· admin letsencrypt note2self

Switching to acmetool for handling Let's Encrypt stuff

Let’s Encrypt is an awesome project, but the reference client is just way too bloated for my liking. Fortunately, a number of alternative implementations, ranging from Docker-integrated magic to minimal shell scripts, emerged in the last few months. Chris Hager provides a really nice breakdown or 10 different Let’s Encrypt clients on his website, which motivated me to check out alternatives. My criteria for a replacement for the reference client were:

acmetool fulfilled all the points above.


Download the binary from GitHub or go get hlandau/acme it and build it from source. I put it at /root/acmetool. Afterwards, make sure you run the quickstart command to ack the license and setup basic stuff.

# ./acmetool quickstart

This will setup the storage in /var/lib/acme. When you choose to let it create a cronjob, it will place a file in /etc/cron.d/acmetool, which runs the acmetool’s reconcile command every day at 18:00.

Multi-Domain Considerations

acmetool itself has no concept of per-domain webroots, so when asked about the directory for the acme-challenge, enter something vhost independent if you host multiple sites on the same server. I chose /var/lib/acme/.well-known/acme-challenge, because I don’t use /var/www on my machine.

Then, create a symlink to this directory from each vhost’s document root, so that http://<domain>/.well-known/acme-challenge/ is available for each one.

Importing Let’s Encrypt data

acmetool can import existing LE data, but I chose not to because I wanted to start fresh, as I made mistakes with the original structure of my certificates and domains.

Setup Domains

Simply run the acmetool’s want command with the list of domains, give the primary one first:

# ./acmetool want xrstf.de www.xrstf.de h.xrstf.de

This can take a while. To enable more verbose logging, add --xlog.severity=debug.

Afterwards, you will find your certificates and keys in /var/lib/acme/live/<domain>/[cert|chain|fullchain|privkey].


acmetool’s error can be pretty non-descriptive:

[ERROR] acme.storage: could not obtain authorization for xrstf.de: failed all combinations
[ERROR] acme.storage: failed to request certificate for target Target(xrstf.de,www.xrstf.de,h.xrstf.de;;0): failed all combinations                                                                                                       ¦xrstf /var/lib/acme/live % ll
[CRITICAL] acmetool: fatal: reconcile: the following errors occurred:
error satisfying target Target(xrstf.de,www.xrstf.de,h.xrstf.de;;0): failed all combinations

Well… that’s bad, I guess? If you encounter this, you most likely didn’t setup the symlinks to the .well-known/acme-challenge directory correctly.