KeyChest Blog

ACMEv2 Clients

Jan 4, 2020 1:48:55 AM / by Dan

While analyzing the existing Let's Encrypt (ACME) clients for internal use, we realized that there is no public list that also provides a basic description of each client's main features.

We used the list of clients on the Let's Encrypt website as a starting point, added notes on features we found of interest, and re-classified some of the entries to better reflect the nature of each piece of software.

We will occasionally review the list, but if you find incorrect information, would like to add a missing project, or want to change anything, let us know at support@keychest.net.

Outliers - projects I like for being different

There are obvious, popular clients that you see mentioned everywhere. Here is a short list of projects - in no particular order - that tried to approach the integration differently. Maybe I also like them because they share something with our KeyChest.

  • tls_certificate_generation - a Docker project for renewing certificates for domains that are resolved by internal DNS. It launches a temporary AWS/DO VM for the validation. ... the project looks dead (it doesn't seem to support RFC 8555 / ACMEv2).
  • haproxy-lua-acme - an HAProxy client. When you need to renew a certificate, you send a POST request to your HAProxy ... instead of talking to the LE API directly.
  • Greenlock - just because the author has built a whole set of tools written in JavaScript for various use cases - see below.
  • freshcerts - a Ruby project (also not supporting ACMEv2) that runs a centralized service so that endpoints only need lightweight scripts. I suspect that it fails with ACMEv2 as it doesn't allow changing the server address.
  • acme-client - the BSD version, well, because it is part of the distro.
  • acmetool - the Go project, because it has no dependencies and works as a server listening on port 402.

Clients

Bash

acme.sh - https://github.com/Neilpang/acme.sh - stars: 15,600 - a simple script, tested on a number of platforms. Standalone, nginx, and Apache modes.

dehydrated - https://github.com/lukas2511/dehydrated - stars: 4,600 - strong support for hooks for automation, allows the use of custom CSRs.

GetSSL - https://github.com/srvrco/getssl/tree/APIv2 - stars: 1,200 - includes ftp/sftp/ssh capability to copy challenges and certificates to remote servers. Configuration files for multiple servers are stored in subfolders.

ght-acme.sh - https://github.com/bruncsak/ght-acme.sh - stars: 9 - key generation requires a separate use of openssl; computes the account key thumbprint to pass to nginx for challenge validation.
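The "thumbprint to pass to nginx" above is the one piece of ACME that every client on this list implements, whichever language it is written in, and it is worth seeing spelled out. The following is an added example written for this page; it is not code from ght-acme.sh or any other listed project. It derives, from an account key's public JWK, the RFC 7638 thumbprint, the RFC 8555 key authorization, the exact path and body a web server must serve for an http-01 challenge, and the TXT value for a dns-01 challenge, plus the check a CA performs on the served body. The EC key coordinates and the challenge token are constructed placeholder strings, not a real key or a real token, since the derivation only depends on the encoded values.

```python
"""Derive ACME challenge responses from an account key.

References: RFC 7638 (JWK thumbprint), RFC 8555 sections 8.1, 8.3, 8.4.
Standard library only.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Members RFC 7638 section 3.2 includes in the thumbprint, per key type.
# Everything else (alg, kid, use, and any private members) is excluded,
# so the thumbprint depends only on the public key.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: base64url(SHA-256(canonical JSON of the required members)).

    Canonical means lexically sorted keys and no whitespace; a different
    member order or an extra 'kid' must not change the result.
    """
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict):
    """Path and body the web server must serve (RFC 8555 section 8.3)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value for _acme-challenge.<domain> (RFC 8555 section 8.4):
    base64url(SHA-256(keyAuthorization)), not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def check_http01_body(served_body: str, token: str, jwk: dict) -> bool:
    """The check a CA validator applies to the fetched body: after trimming
    trailing whitespace it must equal the key authorization exactly."""
    return served_body.rstrip() == key_authorization(token, jwk)


# Constructed sample inputs (placeholders, not a real key or real token).
SAMPLE_JWK = {
    "kid": "https://acme.example/acme/acct/1",   # ignored by the thumbprint
    "alg": "ES256",                               # ignored by the thumbprint
    "kty": "EC",
    "crv": "P-256",
    "x": "x-coordinate-placeholder-base64url-value",
    "y": "y-coordinate-placeholder-base64url-value",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    print("serve", path, "with body", body)
    print("_acme-challenge TXT:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

A client that uses a fixed account key can therefore pre-compute the thumbprint once; only the token changes per challenge. RFC 7638 section 3.1 contains a sample RSA key with its expected thumbprint, which is a convenient cross-check for any implementation of jwk_thumbprint.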

C

acme-client-portable - https://github.com/graywolf/acme-client-portable - stars: 10 - maintained port of OpenBSD's acme-client.

Apache mod_md - https://httpd.apache.org/docs/trunk/mod/mod_md.html - manages domain properties for a) renewal of HTTPS certificates via ACME and b) OCSP stapling.

Icing mod_md - https://github.com/icing/mod_md - stars: 255 - an alternate implementation of Apache mod_md with more frequent updates. It provides a) renewal of HTTPS certificates via ACME and b) OCSP stapling.

uacme - https://github.com/ndilieto/uacme/ - stars: 59 - lightweight client whose only dependencies are libcurl and GnuTLS/OpenSSL/mbedTLS. It checks OCSP as part of the 'renewal' command and supports OCSP stapling. It also includes a transparent proxying tls-alpn-01 responder. The user has to set up and clean up challenges via hooks.

C++

acme-lw - https://github.com/jmccl/acme-lw - stars: 7 - only supports HTTP challenges. Dependencies are cmake, openssl, and curl. Staging / Prod is decided during build.

esp32-acme-client - https://esp32-acme-client.sourceforge.io - (no downloads in 30 days) - work in progress - renewals not supported, tested as part of an author's app.

Clojure

certificaat - https://github.com/danielsz/certificaat - stars: 77 - optimized for "get a cert, setup cron, forget", config files are in the EDN format.

D

acme-lw-d - https://github.com/cschlote/acme-lw-d - stars: 3 - install via apt/yum/dub, account creation via an openssl command.

Docker

tls_certificate_generation - https://github.com/leandromoreira/tls_certificate_generation - stars: 26 - ACME client for domains that are either resolved by internal DNS or temporary; the use case in the manual launches a temporary AWS/DO machine purely for the purpose of issuing a certificate.

Go

acmetool - https://github.com/hlandau/acmetool - stars: 1,700 - binary releases, dependency-free, listens on port 402 to minimise web server configuration changes.

autocert - https://godoc.org/golang.org/x/crypto/acme/autocert - (part of golang crypto) - work in progress, library.

Lego - https://go-acme.github.io/lego/ - stars: 3,888 - full implementation of ACMEv2, supports custom CSRs.

ngxpkg - https://github.com/webpkg/ngxpkg - stars: 22 - a CLI client for nginx, configuration via env variables.

openshift-acme - https://github.com/tnozicka/openshift-acme - client for OpenShift and Kubernetes clusters, upgrade to RFC 8555 in progress (Jan/2020).

HAProxy

haproxy-lua-acme - https://github.com/haproxytech/haproxy-lua-acme - stars: 34 - ACMEv2 operations are triggered via POST requests to the proxy; HAProxy has to be manually restarted.

Java

ACME4J - https://github.com/shred/acme4j - stars: 298 - JRE 8 (update 101) or higher, Maven, dependencies jose4j, Bouncy Castle (for generating keys and CSRs), slf4j.

acme-client - https://github.com/porunov/acme_client - stars: 53 - a CLI agent for automation tools or scripts, CLI commands for each ACME API function.

Microsoft Azure

appservice-acmebot - https://github.com/shibayan/appservice-acmebot - stars: 124 - Win/Linux, Azure Web Apps, Functions, zone apex domain certs, wildcards, doesn't use Key Vault.

AzureWebAppSSLManager - https://github.com/n3wt0n/AzureWebAppSSLManager - stars: 15 - renewal of certs with Azure DNS challenges, certs are stored in Azure Blob Storage. Requires an Azure Service Principal and a SendGrid API key.

GetSSL - Azure Automation - https://www.powershellgallery.com/packages/GetSSL-LetsEncrypt/ - PowerShell script that works with MS Azure Key Vault. Documentation for the MS Azure Key Vault integration is at https://github.com/ebekker/foobar/tree/master/docs/platyps. Installed with "Install-Script".

keyvault-acmebot - https://github.com/shibayan/keyvault-acmebot - stars: 100 - the "Key Vault" version of appservice-acmebot.

Node.js

acme2.js - https://git.cloudron.io/cloudron/box/blob/master/src/cert/acme2.js - requires 'openssl', one file, no documentation.

greenlock.js - https://git.coolaj86.com/coolaj86/greenlock.js - stars: 19 - pure JS implementation, several DNS system integrations.

greenlock-cli - https://git.coolaj86.com/coolaj86/greenlock-cli.js - requires a webserver listening on port 80, default config is "staging", standalone and webroot modes. 

Greenlock Express - https://git.coolaj86.com/coolaj86/greenlock-express.js - stars: 31 - several DNS system integrations, examples for Express, Node's http2, websockets, socket.io.

node-acme-client - https://github.com/publishlab/node-acme-client - stars: 69 - account private key is set as a JS constant.

node-acme-lambda -  https://github.com/ocelotconsulting/node-acme-lambda - stars: 93 - uses AWS Lambda, certs are stored in S3, environment configuration.

Perl

Crypt-LE - https://github.com/do-know/Crypt-LE - stars: 202 - portable, with Windows binaries available, dependency openssl-devel/libssl-dev, export to PFX/p12.

p5-Net-ACME2 - https://github.com/FGasper/p5-Net-ACME2 - stars: 3 - production-grade, own exception class, library with logic examples to build "application workflow".

PHP

acme - https://github.com/kelunik/acme - stars: 96 - PHPDoc available, installation with composer, uses the Amp framework.

acme2 - https://github.com/stonemax/acme2 - another PHP client for the ACME protocol.

acmecert - https://github.com/skoerfgen/ACMECert - stars: 40 - renewals and revocations, cert parsing to extract expiry date, depends on OpenSSL and cURL.

acmephp - https://github.com/acmephp/acmephp - stars: 404 - CLI client, a single binary file, integration with Monolog for notifications, config formatters for nginx, nginx-proxy, haproxy. Configurable to copy certs to remote machines.

acme_proxy.php - https://github.com/jpawlowski/acme_proxy.php - stars: 1 - ACME challenge validation proxy using localhost DNS results. 

le-acme2-php - https://github.com/fbett/le-acme2-php - stars: 16 - based on the yourivw/LEClient, rewritten and enhanced.

leclient - https://github.com/yourivw/LEClient - stars: 127 - install with composer, a clear documentation in the README.md file.

lemanager - https://github.com/analogic/lemanager - stars: 91 - containerized app (docker container), has a GUI showing expiry of certs

Python

acertmgr - https://github.com/moepman/acertmgr - stars: 8 - you can define your own account key or have it generated; rich configuration with 4 "scopes" (global, domain, command line, defaults).

acme-cert-tool - https://github.com/mk-fg/acme-cert-tool - stars: 2 - single script with 1 dependency (cryptography), python 3.7+.

acme-nginx - https://github.com/kshcherban/acme-nginx - stars: 201 - ACME client for nginx. Includes DNS challenges for AWS route53 and Digital Ocean DNS.

acme-nosudo - https://github.com/diafygi/acme-nosudo - stars: 1,200 - two scripts - sign_csr.py and revoke_crt.py to create/revoke a cert. 

acme-powerdns - https://github.com/adfinis-sygroup/acme-powerdns - does NOT support RFC 8555, but an interesting integration with PowerDNS.

acme-tiny - https://github.com/diafygi/acme-tiny - stars: 4,300 - tiny Python client, depends on openssl; the account key has to be created separately.

acme-dns-tiny - https://acme-dns-tiny.adorsaz.ch - a fork of acme-tiny, only supports DNS challenges; the ACME account key and CSR have to be supplied.

acmebot - https://github.com/plinss/acmebot - stars: 73 - domains for certificates are defined in a configuration file, default is DNS authorization, creates pinning header (HPKP).

sewer - https://github.com/komuw/sewer - stars: 102 - library and CLI app, supports several DNS providers (modular to add new ones).

simp_le - https://github.com/zenhack/simp_le - stars: 154 - a fork of kuba/simp_le, which is unmaintained; a command line parameter sets the minimum remaining validity (for renewal to kick in); available as a Docker container.

txacme - https://github.com/mithrandi/txacme - stars: 38 - an implementation of the ACME protocol for Twisted (event-driven networking engine). It is a library rather than a client and is under heavy development.

Ruby

acme-client - https://github.com/unixcharles/acme-client - stars: 380 - a Ruby client as a library, with code snippets to integrate into an application.

acme-distributed - https://github.com/jannfis/acme-distributed - stars: 1 - the main difference - it places challenges on remote servers. Incomplete implementation, outdated docs.

acmesmith - https://github.com/sorah/acmesmith - stars: 103 - it stores certs and keys in cloud services (e.g., S3). 

chef-acme - https://github.com/schubergphilis/chef-acme - stars: 102 - Chef cookbook for Let's Encrypt, examples of chef configurations.

combine-acme - https://gitlab.com/6318613/combine-acme - stars: 1 - it not only generates certs but also uploads them to Google Cloud (GCP) and Cloudflare.

freshcerts - https://github.com/myfreeweb/freshcerts - stars: 53 - a centralized "server" that lets endpoints use lightweight scripts to request certificates.

Rust

acme-client - https://github.com/onur/acme-client - stars: 178 - allows using own keys and CSRs.

ACMEd - https://github.com/breard-r/acmed - stars: 24 - written as a daemon, fully customizable challenge validation, retries, key pair reuse, customizable HTTPS rate limits.

le-opensrs - https://github.com/mhmd3bdo/le-opensrs - stars: 2 - a client for OpenSRS DNS; supports only the DNS challenge via that provider.

Windows/IIS

acmesharpcore - https://github.com/PKISharp/ACMESharpCore - stars: 130 - .NET library.

acmesharpcore-powershell - https://github.com/PKISharp/ACMESharpCore-PowerShell - stars: 27 - PowerShell library

autoacme - https://github.com/ridercz/AutoACME - stars: 71 - .NET, an alternative to letsencrypt-win-simple, Windows & IIS, does not require admin rights, supports web farms.

certes - https://github.com/fszlin/certes - stars: 246 - .NET client, CLI app and library

getcert2 - https://github.com/GeorgeSchiro/GetCert2 - stars: 6 - CLI and GUI app; it copies certs to LAN storage, updates and restarts SSO across a server farm, creates new IIS websites for new domains in certificates; it is a front-end for "acme-ps".

posh-acme - https://github.com/rmbolger/Posh-ACME - stars: 206 - PowerShell, single commands for new/renewing certs, DNS challenge with many providers, pem/pfx output, no admin privilege required

win-acme - https://github.com/PKISharp/win-acme/ - stars: 3,300 - binaries available, cmd line application with "menus".

wincertes - https://github.com/aloopkin/WinCertes/tree/master/WinCertes - stars: 34 - C# client, auto renewal with Scheduled Task, config in Registry, logs to stdout and files.

Applications

Caddy - https://caddyserver.com - a web server with in-built certificate renewal.

FreeSSL.tech auto - https://freessl.tech/ - Let's Encrypt app in PHP.

haproxy-acme-validation-plugin - https://github.com/janeczku/haproxy-acme-validation-plugin - stars: 268 - requires Certbot for renewals, the plugin manages challenge validation.

Hiawatha webserver - https://www.hiawatha-webserver.org/letsencrypt - PHP package; there is no separate documentation, it is part of the web server source code, although shipped as a separate package.

Key Manager Plus - https://www.manageengine.com/key-manager/ - not open source nor free, key management for enterprises, binary downloads for Linux and Win.

KeyChest AMP - https://gitlab.com/keychest/keychestamp/-/wikis/home - a proxy for ACMEv2 that creates JSON logs that can be analyzed for malfunctions, downtimes, and rate limits.

lets-proxy2 - https://github.com/rekby/lets-proxy2 - stars: 14 - zero config (includes certs with main domain and www), proxy for shared hosting, Russian manual.

lua-resty-auto-ssl - https://github.com/GUI/lua-resty-auto-ssl - stars: 1,500 - OpenResty plugin for Let's Encrypt registration and renewals.

Mako server - https://makoserver.net/articles/Lets-Encrypt - Lua web framework with non-blocking asynchronous sockets in a tiny, ready-to-run application server package.

ponzu-cms - https://ponzu-cms.org/ - CMS system with in-built certificate renewal.

traefik - https://containo.us/traefik/ - reverse proxy with automatic certificate management.


Written by Dan