Automatic Certificate Management Environment
(ACME) protocol client for acquiring free SSL certificates. is a gratis, open source community sponsored service that
implements the ACME protocol. This script will allow you to create a
signed SSL certificate, suitable to secure your server with HTTPS, using or any other certificate authority that supports the ACME
npm install -g acme-express
Usage: acme-express --account account.pem --csr csr.der --domain ${DOMAIN} --ca letsencrypt-beta
-h, --help output usage information
--account <account.pem> Account private key PEM file
--csr <csr.der> Certificate Signing Request file in DER encoding
--dom <domain> The domain for which we are requesting a certificate. e.g. ""
--ca <URL|"letsencrypt-beta"|"letsencrypt-staging"> Certificate authority URL running ACME protocol. Default "letsencrypt-staging"
--agreement <URL|"letsencrypt-1.0.1"> The certificate agreement URL. Default "letsencrypt-1.0.1"
--log <debug|info|warn|error> Set the log level (logs always use STDERR). Default "info"
--cross-signed Print's cross-signed x1 cert to STDOUT
How to Use
- Register a domain and point your DNS at your server.
- From that server, use this script to verify that you control the domain
and acquire a signed certficate.
Sign a Cert
openssl genrsa 4096 > domain.pem
openssl req -new -sha256 -key domain.pem -subj "/CN=${DOMAIN}" -outform DER > csr.der
openssl genrsa 4096 > account.pem
sudo acme-express --account account.pem --csr csr.der --dom "${DOMAIN}" --ca letsencrypt-beta > ${DOMAIN}.pem
openssl x509 -in ${DOMAIN}.pem -text
Why Sudo?
To verify ownership of the domain, we use the simple HTTP
challenge/response method. This script will briefly host a Node.js HTTP
server on port 80 (which requires admin access). The challenge token is
served at the well-defined challenge/response URL so that the certificate
authority can request it.
See the "challengeResponse" method in src/
Create an HTTPS Server
Here is an example Node.js express server using a certificate produced
by this script:
let fs = require('fs');
let http = require('http');
let https = require('https');
let express = require('express');
let app = express();
let domain = '';
let credentials = {
key : fs.readFileSync('domain.pem'),
cert : fs.readFileSync(domain + '.pem'),
ca : [fs.readFileSync('lets-encrypt-x1-cross-signed.pem')]
https.createServer(credentials, app).listen(443, function() {
console.log('Listening on HTTPS');
http.createServer(function (req, res) {
let code = (req.method === 'POST') ? 307 : 302;
res.writeHead(code, {'Location' : 'https://' + domain + req.url});
}).listen(80, function() {
console.log('Redirecting HTTP to HTTPS');