README
ΒΆ
ACME Manager Documentation
Complete documentation for ACME Manager - an automated certificate management system with high availability clustering.
π Documentation
- User Documentation - For end users managing certificates
- Administrator Documentation - For system administrators
π Quick Links
For Users
For Administrators
ποΈ Architecture at a Glance
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ACME Manager Cluster β
β β
β ββββββββββββ ββββββββββββ ββββββββββββ β
β β Instance βββββββΊβ Instance βββββββΊβ Instance β β
β β #1 β β #2 β β #3 β β
β β (Leader) β β(Follower)β β(Follower)β β
β ββββββ¬ββββββ ββββββββββββ ββββββββββββ β
β β β
β β Memberlist Protocol β
β β β
βββββββββΌββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
ββββββββΊ Vault (Certificate Storage)
ββββββββΊ ACME Servers (Let's Encrypt, Sectigo)
ββββββββΊ Clients (Certificate Deployment)
β¨ Key Features
- Automatic Renewal: Certificates renewed 20-30 days before expiration
- High Availability: Distributed cluster with automatic leader election
- Secure Storage: All certificates stored in HashiCorp Vault
- Multiple Challenges: DNS and HTTP ACME challenge support
- Client Mode: Automated deployment to remote servers
- Web UI: Certificate and token management interface
- Monitoring: Prometheus metrics and alerting
- Plugin System: Extensible architecture for custom integrations
π¦ Components
Server Mode
The cluster nodes that handle certificate management:
- Certificate creation and renewal
- ACME server communication
- Vault storage integration
- API and Web UI endpoints
Client Mode
Agents deployed on servers to fetch and deploy certificates:
- Automatic certificate retrieval
- Local file deployment
- Post-deployment command execution
- Certificate monitoring
π Security Features
- Token-based Authentication: Scoped access control
- TLS Support: Secure API communication
- Vault Integration: Encrypted certificate storage
- AppRole Authentication: Secure Vault access
- Audit Logging: Complete operation tracking
- Plugin Verification: Checksum validation for plugins
π Monitoring
Built-in Prometheus metrics for:
- Certificate operations (create, renew, revoke)
- Cluster health and leader status
- Vault operation success/failure rates
- Token management
- ACME issuer health
π οΈ Technology Stack
- Language: Go 1.24+
- Clustering: HashiCorp Memberlist
- Storage: HashiCorp Vault
- ACME Client: Lego library v4.25.0
- Metrics: Prometheus
- Web Framework: Go standard library
π Quick Start
Server Installation
# Download and configure
./acme-manager-server \
-config-path=config.yml \
-ring.instance-id=node1 \
-ring.join-members=node2:7946,node3:7946
Client Installation
# Download and run
./acme-manager-client \
-client.config-path=client-config.yml \
-client.manager-url=https://acme-manager.example.com \
-client.manager-token=your-token
π Configuration Examples
Server Configuration
common:
api_key_hash: "your-sha256-hash"
rootpath_account: /var/lib/acme-manager/accounts
rootpath_certificate: /var/lib/acme-manager/certificates
http_client_retry_max: 3
http_client_retry_wait_min: 1
http_client_retry_wait_max: 10
plugins:
- name: custom-dns-provider
path: /etc/acme-manager/plugins/dns-provider.so
checksum: "sha256:abc123..."
timeout: 30
issuer:
letsencrypt:
ca_dir_url: https://acme-v02.api.letsencrypt.org/directory
eab: false
certificate_timeout: 300
overall_request_limit: 20
storage:
vault:
url: "https://vault.example.com"
role_id: "your-role-id"
secret_id: "your-secret-id"
secret_engine: "secret"
Client Configuration
common:
certificate_deploy: true
certificate_dir: /etc/ssl/certificates
cmd_enabled: true
post_cmd_run: "systemctl reload nginx"
certificate:
- domain: "example.com"
issuer: "letsencrypt"
dns_challenge: "cloudflare"
renewal_days: "30"
π Certificate Lifecycle
- Creation: Submit certificate request via API or config
- Validation: Complete DNS or HTTP ACME challenge
- Storage: Certificate stored in Vault
- Deployment: Clients fetch and deploy locally
- Renewal: Automatic renewal 20-30 days before expiration
- Cleanup: Old versions removed after grace period
π API Endpoints
| Endpoint | Method | Auth | Description |
|---|---|---|---|
/api/v1/certificate |
POST | Bearer | Create certificate |
/api/v1/certificate |
PUT | Bearer | Update certificate |
/api/v1/certificate/{issuer}/{domain} |
GET | Bearer | Get certificate |
/api/v1/certificate/{issuer}/{domain} |
DELETE | Bearer | Delete certificate |
/api/v1/token |
POST | API Key | Create token |
/metrics |
GET | None | Prometheus metrics |
/swagger |
GET | None | API documentation |
π§ Supported Providers
Certificate Authorities
- Let's Encrypt (Staging & Production)
- Sectigo
- Any ACME-compatible CA
DNS Providers (100+)
- Cloudflare
- Route53 (AWS)
- Google Cloud DNS
- NS1
- OVH, GoDaddy, Gandi, and many more
π Use Cases
- Web Servers: Nginx, Apache, HAProxy
- API Gateways: Kong, Traefik, Envoy
- Microservices: Service-to-service TLS
- IoT Devices: Certificate provisioning at scale
π€ Contributing
See the main repository for contribution guidelines.
π License
See the main repository for license information.
π Resources
π Support
- Issues: Report issues on GitHub
- Documentation: This documentation site
- Community: See main repository for community links
Version: 0.6.1+
Last Updated: October 2025
Documentation
ΒΆ
Overview ΒΆ
Package docs Code generated by swaggo/swag. DO NOT EDIT
Index ΒΆ
Constants ΒΆ
This section is empty.
Variables ΒΆ
View Source
var SwaggerInfo = &swag.Spec{ Version: "1.0", Host: "", BasePath: "/api/v1", Schemes: []string{}, Title: "acme manager server", Description: "ACME Manager Server - Manages ACME certificates in cluster mode", InfoInstanceName: "swagger", SwaggerTemplate: docTemplate, LeftDelim: "{{", RightDelim: "}}", }
SwaggerInfo holds exported Swagger Info so clients can modify it
Functions ΒΆ
This section is empty.
Types ΒΆ
This section is empty.
Source Files
Click to show internal directories.
Click to hide internal directories.