lego VS cli

Self contained but hardly a tiny supply chain attack surface: https://github.com/go-acme/lego/blob/master/go.sum

This ACME client looks promising, but I haven’t tried it yet: https://github.com/go-acme/lego

My favorite method of obtaining certificates is with lets encrypt and LEGO

Caddy where possible, and acme.sh or lego where not.

Depend on host's capability... - lego - dehydrated - caddy - in case it already works as a web server, it will automatically issue and renew certs

u/gregtwallace maybe in the short term until you write your own, you could provide a hook into one of the many ACME client implementations which do DNS-01 and support the majority of major DNS provider APIs out of the box? That would make your (really great!) project much more widely usable.

https://github.com/smallstep/cli implements some OAuth flows from the CLI, it may be helpful for you.

Is the according command line tool (https://github.com/smallstep/cli) from smallstep free and behind this GUI?

And they have an open issue for producing a chocolatey package: https://github.com/smallstep/cli/issues/365

I'm biased because I'm the founder of the company, but you should check out the certificate management toolchain (CA[1] and CLI[2]) we've built at smallstep. A big focus of the project is human-friendliness. It's not perfect (yet) but I think we've made some good progress.

We also have a hosted option[3] with a free tier that should work for individuals, homelabs, pre-production, and even small production environments. We've started building out a management UI there, and it does map to the CLI as you've described :).

[1] https://github.com/smallstep/certificates

[2] https://github.com/smallstep/cli

[3] https://smallstep.com/certificate-manager/

https://github.com/smallstep/cli is pretty amazing, tbh. Documentation is just as stellar!

https://github.com/smallstep/cli may be a bit overkill for your needs, but it's an epic toolkit and well worth checking out!