Switching to acmetool for handling Let's Encrypt stuff
Let’s Encrypt is an awesome project, but the reference client is just way too bloated for my liking. Fortunately, a number of alternative implementations, ranging from Docker-integrated magic to minimal shell scripts, emerged in the last few months. Chris Hager provides a really nice breakdown of 10 different Let’s Encrypt clients on his website, which motivated me to check out alternatives. My criteria for a replacement for the reference client were:
- single-file implementation
- support for webroot authentication
- support for creating multi-domain certificates
acmetool fulfilled all the points above.
Download the binary from GitHub or fetch it with go get hlandau/acme and build it from source. I put it in /root/acmetool. Afterwards, make sure you run the quickstart command to acknowledge the license and set up the basics.
# ./acmetool quickstart
This will set up the storage in /var/lib/acme. When you choose to let it create a cronjob, it will place a file in /etc/cron.d/acmetool, which runs acmetool’s reconcile command every day at 18:00.
acmetool itself has no concept of per-domain webroots, so when asked about the directory for the acme-challenge, enter something vhost-independent if you host multiple sites on the same server. I chose
I don’t use
/var/www on my machine.
Then, create a symlink to this directory from each vhost’s document root, so that .well-known/acme-challenge is available for each one.
Importing Let’s Encrypt data
acmetool can import existing LE data, but I chose not to because I wanted to start fresh, as I made mistakes with the original structure of my certificates and domains.
Simply run acmetool’s want command with the list of domains, giving the primary one first:
# ./acmetool want xrstf.de www.xrstf.de h.xrstf.de
This can take a while. To enable more verbose logging, add
Afterwards, you will find your certificates and keys in
acmetool’s errors can be pretty non-descriptive:
[ERROR] acme.storage: could not obtain authorization for xrstf.de: failed all combinations
[ERROR] acme.storage: failed to request certificate for target Target(xrstf.de,www.xrstf.de,h.xrstf.de;;0): failed all combinations
[CRITICAL] acmetool: fatal: reconcile: the following errors occurred: error satisfying target Target(xrstf.de,www.xrstf.de,h.xrstf.de;;0): failed all combinations
Well… that’s bad, I guess? If you encounter this, you most likely didn’t set up the symlinks to the .well-known/acme-challenge directory correctly.