challenge.
In some cases (firewalls, etc.) this internal challenge verification cannot be completed.
In that case it is possible to disable this mechanism by setting the skip_local_challenge_check option to true inside the bot config. Note that with the check skipped, a misconfiguration is only discovered by the issuer's own validation attempt, and failed validations count against the issuer's rate limits. E.g.:
{
// ....
bot: {
issuer: "letsencrypt",
certs_root_dir: "/etc/letsencrypt",
skip_local_challenge_check: true,
},
// ....
}
(currently, under construction)
> acme-bot help
To suppress most of the details, use the --silent option (only warnings and errors will be logged):
> acme-bot --silent
To see more details of what acme-bot is doing, use the --debug option:
> acme-bot --debug
To see even more details, set environment variable NODE_DEBUG=* along with the --debug option
> NODE_DEBUG=* acme-bot --debug
- jsrsasign to system-wide ssl libraries:
  - openssl: supported v1.1.1+ (incl. v3.0+)
  - mbedTLS
  - GnuTLS
  - LibreSSL
  - wolfSSL
- standalone mode
- dns-01 challenge
- tls-alpn-01 challenge
- dns-01 challenge (when no add and del scripts are specified) (defeats the 'A' in ACME, but okay for tests)
- tls-alpn-01 challenge
- acme-bot in certbot style, i.e. using only command line arguments