# acme_manager

Repository: https://github.com/fgouteroux/acme-manager (Go, Apache-2.0 license; topics: acme, certificate, memberlist, vault). Repository last pushed 2025-04-07; README as synced 2025-04-19.

ACME Manager is a tool designed to create, manage, and deploy ACME certificates on servers. It handles automatic renewal, monitors expiration dates, and ensures seamless deployment for applications or proxies.

![Acme Manager](img/home.png)

## Features

- **Certificate Management**: Automatically renews certificates 30 days before expiration.
- **Cluster Mode**: Operates in a cluster using the Memberlist protocol with automatic leader election.
- **Vault Storage**: Stores certificates securely in Vault.
- **DNS/HTTP Challenges**: Supports both challenge methods for domain validation.
- **Metrics and Monitoring**: Provides application Prometheus metrics and a web UI for certificate management.
- **Automatic refresh**: Configuration files are periodically reloaded without a service restart.
- **Client Local Certificate**: Ensures that the certificates a client has deployed locally are always up to date.
- **Client Local Cmd Run**: Runs a custom command once a certificate has been created/updated/renewed/deployed on the client.

## How It Works

1. ACME Manager creates certificates using [ACME](https://datatracker.ietf.org/doc/html/rfc8555).
2. Certificates are stored securely in Vault.
3. The application monitors expiration dates and renews certificates as needed (by default 30 days before expiration).


### Usage

```
usage: acme_manager [<flags>]


Flags:
  -h, --[no-]help                Show context-sensitive help (also try --help-long and --help-man).
      --server.listen-address=":8989"
                                 server listen address
      --server.tls-cert-file=SERVER.TLS-CERT-FILE
                                 server tls certificate file
      --server.tls-key-file=SERVER.TLS-KEY-FILE
                                 server tls key file
      --server.tls-client-ca-file=SERVER.TLS-CLIENT-CA-FILE
                                 Root certificate authority used to verify client certificates
      --server.http-read-timeout=300
                                 Read timeout for entire HTTP request, including headers and body
      --server.http-read-header-timeout=10
                                 Read timeout for HTTP request headers
      --config-path="config.yml"
                                 Config path
      --env-config-path=".env"   Environment vars config path
      --check-renewal-interval=30m
                                 Time interval to check if certificate renewal needed
      --check-config-interval=30s
                                 Time interval to check if config file changes
      --check-token-interval=1m  Time interval to check if tokens expired
      --check-issuer-interval=10m
                                 Time interval to check issuer health
      --ring.instance-id=RING.INSTANCE-ID
                                 Instance ID to register in the ring.
      --ring.instance-addr=RING.INSTANCE-ADDR
                                 IP address to advertise in the ring. Default is auto-detected.
      --ring.instance-port=7946  Port to advertise in the ring.
      --ring.instance-interface-names=RING.INSTANCE-INTERFACE-NAMES
                                 List of network interface names to look up when finding the instance IP address.
      --ring.join-members=RING.JOIN-MEMBERS
                                 Other cluster members to join.
      --[no-]client              Enables client mode.
      --[no-]client.pull-only    Set client in pull mode. Manage local certificate files based on remote server changes.
      --client.manager-url="http://localhost:8989/api/v1"
                                 Client manager URL ($ACME_MANAGER_URL)
      --client.manager-token=CLIENT.MANAGER-TOKEN
                                 Client manager token ($ACME_MANAGER_TOKEN)
      --client.tls-ca-file=CLIENT.TLS-CA-FILE
                                 Client manager tls ca certificate file
      --client.tls-cert-file=CLIENT.TLS-CERT-FILE
                                 Client manager tls certificate file
      --client.tls-key-file=CLIENT.TLS-KEY-FILE
                                 Client manager tls key file
      --[no-]client.tls-skip-verify
                                 Client manager tls skip verify
      --client.config-path="client-config.yml"
                                 Client config path
      --client.check-config-interval=5m
                                 Time interval to check if client config file changes and to update local certificate file
      --log.level=info           Only log messages with the given severity or above. One of: [debug, info, warn, error]
      --log.format=logfmt        Output format of log messages. One of: [logfmt, json]
      --[no-]version             Show application version.
```

### Cluster Mode

Acme Manager runs in cluster mode using the memberlist protocol.

![Memberlist](img/memberlist.png)

One instance of the ring is elected leader. It is the only instance that makes requests to ACME servers, stores certificates in Vault, and stores non-sensitive data in the ring's key/value store.

If the leader instance goes down, another one is elected and starts managing certificates.

### Env File

Acme Manager loads environment variables from a `.env` file. This is how the DNS challenge providers are configured, since the lego library reads their settings from the environment.

### Config file

Any valid ACME issuer can be added in the `issuer` block.

A private key must exist for each configured issuer under `rootpath_account`, here:
- /tmp/accounts/sectigo/private_key.pem
- /tmp/accounts/letsencrypt/private_key.pem

```
common:
  api_key_hash: 123abc456def
  rootpath_account: /tmp/accounts
  rootpath_certificate: /tmp/certificates

issuer:
  sectigo:
    ca_dir_url: https://acme.sectigo.com/v2/OV
    eab: true
    kid: kid_value
    hmac: hmac_value
  letsencrypt:
    ca_dir_url: https://acme-staging-v02.api.letsencrypt.org/directory

storage:
  vault:
    role_id: "role_id_value"
    secret_id: "secret_id_value"
    url: "https://vault.example.com"
    secret_engine: "myengine"
    certificate_prefix: "certificates"
    token_prefix: "tokens"
    mount_path: "login/approle"
```

Required Common parameters:
- **api_key_hash** (string): the hash of the API key used to manage tokens.
- **rootpath_account** (string): path under which issuer private keys and account files are found.
- **rootpath_certificate** (string): path where certificate files are stored temporarily before being written to Vault.

Optional Common parameters:
- **cert_days_renewal** (int): Number of days before expiration at which a certificate should be renewed (default: 30).

Optional Issuer parameters:
- **eab** (bool): Use External Account Binding for account registration. Requires `kid` and `hmac`.
- **kid** (string): Key identifier from the external CA. Used for External Account Binding.
- **hmac** (string): MAC key from the external CA, in base64url encoding without padding. Used for External Account Binding.
- **http_challenge** (string): HTTP challenge provider name to use for domain validation.
- **dns_challenge** (string): DNS challenge provider name to use for domain validation.
- **contact** (string): email used for registration and as the recovery contact.
- **overall_request_limit** (int): ACME overall request limit.
- **certificate_timeout** (int): certificate timeout value in seconds when obtaining a certificate.
- **unregister** (bool): deletes the account registration from the issuer. ACME does not provide a way to reactivate a deactivated account; to register an account again you must use a new private key.

### Server Mode

Certificates are managed through API endpoints, each protected by one of two authentication schemes:

| HTTP Method            | Endpoint                     |  Auth Type Supported       |
|------------------------|------------------------------|----------------------------|
| GET                    | /api/v1/certificate/metadata | Bearer Token               |
| GET, POST, PUT, DELETE | /api/v1/certificate          | Bearer Token               |
| GET, POST, PUT, DELETE | /api/v1/token                | API key Header             |

See the swagger page: http://localhost:8989/swagger/index.html

The examples below use plain `http://localhost` for brevity. Because the API key and the bearer tokens travel in request headers, expose the API over TLS (see the `--server.tls-*` flags and the TLS section below) in any real deployment.

#### Generate an API key:
```
# Generate a random string
API_KEY=$(openssl rand -base64 32)

# Hash the random string with SHA1 and put it in the `api_key_hash` of acme manager config
$ echo -n $API_KEY | sha1sum
96a0585f6d3c3f90f74cdb963e7664f2ee8a10bb  -

# Your API KEY to use for curl command and others.
$ echo $API_KEY
GMZgFB3nYxTgISIqr8YAezgNpxePJqgOeU9o3/JRwS8=

```

Only the hash is stored in the server config; the API key itself is presented in the `X-API-Key` header and should be kept out of config files and shell history.

#### Token endpoint

Required parameters:
- **username** (string): token username
- **scope** (list of string): token scope

Optional parameters:
- **expires** (string): token duration (if not set, the token never expires)

##### Obtain a new token:
```
curl -XPOST \
  'http://localhost:8989/api/v1/token' \
  -H "X-API-Key: GMZgFB3nYxTgISIqr8YAezgNpxePJqgOeU9o3/JRwS8=" \
  -d '{
  "username":"testfgx",
  "scope":["read","create","update","delete"]
}'

{
  "expires": "Never",
  "id": "94e0c649-de98-476a-a5cc-ff1201512605",
  "scope": [
    "read",
    "create",
    "update",
    "delete"
  ],
  "token": "OTRlMGM2NDktZGU5OC00NzZhLWE1Y2MtZmYxMjAxNTEyNjA1OkczdTFUSkUtc1FCM05veEhtQXNVcW0xYXd4OXp4Z19V",
  "tokenHash": "2fba65b7e4c953148427407cd556c9b49043e1a4",
  "username": "testfgx"
}
```

The `token` value is only returned by this call and by PUT; later reads return only `tokenHash`.

##### Update the token scope and set a 30-day expiration
```
curl -XPUT \
  'http://localhost:8989/api/v1/token' \
  -H "X-API-Key: GMZgFB3nYxTgISIqr8YAezgNpxePJqgOeU9o3/JRwS8=" \
  -d '{
  "id": "94e0c649-de98-476a-a5cc-ff1201512605",
  "username":"testfgx",
  "scope":["read"],
  "expires":"30d"
}'

{
  "expires": "2025-02-09 11:09:01 +0000 UTC",
  "id": "94e0c649-de98-476a-a5cc-ff1201512605",
  "scope": [
    "read"
  ],
  "token": "OTRlMGM2NDktZGU5OC00NzZhLWE1Y2MtZmYxMjAxNTEyNjA1OmpTeGtoUUwzd0MwQWl4Vzk1aU9mVjM4RzdIbWwzQ0F6",
  "tokenHash": "e7bf79d0b679fe56014cb8e87358ac459880f6dd",
  "username": "testfgx"
}
```

Note that the update returns a new `token` and `tokenHash`: the previous token value stops working once the scope or expiry is changed.

##### Read the token (no token value, contains only the hash)
```
curl -XGET \
  'http://localhost:8989/api/v1/token/94e0c649-de98-476a-a5cc-ff1201512605' \
  -H "X-API-Key: GMZgFB3nYxTgISIqr8YAezgNpxePJqgOeU9o3/JRwS8="

{
  "hash": "e7bf79d0b679fe56014cb8e87358ac459880f6dd",
  "scope": [
    "read"
  ],
  "username": "testfgx",
  "expires": "2025-02-09 11:09:01 +0000 UTC"
}
```

##### Revoke the token
```
curl -XDELETE \
  'http://localhost:8989/api/v1/token/94e0c649-de98-476a-a5cc-ff1201512605' \
  -H "X-API-Key: GMZgFB3nYxTgISIqr8YAezgNpxePJqgOeU9o3/JRwS8="
```

#### Certificate endpoint

Required parameters:
- **domain** (string): the certificate's domain name
- **issuer** (string): the issuer name, as configured in the `issuer` block
- **csr** (string): PEM-encoded certificate signing request, base64 encoded

Optional parameters:
- **bundle** (bool): if true, append the issuer's certificate to the new certificate
- **renewal_days** (string): number of days, or interval of days, before automatic certificate renewal
- **days** (int): number of days before certificate expiration
- **san** (string, comma separated): DNS domain names to add to the certificate
- **http_challenge** (string): HTTP challenge provider name to use for domain validation
- **dns_challenge** (string): DNS challenge provider name to use for domain validation


##### Get the certificate
```
curl -X 'GET' \
  'http://localhost:8989/api/v1/certificate/letsencrypt/testfgx01.example.com' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer MDIxYjUwNzUtMmQ....'

{
  "cert": "-----BEGIN CERTIFICATE-----\nMIIFUT...\n-----END CERTIFICATE-----\n",
  "csr": "LS0...",
  "ca_issuer": "\n-----BEGIN CERTIFICATE-----\nMIIFTT...\n-----END CERTIFICATE-----\n",
  "issuer": "letsencrypt",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b8cfad6a7516ac17349...",
  "domain": "testfgx01.example.com",
  "owner": "testfgx"
}
```

##### Obtain a new certificate

```
curl -X 'POST' \
  'http://localhost:8989/api/v1/certificate' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer MDIxYjUwNzUtMmQ....' \
  -H 'Content-Type: application/json' \
  -d '{
  "dns_challenge": "ns1",
  "domain": "testfgx01.example.com",
  "issuer": "letsencrypt",
  "renewal_days": "30",
  "csr": "LS0..."
}'

{
  "cert": "-----BEGIN CERTIFICATE-----\nMIIFUT...\n-----END CERTIFICATE-----\n",
  "csr": "LS0...",
  "ca_issuer": "\n-----BEGIN CERTIFICATE-----\nMIIFTT...\n-----END CERTIFICATE-----\n",
  "issuer": "letsencrypt",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b8cfad6a7516ac17349...",
  "domain": "testfgx01.example.com",
  "owner": "testfgx"
}
```

##### Update a certificate (revokes the old one and creates a new one)

```
curl -X 'PUT' \
  'http://localhost:8989/api/v1/certificate' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer MDIxYjUwNzUtMmQ....' \
  -H 'Content-Type: application/json' \
  -d '{
  "dns_challenge": "ns1",
  "domain": "testfgx01.example.com",
  "issuer": "letsencrypt",
  "renewal_days": "30",
  "san": "testfgx02.example.com",
  "csr": "LS0..."
}'

{
  "cert": "-----BEGIN CERTIFICATE-----\nMIIFUT...\n-----END CERTIFICATE-----\n",
  "csr": "LS0...",
  "ca_issuer": "\n-----BEGIN CERTIFICATE-----\nMIIFTT...\n-----END CERTIFICATE-----\n",
  "issuer": "letsencrypt",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b8cfad6a7516ac17349...",
  "domain": "testfgx01.example.com",
  "owner": "testfgx"
}
```

##### Revoke a certificate

```
curl -X 'DELETE' \
  'http://localhost:8989/api/v1/certificate/letsencrypt/testfgx01.example.com' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer MDIxYjUwNzUtMmQ....'
```

Tokens and certificates are read from Vault on every GET call.


### Client Mode

Acme Manager can run in client mode to obtain certificates from an Acme Manager server.

It needs the Acme Manager server URL and a token.

The client starts by reading its config file, fetches the listed certificates from the Acme Manager server, and deploys them.
It then regularly checks whether certificates have been renewed or changed and redeploys them.

Local certificate deployment is controlled by `certificate_deploy` in the `common` block.

It is also possible to execute a custom command once certificates have been generated or revoked, with `cmd_enabled`.

The client starts a web server to expose its metrics.

```
$ acme_manager --client.config-path config.yml --client

ts=2025-01-10T10:18:49.077Z caller=client.go:40 level=info msg="Checking certificates from config file"
ts=2025-01-10T10:18:49.165Z caller=client.go:224 level=info msg="Deployed certificate /etc/myapp/ssl/letsencrypt/testfgx01.example.com.crt"
ts=2025-01-10T10:18:49.165Z caller=client.go:233 level=info msg="Deployed private key /etc/myapp/ssl/letsencrypt/testfgx01.example.com.key"
ts=2025-01-10T10:18:49.173Z caller=cmd.go:29 level=info msg="Command '/usr/bin/systemctl reload myapp' successfully executed"
ts=2025-01-10T10:18:49.174Z caller=main.go:269 level=info msg="Listening on" address=:8989
ts=2025-01-10T10:18:49.174Z caller=main.go:271 level=info msg="TLS is disabled." address=:8989

```

#### Client Certificate config file

Optional Common parameters:
- **certificate_deploy** (bool): If set to true, deploy the certificate and private key in the given `certificate_dir`
- **certificate_backup** (bool): If set to true, back up the certificate and private key using the `vault` storage config
- **certificate_dir** (string): Directory in which to deploy issuer certificates and private keys
- **certificate_dir_perm** (uint32): Unix permission for the certificate directory, in octal (default: 0700)
- **certificate_file_perm** (uint32): Unix permission for certificate files, in octal (default: 0600)
- **certificate_keyfile_perm** (uint32): Unix permission for certificate key files, in octal (default: 0600)
- **certificate_file_ext** (string): certificate file extension (default: ".crt")
- **certificate_keyfile_ext** (string): certificate key file extension (default: ".key")
- **certificate_keyfile_no_generate** (bool): If set to true, do not auto-generate the private key; use the provided file (default: false)
- **cmd_enabled** (bool): If set to true, allow running the pre and post commands.
- **pre_cmd_run** (string): Command to run before applying certificate changes.
- **pre_cmd_timeout** (int): Pre command timeout in seconds (default: 60)
- **post_cmd_run** (string): Command to run after applying certificate changes.
- **post_cmd_timeout** (int): Post command timeout in seconds (default: 60)
- **revoke_on_update** (bool): If set to true, revoke the old certificate on update (default: false)
- **revoke_on_delete** (bool): If set to true, revoke the certificate on delete (default: false)
- **delay_before_delete** (string): If set, the duration to wait before deleting a certificate

Optional Certificate parameters:
- **bundle** (bool): if true, append the issuer's certificate to the new certificate
- **renewal_days** (string): number of days, or interval of days, before automatic certificate renewal
- **days** (int): number of days before certificate expiration
- **san** (string, comma separated): DNS domain names to add to the certificate
- **http_challenge** (string): HTTP challenge provider name to use for domain validation
- **dns_challenge** (string): DNS challenge provider name to use for domain validation
- **labels** (key=value string, comma separated): labels to attach to the certificate, used by the metric `acme_manager_certificate_expiry`


```
common:
  certificate_deploy: true
  certificate_backup: true
  certificate_dir: /etc/myapp/ssl/

  cmd_enabled: true
  post_cmd_run: /usr/bin/systemctl reload myapp
  post_cmd_timeout: 30

storage:
  vault:
    role_id: "role_id_value"
    secret_id: "secret_id_value"
    url: "https://vault.example.com"
    secret_engine: "myengine"
    certificate_prefix: "backup/certificates"
    mount_path: "login/approle"

certificate:
  - domain: testfgx01.example.com
    issuer: letsencrypt

  - domain: testfgx02.example.com
    issuer: sectigo
```

### DNS and HTTP Challenge

acme-manager supports DNS and HTTP challenges (thanks to the lego library).

#### HTTP Challenge

- [memcached](https://github.com/go-acme/lego/blob/master/providers/http/memcached/memcached.go)
- [s3](https://github.com/go-acme/lego/blob/master/providers/http/s3/s3.go)
- [webroot](https://github.com/go-acme/lego/blob/master/providers/http/webroot/webroot.go)
- [acme-manager kvring](https://github.com/fgouteroux/acme-manager/blob/main/certstore/http_challenge.go)

The acme-manager `kvring` challenge allows HTTP domain validation through the HTTP endpoint embedded in Acme Manager.

Setting `http_challenge: kvring` stores the challenge token in the kvring, from where it can be retrieved with a call like:
```
curl http://testfgx01.example.com/.well-known/acme-challenge/NClsmGOVJqV9jx8xBLO6kabcxBufpLGcu5oUjjhhu1o
```

Once the domain is validated, the challenge token value is removed from the kvring.

#### DNS Challenge

All DNS providers from the lego library are supported.

For the environment variables available for each DNS provider, check the [lego page](https://go-acme.github.io/lego/dns/).

Example for [NS1](https://go-acme.github.io/lego/dns/ns1/):

- `NS1_API_KEY="secretapikey"`
- `NS1_TTL="120"`
- `NS1_HTTP_TIMEOUT="10"`
- `NS1_POLLING_INTERVAL="2"`
- `NS1_PROPAGATION_TIMEOUT="60"`

Environment variables available to customize the DNS check:

- `ACME_MANAGER_DNS_PROPAGATIONDISABLEANS`: When set to true, disables waiting for the TXT record to propagate to all authoritative name servers.
- `ACME_MANAGER_DNS_PROPAGATIONRNS`: When set to true, uses all the recursive name servers to check propagation of the TXT record.
- `ACME_MANAGER_DNS_PROPAGATIONWAIT`: When set, disables all propagation checks of the TXT record and waits for the given duration instead.
- `ACME_MANAGER_DNS_RESOLVERS`: Resolvers to use for DNS requests; by default the authoritative DNS server is queried.
- `ACME_MANAGER_DNS_TIMEOUT`: DNS timeout value in seconds when querying authoritative name servers (default: "10").

### Managed certificate web UI

The endpoint http://localhost:8989/certificates returns a page listing all managed certificates.

### Managed token web UI

The endpoint http://localhost:8989/tokens returns a page listing all managed tokens.

### Metrics Exposed

**App metrics**

This endpoint returns metrics about the app itself.

```
# HELP acme_manager_build_info A metric with a constant '1' value labeled by version, revision, branch, goversion from which acme_manager was built, and the goos and goarch for the build.
# TYPE acme_manager_build_info gauge
acme_manager_build_info{branch="HEAD",goarch="amd64",goos="linux",goversion="go1.22.10",revision="f9b7946ad9150bfd1e9b19ff5d1f8b47ceffdbc3",tags="unknown",version="0.1.5"} 1
# HELP acme_manager_certificate_created_total Number of created certificates by issuer and owner
# TYPE acme_manager_certificate_created_total counter
acme_manager_certificate_created_total{issuer="letsencrypt",owner="testfgx"} 1
acme_manager_certificate_created_total{issuer="sectigo",owner="testfgx"} 1
# HELP acme_manager_certificate_revoked_total Number of revoked certificates by issuer and owner
# TYPE acme_manager_certificate_revoked_total counter
acme_manager_certificate_revoked_total{issuer="sectigo",owner="testfgx"} 1
# HELP acme_manager_certificate_total Number of managed certificates by issuer and owner
# TYPE acme_manager_certificate_total gauge
acme_manager_certificate_total{issuer="letsencrypt",owner="testfgx"} 1
acme_manager_certificate_total{issuer="sectigo",owner="testfgx"} 1
# HELP acme_manager_issuer_config_error 1 if there was an error with issuer config, 0 otherwise
# TYPE acme_manager_issuer_config_error gauge
acme_manager_issuer_config_error{issuer="letsencrypt"} 0
acme_manager_issuer_config_error{issuer="sectigo"} 0
# HELP acme_manager_vault_delete_secret_success_total Number of created vault secrets
# TYPE acme_manager_vault_delete_secret_success_total counter
acme_manager_vault_delete_secret_success_total 1
# HELP acme_manager_vault_get_secret_success_total Number of retrieved vault secrets
# TYPE acme_manager_vault_get_secret_success_total counter
acme_manager_vault_get_secret_success_total 5
# HELP acme_manager_vault_put_secret_success_total Number of created/updated vault secrets
# TYPE acme_manager_vault_put_secret_success_total counter
acme_manager_vault_put_secret_success_total 2
```

### Limitations

Currently only Vault storage with AppRole login is supported.

### TLS and basic authentication

Acme Manager supports TLS and basic authentication. This enables better control of the various HTTP endpoints.

To use TLS and/or basic authentication, you need to pass a configuration file using the `--web.config.file` parameter. The format of the file is described
[in the exporter-toolkit repository](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md).

### Sources

- [Lego](https://github.com/go-acme/lego)
- [Hashicorp Memberlist](https://github.com/hashicorp/memberlist)
- [Grafana Distributed systems kit](https://github.com/grafana/dskit)
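The "Generate an API key" section above produces a random key with `openssl rand -base64 32`, stores its SHA-1 hex digest as `api_key_hash`, and expects the raw key in the `X-API-Key` header on the token endpoint. The following is an added example written for this page, not acme-manager's own code: it reproduces the same key and hash shapes in Go and shows the server-side check a practitioner would want, a constant-time comparison of digests wrapped around a handler. The `RequireAPIKey` middleware and its 401 behaviour are this example's design, not something the README documents.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
)

// GenerateAPIKey mirrors `openssl rand -base64 32`: 32 random bytes, standard base64.
func GenerateAPIKey() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// HashAPIKey mirrors `echo -n $API_KEY | sha1sum`: lowercase hex SHA-1 of the key bytes.
// This is the value that goes into api_key_hash.
func HashAPIKey(key string) string {
	sum := sha1.Sum([]byte(key))
	return hex.EncodeToString(sum[:])
}

// VerifyAPIKey hashes the presented key and compares it with the configured hash in
// constant time, so a rejected key reveals nothing about how many bytes matched.
func VerifyAPIKey(presented, configuredHash string) bool {
	got := HashAPIKey(presented)
	return subtle.ConstantTimeCompare([]byte(got), []byte(configuredHash)) == 1
}

// RequireAPIKey is an example middleware (not the project's): requests whose
// X-API-Key header does not hash to configuredHash get 401 and never reach next.
func RequireAPIKey(configuredHash string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !VerifyAPIKey(r.Header.Get("X-API-Key"), configuredHash) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	key, err := GenerateAPIKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("API_KEY:     ", key)
	fmt.Println("api_key_hash:", HashAPIKey(key))
}
```

Running the block prints a fresh key and the matching `api_key_hash` to paste into the server config; the key itself is what the `curl` calls in the token section send.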
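The token endpoint section above returns a `token`, a `tokenHash`, a `scope` list and an `expires` value. The `token` in the README's example is standard base64 of `<id>:<secret>` (it decodes to `94e0c649-de98-476a-a5cc-ff1201512605:G3u1TJE-sQB3NoxHmAsUqm1awx9zxg_U`), and later reads expose only the hash. The block below is an added example for this page, not acme-manager's implementation, of how a server verifies such a bearer token: look the record up by id, compare a hash of the presented token in constant time, enforce expiry, and map the scope to the HTTP method. It assumes the stored hash is hex SHA-1 over the whole token string, that `expires` accepts a day count such as `30d` as well as Go durations, and that `read`/`create`/`update`/`delete` correspond to GET/POST/PUT/DELETE; all three are this example's assumptions, not facts stated by the README. `MintToken` exists only so the example can build a record to test against.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// StoredToken is what the server keeps: never the token, only its hash (assumed SHA-1 hex).
type StoredToken struct {
	ID       string
	Username string
	Hash     string
	Scope    []string  // subset of read/create/update/delete
	Expires  time.Time // zero value means the token never expires
}

// ParseExpires accepts "30d", "12h", "45m" ("d" is not understood by time.ParseDuration).
func ParseExpires(s string, now time.Time) (time.Time, error) {
	s = strings.TrimSpace(s)
	if s == "" || strings.EqualFold(s, "never") {
		return time.Time{}, nil
	}
	if strings.HasSuffix(s, "d") {
		days, err := strconv.Atoi(strings.TrimSuffix(s, "d"))
		if err != nil || days <= 0 {
			return time.Time{}, fmt.Errorf("bad day count %q", s)
		}
		return now.Add(time.Duration(days) * 24 * time.Hour), nil
	}
	d, err := time.ParseDuration(s)
	if err != nil || d <= 0 {
		return time.Time{}, fmt.Errorf("bad duration %q", s)
	}
	return now.Add(d), nil
}

// SplitToken decodes the base64 token and returns the id that precedes the first ':'.
func SplitToken(tok string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(tok)
	if err != nil {
		return "", err
	}
	id, _, ok := strings.Cut(string(raw), ":")
	if !ok || id == "" {
		return "", errors.New("token is not id:secret")
	}
	return id, nil
}

func hashToken(tok string) string {
	sum := sha1.Sum([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// scopeForMethod is the assumed verb-to-scope mapping.
var scopeForMethod = map[string]string{
	http.MethodGet: "read", http.MethodPost: "create",
	http.MethodPut: "update", http.MethodDelete: "delete",
}

// Authorize returns the token owner when the Authorization header carries a known,
// unexpired token scoped for method. Every authentication failure returns the same
// generic error so the response does not reveal which check failed.
func Authorize(store map[string]StoredToken, authz, method string, now time.Time) (string, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authz, prefix) {
		return "", errors.New("unauthorized")
	}
	tok := strings.TrimSpace(strings.TrimPrefix(authz, prefix))
	id, err := SplitToken(tok)
	if err != nil {
		return "", errors.New("unauthorized")
	}
	st, ok := store[id]
	if !ok || subtle.ConstantTimeCompare([]byte(hashToken(tok)), []byte(st.Hash)) != 1 {
		return "", errors.New("unauthorized")
	}
	if !st.Expires.IsZero() && !now.Before(st.Expires) {
		return "", errors.New("unauthorized")
	}
	need := scopeForMethod[method]
	for _, s := range st.Scope {
		if s == need {
			return st.Username, nil
		}
	}
	return "", errors.New("forbidden")
}

// MintToken builds the id:secret token and its stored record (example helper only).
func MintToken(id, username, secret string, scope []string, expires time.Time) (string, StoredToken) {
	tok := base64.StdEncoding.EncodeToString([]byte(id + ":" + secret))
	return tok, StoredToken{ID: id, Username: username, Hash: hashToken(tok), Scope: scope, Expires: expires}
}
```

The id is looked up from the decoded token before any secret comparison, so the map lookup cost does not depend on the secret; only the hash comparison touches secret material, and it is constant time. A token updated via PUT gets a new secret, which is why the README's update response shows a different `token` and `tokenHash`.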
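The certificate endpoint section above takes `csr` as a PEM certificate signing request that is then base64 encoded (hence the `LS0...` prefix, which is base64 of `-----`), together with `domain` and an optional comma-separated `san`. The block below is an added example for this page, not acme-manager's code: the client side builds a key and such a CSR for a domain plus SANs, and the server side decodes it and checks what is worth checking before spending ACME rate limit on it, namely a valid self-signature and that every name in the CSR is one the caller actually asked for. The P-256 key type and the decision to reject CSRs carrying IP, email or URI SANs are this example's choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// splitSAN turns the API's comma-separated san string into trimmed, non-empty names.
func splitSAN(san string) []string {
	var out []string
	for _, s := range strings.Split(san, ",") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// BuildCSR generates a P-256 key and a CSR whose CN and first DNS SAN are domain, with
// the extra san names appended, and returns the key plus the base64 of the PEM CSR,
// which is the form the certificate endpoint expects in its csr field.
func BuildCSR(domain, san string) (*ecdsa.PrivateKey, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domain},
		DNSNames: append([]string{domain}, splitSAN(san)...),
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, "", err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return key, base64.StdEncoding.EncodeToString(pemBytes), nil
}

// ValidateCSR is the server-side check: decode base64 then PEM, verify the CSR's own
// signature, and refuse any CN or SAN that is not covered by domain and san.
func ValidateCSR(csrB64, domain, san string) (*x509.CertificateRequest, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(csrB64)
	if err != nil {
		return nil, fmt.Errorf("csr is not base64: %w", err)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("csr is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("csr parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	allowed := map[string]bool{domain: true}
	for _, s := range splitSAN(san) {
		allowed[s] = true
	}
	if cn := csr.Subject.CommonName; cn != "" && !allowed[cn] {
		return nil, fmt.Errorf("CN %q is not among the requested names", cn)
	}
	for _, n := range csr.DNSNames {
		if !allowed[n] {
			return nil, fmt.Errorf("SAN %q is not among the requested names", n)
		}
	}
	if len(csr.IPAddresses) > 0 || len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 {
		return nil, errors.New("only DNS names are accepted")
	}
	return csr, nil
}
```

The name check matters because the token that calls POST `/api/v1/certificate` authorises a `domain` and `san`, while the CSR is opaque client input; without comparing the two, a caller could slip an extra name into the CSR and have it validated under someone else's challenge configuration.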
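The client mode section above describes deploying `<domain>.crt` and `<domain>.key` under `certificate_dir` with `certificate_dir_perm` 0700 and file permissions 0600, redeploying only when a certificate has changed, and then running `post_cmd_run` under `post_cmd_timeout` when `cmd_enabled` is set. The block below is an added example for this page, not acme-manager's own client code, of those mechanics done safely: files are written to a temporary name and renamed into place so a reader never sees a half-written key, permissions are re-asserted even when the content is unchanged, the function reports whether anything was written so the caller can decide to run the post command, and the post command runs without a shell under a context timeout. The `DeployConfig` field names follow the README's config keys; the `<dir>/<issuer>/<domain>` layout is taken from the log sample in that section.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"time"
)

// DeployConfig mirrors the client "common" keys this example uses.
type DeployConfig struct {
	CertificateDir string
	DirPerm        os.FileMode // certificate_dir_perm (default 0700)
	FilePerm       os.FileMode // certificate_file_perm (default 0600)
	KeyPerm        os.FileMode // certificate_keyfile_perm (default 0600)
	FileExt        string      // certificate_file_ext (default ".crt")
	KeyExt         string      // certificate_keyfile_ext (default ".key")
	CmdEnabled     bool        // cmd_enabled
	PostCmdRun     string      // post_cmd_run
	PostCmdTimeout time.Duration
}

// DeployCertificate writes <dir>/<issuer>/<domain><ext> for the certificate and key,
// atomically and only when content differs, and reports whether anything changed.
func DeployCertificate(cfg DeployConfig, issuer, domain string, cert, key []byte) (bool, error) {
	dir := filepath.Join(cfg.CertificateDir, issuer)
	if err := os.MkdirAll(dir, cfg.DirPerm); err != nil {
		return false, err
	}
	if err := os.Chmod(dir, cfg.DirPerm); err != nil { // MkdirAll is subject to umask
		return false, err
	}
	files := []struct {
		path string
		data []byte
		perm os.FileMode
	}{
		{filepath.Join(dir, domain+cfg.FileExt), cert, cfg.FilePerm},
		{filepath.Join(dir, domain+cfg.KeyExt), key, cfg.KeyPerm},
	}
	changed := false
	for _, f := range files {
		c, err := writeIfChanged(f.path, f.data, f.perm)
		if err != nil {
			return changed, err
		}
		changed = changed || c
	}
	return changed, nil
}

// writeIfChanged replaces path with data via temp file + rename; unchanged content only
// gets its permissions re-asserted, so a manual chmod 644 on a key does not survive.
func writeIfChanged(path string, data []byte, perm os.FileMode) (bool, error) {
	if old, err := os.ReadFile(path); err == nil && bytes.Equal(old, data) {
		return false, os.Chmod(path, perm)
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), "."+filepath.Base(path)+".*")
	if err != nil {
		return false, err
	}
	defer os.Remove(tmp.Name()) // no-op after a successful rename
	_, werr := tmp.Write(data)
	if werr == nil {
		werr = tmp.Chmod(perm)
	}
	if werr == nil {
		werr = tmp.Sync()
	}
	if cerr := tmp.Close(); werr == nil {
		werr = cerr
	}
	if werr != nil {
		return false, werr
	}
	return true, os.Rename(tmp.Name(), path)
}

// RunPostCmd runs post_cmd_run split on whitespace, with no shell, under post_cmd_timeout.
// It returns the command's combined output and a timeout error if the deadline hit.
func RunPostCmd(cfg DeployConfig) (string, error) {
	argv := strings.Fields(cfg.PostCmdRun)
	if !cfg.CmdEnabled || len(argv) == 0 {
		return "", nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), cfg.PostCmdTimeout)
	defer cancel()
	out, err := exec.CommandContext(ctx, argv[0], argv[1:]...).CombinedOutput()
	if ctx.Err() == context.DeadlineExceeded {
		return string(out), fmt.Errorf("%q timed out after %s", cfg.PostCmdRun, cfg.PostCmdTimeout)
	}
	return string(out), err
}
```

Calling `RunPostCmd` only when `DeployCertificate` reported a change is what keeps a periodic `--client.check-config-interval` loop from reloading the application every five minutes.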
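The HTTP Challenge section above describes the `kvring` provider: the challenge token is stored in the ring's key/value store, served at `/.well-known/acme-challenge/<token>` by the embedded HTTP endpoint, and removed once validation succeeds. The block below is an added example for this page, not acme-manager's `certstore/http_challenge.go`, showing the two halves of that design with an in-memory map standing in for the kvring: a store whose `Present`/`CleanUp` methods have the signature of lego's `challenge.Provider` interface, and an HTTP handler that answers only exact well-known paths whose token is a known base64url string. The token charset check and the 404-for-everything-else behaviour are this example's choices.

```go
package main

import (
	"net/http"
	"regexp"
	"strings"
	"sync"
)

// http01Path is the well-known prefix ACME validators fetch (RFC 8555 section 8.3).
const http01Path = "/.well-known/acme-challenge/"

// ACME tokens are base64url without padding; anything else is never looked up, which
// also rules out path tricks such as "..", "/" or "%" reaching the store.
var tokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ChallengeStore stands in for the ring's key/value store: token -> key authorization.
type ChallengeStore struct {
	mu   sync.RWMutex
	auth map[string]string
}

func NewChallengeStore() *ChallengeStore {
	return &ChallengeStore{auth: map[string]string{}}
}

// Present has the signature of lego's challenge.Provider, so the store can be handed to
// lego as the HTTP-01 provider. domain is unused: the validator sends only the token.
func (s *ChallengeStore) Present(domain, token, keyAuth string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.auth[token] = keyAuth
	return nil
}

// CleanUp removes the token once validation is done, matching the README's behaviour.
func (s *ChallengeStore) CleanUp(domain, token, keyAuth string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.auth, token)
	return nil
}

// Pending reports how many challenges are currently being served.
func (s *ChallengeStore) Pending() int {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return len(s.auth)
}

// ServeHTTP answers GET/HEAD /.well-known/acme-challenge/<token> with the key
// authorization for a known token and 404 for anything else.
func (s *ChallengeStore) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet && r.Method != http.MethodHead {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	token, ok := strings.CutPrefix(r.URL.Path, http01Path)
	if !ok || !tokenRE.MatchString(token) {
		http.NotFound(w, r)
		return
	}
	s.mu.RLock()
	keyAuth, found := s.auth[token]
	s.mu.RUnlock()
	if !found {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "text/plain")
	w.Write([]byte(keyAuth))
}
```

Because the validator only ever asks for the exact token lego handed to `Present`, the handler has no reason to list, search or prefix-match the store; the narrow regex and exact-key lookup are what keep an internet-facing endpoint from becoming a way to probe the ring's key/value space.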