A pure Unix shell script implementing ACME client protocol | TLS library

by acmesh-official | Shell | Version: 3.0.6 | License: GPL-3.0

Summary

This is a Shell library typically used in Security, TLS applications. It has no bugs, it has no vulnerabilities, it has a Strong Copyleft License and it has medium support. You can download it from GitHub.

It's probably the easiest & smartest shell script to automatically issue & renew the free certificates. For Docker fans: Docker.

            Support

     has a medium active ecosystem.
              It has 32036 star(s) with 4360 fork(s). There are 490 watchers for this library.
              There were 1 major release(s) in the last 12 months.
              There are 858 open issues and 1864 have been closed. On average issues are closed in 172 days. There are 197 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of is 3.0.6

            Quality

     has 0 bugs and 0 code smells.

            Security

     has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
     Code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            License

     is licensed under the GPL-3.0 License. This license is Strong Copyleft.
              Strong Copyleft licenses enforce sharing, and you can use them when creating open source projects.

            Reuse

     releases are available to install and integrate.
              Installation instructions, examples and code snippets are available.


            Community Discussions


            Different domain with different phpmyadmin service and the "same port" problem (nginx reverse proxy, docker)
            Asked 2022-Mar-20 at 12:09

            I have a VPS with nginx-proxy container, and I create some wordpress website with phpmyadmin service. If I want to create another site with this definition, I get the "same port" problem. Ok, I can change the port to 2998 and it works fine, but I need to add a new open port to my VPS. I don't want to add or change the port for each site.


            • -> example-a phpmyadmin login page
            • -> example-b phpmyadmin login page

            Is there a way to direct me to the appropriate container by domain address?

            • -> example-a phpmyadmin login page
            • -> example-b phpmyadmin login page

            My nginx proxy definition



            Answered 2022-Mar-07 at 12:49

            What you want is not possible, but you probably don't actually want it. It becomes clear once you think through what you want to configure, and what would happen if a user would go to either URL:

            • you have configured to point to your IP
            • you have configured to point to your IP
            • you have configured your nginx-proxy container to listen on ports 80 and 443
            • you want to configure your WordPress containers to both listen on port 2999
            • you, or rather the acme-companion, have configured your nginx container to forward HTTP requests that ask for host to go to the container for example A with port 2999, and requests that ask for to go to container B with port 2999

            Now, you can see right away that you have two things attempting to listen on the same network interface with port 2999 - that doesn't work, and it can't, because who would handle picking up incoming requests before the request is parsed to find out which host it wanted? Container A can't accept the request and, if it's meant for B, hand the request over - A doesn't know about B.

            So if you think about a user sending a request to, what really happens is that a request goes to :2999, just like if a user goes to, it will end up going to :2999.

            How can that problem be solved? By having a third container C that accepts user requests, looks into the request, and based on whether they wanted container A or B, hands the request over to A or B.

            Here is the great thing: you already have that! Container C is really your nginx container, which is listening on port 80/443. So if your users go to without providing a port, it will go to 80 or 443 (depending on whether they used http or https). Then, nginx will analyze the request, and send it to the correct container. For this, it doesn't really matter what port A and B listen on, because to the outside world, it looks like they are listening on 80/443.

            So the real answer is that while you can't combine custom ports with virtual hosts and use the same port for multiple containers (other than 80/443), you don't actually NEED custom ports in the first place! If you just configure your containers with the default ports, users can use both and and it will 'just work'™



            Azure DNS - Terraform - Ignore TXT Value
            Asked 2021-Nov-02 at 04:10

            I have some Terraform code which works, but I want to be able to ignore the DNS TXT record value, as this is updated externally using another tool (. I have tried multiple different types of HCL to ignore the value; the Terraform HCL does not fail, it just sets the value back to the original value.

            Any help would be appreciated.



            Answered 2021-Nov-02 at 04:10

            I tried testing using the same code that you have provided and was successfully able to deploy the resources, then manually changed the value of the record from the portal and applied the terraform code again, and it didn't make any changes; it just changed the value of the previous record to the newer value from the portal in the terraform state file.

            Note: I used Terraform v1.0.5 on windows_amd64 + provider v2.83.0.

            As confirmed by @Lain, the issue was resolved after upgrading the azurerm from 2.70.0 to latest.



            Yaws basic auth letsencrypt
            Asked 2021-Oct-17 at 20:50

            I have a domain in stealth mode, protected by basic auth. Basic auth is not supported by Letsencrypt and probably never will (

            After moving from Nginx to Yaws, the next Letsencrypt renewal is scheduled. So here is a problem. I could disable basic auth in Yaws, do the renewal and then enable again, but that is no real solution.

            There are easy workarounds for Apache and Nginx, i.e. define an exception to basic auth for the directory /.well-known/acme-challenge.

            How to do that in Yaws? The basic auth definition for my domain in yaws.conf is now



            Answered 2021-Oct-17 at 20:50

            For each subdirectory you want to exclude, add a .yaws_auth file to that subdirectory with the contents



            Include Letsencrypt Root certificate in Azure Application Gateway
            Asked 2021-Oct-14 at 15:49

            I'm trying to follow the Azure Tutorial on how to get API Management under a vnet and accessible through an application gateway (WAF). I'm stuck trying to upload the root cert into application gateway. It says that the "Data for certificate is invalid"; apparently Azure Application Gateway doesn't like Letsencrypt certs.

            My certs are:


            I have used acmesh to generate all certs:



            Answered 2021-Aug-30 at 21:17

            Why do you want to add the Let's Encrypt Root CA cert on your application gateway?

            From my understanding the Root CA from Let's Encrypt is ISRG Root X1, and this one should already be trusted by clients (browsers). You only want to add the Root CA if you have self-signed certificates.

            Here is a workflow with storing the certs in Azure Key Vault:

            Another Workflow here describes adding certs with ACME challenges:



            Problem running acme-companion when setting up nginx-proxy
            Asked 2021-Sep-13 at 11:46

            I'm trying to run a fairly simple docker stack, but for some reason it is failing to register certificates.

            My composer:



            Answered 2021-Sep-13 at 11:46

            If anyone stumbles on to this issue then here is the fix. It seems to affect alpine version 3.13 and probably other ones.




            Installed GHOST on NGINX server and I broke its ssl config file, now NGINX won't restart
            Asked 2021-Aug-28 at 21:14
            server {
                listen 443 ssl http2;
                listen [::]:443 ssl http2;
                root /var/www/creationist/system/nginx-root; # Used for SSL verification (
                ssl_certificate /etc/letsencrypt/;
                ssl_certificate_key /etc/letsencrypt/;
                include /etc/nginx/snippets/ssl-params.conf;
                location / {
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header Host $http_host;
                }
                location ~ /.well-known {
                    allow all;
                }
                client_max_body_size 50m;
            }
            # everything below this line sits outside the server { ... } block
             proxy_pass http://websocket;
                        proxy_http_version 1.1;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        proxy_set_header HOST $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto $scheme;
                        proxy_pass_request_headers on;


            Answered 2021-Aug-28 at 21:14

            The error message says "proxy_pass" directive is not allowed here ...:28. If you check line 28 you can see that you have some statements which start with proxy_pass http://websocket; ... and which are out of the server {...} scope.

            The proxy pass directive must be used in the scope of a location. So I would remove everything which is out of server {...}. Also make sure that the service defined at line 17 (proxy_pass;) is up and running.
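The two nginx threads above (routing several sites through one front proxy by Host header, and the proxy_pass directive that is only valid inside a location) describe the same well-formed vhost; the Yaws thread's point about exempting /.well-known/acme-challenge from basic auth applies to nginx in the same way. The script below renders that config, as an added example that is not code from any of the threads, from nginx-proxy or from acme.sh. The hostnames example-a.test and example-b.test, the backend names phpmyadmin_a and phpmyadmin_b, their ports and the webroot /var/www/acme are assumed placeholders; the script prints the config and checks it rather than installing it.

```shell
#!/bin/sh
# Added example (not from the original threads, nginx-proxy or acme.sh):
# one front proxy on port 80 routes by Host header to a backend container on
# its own internal port, and the ACME http-01 challenge path is served from a
# webroot with basic auth switched off. Hostnames, backends, ports and the
# webroot are assumed placeholders.

# render_vhost HOST BACKEND PORT WEBROOT
# Prints a server block for HOST that forwards everything to http://BACKEND:PORT
# except the challenge path, which is served straight from WEBROOT.
render_vhost() {
    host=$1; backend=$2; port=$3; webroot=$4
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $host;

    # Challenge files are written here by the ACME client; never proxied,
    # never behind auth, so renewals keep working on a protected site.
    location ^~ /.well-known/acme-challenge/ {
        root $webroot;
        auth_basic off;
        allow all;
    }

    # proxy_pass is only valid inside a location block.
    location / {
        proxy_pass http://$backend:$port;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # Only needed if the backend speaks WebSocket; harmless otherwise.
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# balanced_braces FILE -> exit 0 if the counts of '{' and '}' match.
# A block pasted after the final '}' (the mistake in the question above)
# usually shows up here before nginx -t ever runs.
balanced_braces() {
    opens=$(grep -o '{' "$1" | wc -l)
    closes=$(grep -o '}' "$1" | wc -l)
    [ "$opens" -eq "$closes" ]
}

# count_directive FILE DIRECTIVE -> number of lines that set DIRECTIVE
count_directive() {
    grep -c "^[[:space:]]*$2[[:space:]]" "$1"
}

# build_site OUTFILE: two hosts share port 80 externally while their
# backends keep their own internal ports (assumed names and ports).
build_site() {
    out=$1
    {
        render_vhost example-a.test phpmyadmin_a 80   /var/www/acme
        render_vhost example-b.test phpmyadmin_b 8080 /var/www/acme
    } > "$out"
}

tmp=$(mktemp)
build_site "$tmp"
balanced_braces "$tmp" && echo "braces balanced"
echo "server blocks: $(count_directive "$tmp" server_name)"
cat "$tmp"
rm -f "$tmp"
```

Both backends are reached on plain HTTP from the proxy; only the front container needs the certificate, which is why the per-site "custom port" in the question is unnecessary.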



            Why can't write certificate.crt with acme?
            Asked 2021-Aug-03 at 12:15
            root@vultr:~# systemctl  status  nginx
            ● nginx.service - A high performance web server and a reverse proxy server
               Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
               Active: active (running) since Wed 2021-07-28 02:16:44 UTC; 23min ago
                 Docs: man:nginx(8)
             Main PID: 12999 (nginx)
                Tasks: 2 (limit: 1148)
               Memory: 8.2M
               CGroup: /system.slice/nginx.service
                       ├─12999 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
                       └─13000 nginx: worker process
            Jul 28 02:16:44 vultr.guest systemd[1]: Starting A high performance web server and a reverse proxy server...
            Jul 28 02:16:44 vultr.guest systemd[1]: nginx.service: Failed to parse PID from file /run/ Invalid argument
            Jul 28 02:16:44 vultr.guest systemd[1]: Started A high performance web server and a reverse proxy server.


            Answered 2021-Aug-03 at 12:15

            From v3.0.0, ZeroSSL is used as the default CA; you must register the account first (one-time) before you can issue new certs.

            Here is how ZeroSSL compares with LetsEncrypt.

            With ZeroSSL as CA

            You must register at ZeroSSL before issuing a certificate. To register, run the command below (assuming is the email address with which you want to register)



            Docker rootless Error: you need to share your Docker host socket with a volume at /var/run/docker.sock
            Asked 2021-Jul-13 at 03:19

            I am trying to go rootless with Docker.

            I have followed all the steps presented in the official documentation. I also allowed the use of the unprivileged ports, to include the 443.

            To test if everything works the way I need it, I installed the "nginx-proxy-automation".

            Everything got installed flawlessly. However, the jrcs/letsencrypt-nginx-proxy-companion:2.1 container



            Answered 2021-Jul-13 at 03:14

            This is a jrcs/letsencrypt-nginx-proxy-companion-specific bug; if you look in the docker-compose.yml you will see this.



            Postfix not using given ssl certificate
            Asked 2021-Apr-10 at 15:31

            I'm getting errors, such as the one below, in my /var/log/mail.log file.



            Answered 2021-Apr-10 at 15:31

            So, turns out, when I updated my certificate locations when I changed the method of acquiring them (certbot vs, I got a typo in one of the filenames. /etc/dovecot/conf.d/10-ssl.conf was correct and so was /etc/postfix/, but /etc/postfix/ had a typo which I didn't see previously - and so was throwing a certificate error.



            how to get into directory ~/'*' in bash script
            Asked 2021-Mar-11 at 00:10

            I have been using to generate several in-house website certificates

            Of late, I am trying to automate this task.

            I have the following within my bash script:



            Answered 2021-Mar-10 at 23:30

            cd [dir] is used to change the current directory. The optional dir is a single directory. You clarified that the directory in question had a literal '*', so escape that with cd ~/\*


            Community Discussions, Code Snippets contain sources that include Stack Exchange Network




            Check this project:
            Clone this project and launch installation. You don't have to be root then, although it is recommended.
            Create and copy to your home dir ($HOME): ~/ All certs will be placed in this folder too.
            Create alias for:
            Create daily cron job to check and renew the certs if needed.

            Install/copy the cert/key to the production Apache or Nginx path.
            After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. You MUST use this command to copy the certs to the target files; DO NOT use the cert files in the ~/ folder, they are for internal use only, and the folder structure may change in the future.
            Only the domain is required; all the other parameters are optional.
            The ownership and permission info of existing files are preserved. You can pre-create the files to define the ownership and permission.
            The cert will be renewed every 60 days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: service apache2 force-reload or service nginx force-reload.
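The install step above carries the security-relevant rule on this page: the private key is copied into a path whose ownership and permission bits you chose in advance, and those bits survive every renewal. The script below spells that step out as an added example; it is not acme.sh's own code. Overwriting an existing target in place with cat keeps its inode, owner, group and mode, while a target that does not yet exist is created private to the current user. The file names, the temporary directory and the stand-in reload command are assumed, and GNU stat is assumed for reading the mode.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: the "install cert to the production
# path, preserving ownership and permissions, then reload" step written out.
# Paths, file names and the reload command below are assumed placeholders.

# mode_of FILE -> octal permission bits, e.g. 640 (GNU stat assumed)
mode_of() { stat -c '%a' "$1"; }

# install_file SRC DST
# If DST exists, overwrite it *in place* with cat: the file keeps its inode,
# owner, group and mode, so a pre-created 640 key file stays 640 after every
# renewal. If DST does not exist, create it readable by the current user only.
install_file() {
    src=$1; dst=$2
    if [ -e "$dst" ]; then
        cat "$src" > "$dst"
    else
        ( umask 077; cp "$src" "$dst" ) && chmod 600 "$dst"
    fi
}

# install_cert KEY FULLCHAIN KEY_DST CHAIN_DST RELOAD_CMD
# Copies both files from the client's internal folder to the server's paths,
# then runs the reload command once, and only if both copies succeeded
# (in production RELOAD_CMD would be e.g. "service nginx force-reload").
install_cert() {
    install_file "$1" "$3" && install_file "$2" "$4" && sh -c "$5"
}

# Self-contained demo on constructed files in a temporary directory.
# Returns 0 when the pre-created key kept its 640 mode and new content,
# the new chain file was created 600, and the reload command ran.
demo() {
    d=$(mktemp -d)
    # Constructed stand-ins for the files in the client's internal folder.
    printf 'NEW-KEY\n'   > "$d/internal.key"
    printf 'NEW-CHAIN\n' > "$d/internal.fullchain"
    # Pre-created target key with a deliberately chosen mode.
    printf 'OLD-KEY\n' > "$d/server.key"
    chmod 640 "$d/server.key"

    install_cert "$d/internal.key" "$d/internal.fullchain" \
                 "$d/server.key"   "$d/server.fullchain" \
                 "echo reload-would-run-here > $d/reloaded"

    ok=1
    [ "$(mode_of "$d/server.key")" = "640" ]         || ok=0
    [ "$(cat "$d/server.key")" = "NEW-KEY" ]         || ok=0
    [ "$(mode_of "$d/server.fullchain")" = "600" ]   || ok=0
    [ "$(cat "$d/server.fullchain")" = "NEW-CHAIN" ] || ok=0
    [ -f "$d/reloaded" ]                             || ok=0
    rm -rf "$d"
    [ "$ok" -eq 1 ]
}

demo && echo "install step preserved permissions and reloaded"
```

The reason to prefer this over copying from the internal folder with cp is visible in install_file: cp onto an existing path also overwrites in place, but a cp that creates the file, or any tool that renames a fresh file over the target, would give the key the default umask mode and the current user's ownership instead of the ones you set.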


   Supported CAs:
            • CA (default)
            • CA
            • Pebble strict mode
            • Any other RFC8555-compliant CA
            Find more information at:
