acme2certifier

acme2certifier is development project to create an ACME protocol proxy. Main intention is to provide ACME services on CA servers which do not support this protocol yet. It consists of two libraries:

• acme_srv/*.py - a bunch of classes implementing ACME server functionality based on rfc8555
• ca_handler.py - interface towards CA server. The intention of this library is to be modular that an adaption to other CA servers should be straight forward. As of today the following handlers are available:
  • Openssl
  • NetGuard Certificate Manager/Insta Certifier
  • NetGuard Certificate Lifecycle Manager
  • Generic EST protocol handler
  • Generic CMPv2 protocol handler
  • Microsoft Certificate Enrollment Web Services
  • Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) via RPC/DCOM
  • Generic ACME protocol handler supporting Letsencrypt, BuyPass.com and ZeroSSL
  • XCA
  • acme2dfn (external; ACME proxy for the German research network's SOAP API)

For more up-to-date information and further documentation, please visit the project's home page at: https://github.com/grindsa/acme2certifier

ChangeLog

Release notes and ChangLog can be found at https://github.com/grindsa/acme2certifier/releases

Disclaimer

Following acme-clients are used for regular testing of server functionality

• acme.sh
• Certbot
• lego
• acmeshell
• cert-manager
• win-acme
• Posh-ACME

Other clients are on my list for later testing. In case you are bored, feel free to test other ACME clients and raise issues if something does not work as expected.

Command-line parameters used for testing

I am not a professional developer. Keep this in mind while laughing about my code and don’t forget to send patches.

Project status

As of today acme2certifier supports the below ACME functions:

• "directory" resource (Section 7.1.1)
• "newNonce" resource (Section 7.2)
• "newAccount" resource (Section 7.3)
  • Finding an Account URL Given a Key (Section 7.3.1)
  • Account update (Section 7.3.2)
  • Exernal Account Binding (Section 7.3.4)
  • Key Rollover (Section 7.3.5)
  • Account Deactivation (Section 7.3.6)
• "new-order" resource (Section 7.4)
• "order finalization" (Section 7.4)
• "certificate download" (Section 7.4.2)
• "authz" resource (Section 7.5)
• "challenge" resource (Section 7.5.1)
• "certificate revocation" (Section 7.6)

Starting from version 0.4 acme2certifer includes experimental support for TNAuthList identifiers and tkauth-01 challenges. Check tnauthlist.md for further information.

Starting from version 0.8 acme2certifier supports certificate polling and call backs from CA servers. These calls are not standardized but important to use acme2certifier together with classical enterprise CA servers,

Following challenge types are supported:

• http-01
• dns-01
• tls-alpn-01
• tkauth-01

Additional functionality will be added over time. If you are badly missing a certain feature please raise an issue to let me know.

Installation

The proxy can run either as plain wsgi-script on either apache or nginx or as django project. Running acme2certifier as django project allows to use other database backends than SQLite.

The fastest and most convenient way to install acme2certifier is to use docker containers. There are ready made images available at dockerhub and ghcr.io as well as instructions to build your own container.

• acme2certifier in Github container repository
• acme2certifier repository at hub.docker.com
• Instructions to build your own container
• Installation as wsgi-script running on apache2
• Installation as wsgi-script running on NGINX

Contributing

Please read CONTRIBUTING.md for details on my code of conduct, and the process for submitting pull requests. Please note that I have a life besides programming. Thus, expect a delay in answering.

Versioning

I use SemVer for versioning. For the versions available, see the tags on this repository.

License

This project is licensed under the GPLv3 - see the LICENSE file for details