styris-ame/acme-cert-watcher

ACME Certificate Watcher

License: MIT

A lightweight and failsafe tool for maintaining a valid TLS certificate-key file pair.

acme-cert-watcher is used in production at Ameliorated LLC to maintain TLS capabilities for our web services. acme-cert-watcher relies primarily on instant-acme and reqwest for its functionality.

Usage

acme-cert-watcher.exe [OPTIONS] --provider <PROVIDER> --email <EMAIL> --key-path <KEY_PATH> --cert-path <CERT_PATH> --serve-dir <SERVE_DIR>

Options:
  -p, --provider <PROVIDER>
          ACME provider of choice [possible values: zerossl, buypass, letsencrypt]
  -f, --fallback <FALLBACK>
          Optional fallback provider(s) incase the provider specified by --provider repeatedly fails and the cert is within 7 days of expiration [possible values: zerossl, buypass, letsencrypt]
  -d, --domain <DOMAIN>
          Domain(s) for ACME certificates
  -e, --email <EMAIL>
          Contact email for ACME
  -k, --key-path <KEY_PATH>
          Path to destination private key file
  -c, --cert-path <CERT_PATH>
          Path to destination certificate file
  -s, --serve-dir <SERVE_DIR>
          Path to public web serve directory. Must be actively hosted by a webserver for HTTP-01 validation
      --api-key <API_KEY>
          API key for ZeroSSL. Alternative to specifying EAB credentials
      --eab-kid <EAB_KID>
          EAB KID for ZeroSSL. Must be paired with --eab-hmac-key
      --eab-hmac-key <EAB_HMAC_KEY>
          EAB HMAC key for ZeroSSL. Must be paired with --eab-kid
      --cache-dir <CACHE_DIR>
          Cache directory for ACME account credentials, and ZeroSSL EAB credentials (if applicable) [default: ./acme_cache]
  -r, --reload-command <RELOAD_COMMAND>
          Optional command to be run after a successful cert update
  -h, --help
          Print help
  -V, --version
          Print version

Examples

./acme-cert-watcher -p zerossl --api-key ZEROSSL-API-KEY -f buypass -e [email protected] -d example.styris.net -k server.key -c server.crt -s ./dist

To run a command after renewal, such as reloading nginx:

sudo ./acme-cert-watcher -p zerossl --api-key ZEROSSL-API-KEY -f buypass -e [email protected] -d example.styris.net -k server.key -c server.crt -s ./dist -r "systemctl reload nginx"

Behavior

acme-cert-watcher expects files in the directory specified by --serve-dir (-s) to be publicly available at --domain for HTTP-01 certificate validation, and will not be able to renew certificates otherwise.

Renewals happen once the certificate has 30 days or less left before expiration.

In the event that a failure occurs, acme-cert-watcher will retry with an exponentially increasing delay (capped at one hour) until it is able to successfully renew the certificate. If one or more fallback providers are given, they are used only when both of the following hold:

  • The existing certificate (if present) only has 7 days or less before expiration
  • The retry delay for the main provider has reached an hour with no success
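The renewal, backoff and fallback rules above, together with the HTTP-01 location that --serve-dir must expose, as a small model in Rust. This is an added example and not code from acme-cert-watcher itself: the type and function names, the 60-second starting delay, the rotation through fallbacks by attempt number, and the treatment of a missing certificate as already "within 7 days" are assumptions chosen to illustrate the documented behavior.

```rust
// Added example (not the project's own code): a model of the renewal and
// fallback policy documented in the README. Names and the initial delay are
// assumptions; only the 30-day, 7-day and one-hour figures come from the docs.
use std::path::{Path, PathBuf};
use std::time::Duration;

/// Renew once the certificate has 30 days or less left (from the README).
const RENEW_THRESHOLD_DAYS: i64 = 30;
/// Fallback providers are only considered in the last 7 days (from the README).
const FALLBACK_THRESHOLD_DAYS: i64 = 7;
/// The retry delay grows exponentially but never exceeds an hour (from the README).
const MAX_RETRY_DELAY: Duration = Duration::from_secs(3600);
/// Assumed starting delay for the first retry; the README does not state it.
const INITIAL_RETRY_DELAY: Duration = Duration::from_secs(60);

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Provider {
    ZeroSsl,
    Buypass,
    LetsEncrypt,
}

pub struct RenewalPolicy {
    pub primary: Provider,
    pub fallbacks: Vec<Provider>,
}

/// Whether a certificate with `days_left` days of validity should be renewed now.
/// A missing certificate (`None`) is always renewed.
pub fn needs_renewal(days_left: Option<i64>) -> bool {
    match days_left {
        None => true,
        Some(d) => d <= RENEW_THRESHOLD_DAYS,
    }
}

/// Delay to wait after a failed attempt: double the previous delay, capped at an hour.
pub fn next_retry_delay(previous: Option<Duration>) -> Duration {
    match previous {
        None => INITIAL_RETRY_DELAY,
        Some(p) => p.checked_mul(2).unwrap_or(MAX_RETRY_DELAY).min(MAX_RETRY_DELAY),
    }
}

impl RenewalPolicy {
    /// Provider to use for the next attempt. A fallback is chosen only when BOTH
    /// README conditions hold: the existing certificate (if any) has 7 days or
    /// less left, and the primary's retry delay has already reached the hour cap.
    /// Assumption: with no certificate on disk the first condition counts as met.
    /// Assumption: multiple fallbacks are rotated through by attempt number.
    pub fn provider_for_attempt(
        &self,
        days_left: Option<i64>,
        current_delay: Duration,
        attempt: usize,
    ) -> Provider {
        let near_expiry = days_left.map_or(true, |d| d <= FALLBACK_THRESHOLD_DAYS);
        let primary_exhausted = current_delay >= MAX_RETRY_DELAY;
        if near_expiry && primary_exhausted && !self.fallbacks.is_empty() {
            return self.fallbacks[attempt % self.fallbacks.len()];
        }
        self.primary
    }
}

/// Where an HTTP-01 token must appear under --serve-dir and the URL the CA fetches
/// it from (RFC 8555 section 8.3). Useful for confirming the serve directory really
/// is public before relying on unattended renewals.
pub fn http01_locations(serve_dir: &Path, domain: &str, token: &str) -> (PathBuf, String) {
    let file = serve_dir.join(".well-known").join("acme-challenge").join(token);
    let url = format!("http://{domain}/.well-known/acme-challenge/{token}");
    (file, url)
}

fn main() {
    let policy = RenewalPolicy { primary: Provider::ZeroSsl, fallbacks: vec![Provider::Buypass] };
    // Simulated run of repeated failures on a certificate with 5 days left:
    // walk the backoff schedule and show the point at which the fallback takes over.
    let mut delay: Option<Duration> = None;
    for attempt in 0..8 {
        let current = delay.unwrap_or(Duration::ZERO);
        let p = policy.provider_for_attempt(Some(5), current, attempt);
        println!("attempt {attempt}: delay={}s provider={p:?}", current.as_secs());
        delay = Some(next_retry_delay(delay));
    }
    let (file, url) = http01_locations(Path::new("./dist"), "example.styris.net", "TOKEN");
    println!("token file {} must be reachable at {}", file.display(), url);
}
```

Running the simulation shows the primary provider retried with delays of 0, 60, 120, ... seconds and the fallback only selected once the delay has climbed to 3600 seconds; with a certificate that still has, say, 20 days left, the fallback is never selected no matter how long the primary keeps failing.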

About

Certificate file watcher and renewer supporting ZeroSSL, Buypass, and LetsEncrypt