acme-tiny VS acme-dns

Going to throw another hat into the ring here: I use acme-tiny [1], which is a single file ACME client written in Python in under 200 lines. The idea behind it is that you can fully read and understand everything it does without spending too much time on it. I really like this approach, so I went ahead and started using it, and have been for a few years now.

[1] https://github.com/diafygi/acme-tiny

Let’s Encrypt with ACME-Tiny

Recommendation from me as well. Have been using this script for multiple years now without a single issue. The minimal code is awesome for avoiding unnecessary external dependencies and complexity.

Be sure to use the latest version from https://github.com/diafygi/acme-tiny though :-)

Getting a wildcard certificate from LE might be a better option, depending on how easy the extra bit of if plumbing is with your lab setup.

You need to use DNS based domain identification, and once you have a cert distribute it to all your services. The former can be automated using various common tools (look at https://github.com/joohoi/acme-dns, self-hosted unless you are only securing toys you don't really care about, if you self host DNS or your registrar doesn't have useful API access) or you can leave that as an every ~ten weeks manual job, the latter involves scripts to update you various services when a new certificate is available (either pushing from where you receive the certificate or picking up from elsewhere). I have a little VM that holds the couple of wildcard certificates (renewing them via DNS01 and acmedns on a separate machine so this one is impossible to see from the outside world), it pushes the new key and certificate out to other hosts (simple SSH to copy over then restart nginx/Apache/other).

Of course you may decide that the shin if your own CA is easier than setting all this up, as you can sign long lived certificates for yourself. I prefer this because I don't need to switch to something else if I decide to give friends/others access to something.

One of my inspirations for getlocalcert is a tool to make DNS-01 easier.

acme-dns let's you add a CNAME to another DNS zone, which let's you issue certificates for the former domain name using a convenient API for the latter zone. Seriously read about it, it's awesome.

https://github.com/joohoi/acme-dns/

That tool is open source and self-hostable. getlocalcert also provides this feature, but as a hosted service. Choose the method you prefer.

https://docs.getlocalcert.net/tips/validation-domain/

Once DNS-01 is easy, wildcard certs are easy. Here's the docs for setting up a wildcard cert via getlocalcert:

This leverages the ACME DNS server which has a REST API:

* https://github.com/joohoi/acme-dns

If your DNS provider has an API, you can hook into that for internal-only web servers; this handy code supports several dozen APIs so you don't have to re-invent the wheel:

* https://github.com/AnalogJ/lexicon

* https://pypi.org/project/dns-lexicon/

* https://dns-lexicon.readthedocs.io/en/latest/user_guide.html

As someone else said, it’s a huge pain to run your own dns services. However, if you want some separation, I recently saw https://github.com/joohoi/acme-dns

v0.9.1 is out and natively supports both https://github.com/joohoi/acme-dns and any dns provider available in https://github.com/acmesh-official/acme.sh

What DNS challenge providers are supported? Specifically, is acme-dns (https://github.com/joohoi/acme-dns) supported?

I have set up an acme-dns server to answer ACME DNS Challenges: https://github.com/joohoi/acme-dns

Wanting to set up acme-dns for acquiring wildcard certificates. I have a decent understanding of DNS and Let's Encrypt (at least HTTP validation), but there are a few things I don't quite understand after having read the instructions. Can't really find any sort of support channel.