Switching to acmetool for handling Let's Encrypt stuff
Let’s Encrypt is an awesome project, but the reference client is just way too bloated for my liking. Fortunately, a number of alternative implementations, ranging from Docker-integrated magic to minimal shell scripts, emerged in the last few months. Chris Hager provides a really nice breakdown of 10 different Let’s Encrypt clients on his website, which motivated me to check out alternatives. My criteria for a replacement for the reference client were:
- single-file implementation
- support for webroot authentication
- support for creating multi-domain certificates
acmetool fulfilled all the points above.
Installation
Download the binary from GitHub or go get hlandau/acme and build it from source. I put it at /root/acmetool. Afterwards, make sure you run the quickstart command to acknowledge the license and set up the basics.
# ./acmetool quickstart
This will set up the storage in /var/lib/acme. When you choose to let it create a cronjob, it will place a file in /etc/cron.d/acmetool, which runs acmetool’s reconcile command every day at 18:00.
Multi-Domain Considerations
acmetool itself has no concept of per-domain webroots, so when asked about the directory for the acme-challenge, enter something vhost-independent if you host multiple sites on the same server. I chose /var/lib/acme/.well-known/acme-challenge, because I don’t use /var/www on my machine.
Then, create a symlink to this directory from each vhost’s document root, so that http://<domain>/.well-known/acme-challenge/ is available for each one.
Importing Let’s Encrypt data
acmetool can import existing LE data, but I chose not to because I wanted to start fresh, as I made mistakes with the original structure of my certificates and domains.
Setup Domains
Simply run acmetool’s want command with the list of domains, giving the primary one first:
# ./acmetool want xrstf.de www.xrstf.de h.xrstf.de
This can take a while. To enable more verbose logging, add --xlog.severity=debug.
Afterwards, you will find your certificates and keys in /var/lib/acme/live/<domain>/[cert|chain|fullchain|privkey].
Errors
acmetool’s errors can be pretty non-descriptive:
[ERROR] acme.storage: could not obtain authorization for xrstf.de: failed all combinations
[ERROR] acme.storage: failed to request certificate for target Target(xrstf.de,www.xrstf.de,h.xrstf.de;;0): failed all combinations
[CRITICAL] acmetool: fatal: reconcile: the following errors occurred:
error satisfying target Target(xrstf.de,www.xrstf.de,h.xrstf.de;;0): failed all combinations
Well… that’s bad, I guess? If you encounter this, you most likely didn’t set up the symlinks to the .well-known/acme-challenge directory correctly.
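Since "failed all combinations" usually comes down to a missing or wrong symlink, here is a small POSIX sh helper that creates the per-vhost symlink described in the multi-domain section and verifies it the way the CA would see it, by writing a token into the shared directory and reading it back through the vhost path. This is an added example, not code from the original post or from acmetool; the shared directory and document roots are whatever you chose during quickstart (the post uses /var/lib/acme/.well-known/acme-challenge).

```shell
#!/bin/sh
# Added example, not part of the original post or of acmetool.
# Assumes one shared challenge directory (SHARED) and one document root
# per vhost (DOCROOT); both paths are taken from your own setup.

# link_challenge_dir SHARED DOCROOT
# Creates DOCROOT/.well-known/acme-challenge as a symlink to SHARED.
# Refuses to clobber a real directory that already sits at that path.
link_challenge_dir() {
    shared=$1; docroot=$2
    link="$docroot/.well-known/acme-challenge"
    mkdir -p "$shared" "$docroot/.well-known" || return 1
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "refusing to replace real directory $link" >&2
        return 1
    fi
    rm -f "$link" && ln -s "$shared" "$link"
}

# check_challenge_dir SHARED DOCROOT
# Returns 0 if DOCROOT/.well-known/acme-challenge resolves to SHARED and a
# constructed token written into SHARED is readable through the vhost path
# (the same round trip the CA performs over HTTP); returns 1 otherwise.
check_challenge_dir() {
    shared=$1; docroot=$2
    link="$docroot/.well-known/acme-challenge"
    [ -d "$shared" ] && [ -d "$link" ] || return 1
    # Both must be the same physical directory, not merely similar names.
    [ "$(cd "$shared" && pwd -P)" = "$(cd "$link" && pwd -P)" ] || return 1
    token="probe-$$"                       # constructed, throwaway token
    printf 'ok' > "$shared/$token" || return 1
    content=$(cat "$link/$token" 2>/dev/null || true)
    rm -f "$shared/$token"
    [ "$content" = "ok" ]
}
```

Run check_challenge_dir once per vhost before calling acmetool want; any non-zero exit points at the document root whose symlink is missing or pointing elsewhere.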