ACME Proxy

Quickstart

Mon, 01 Jan 0001 00:00:00 +0000

Quickstart#

This is the fastest path to a running acme-proxy. It uses a one-line installer script that sets up the service with sane defaults, requires only five config fields, and is ready to issue certificates in under five minutes.

For production deployments with custom install paths, build-from-source, or Docker, see install.md.

Step 1 — Install#

curl -fsSL https://raw.githubusercontent.com/esnet/acme-proxy/main/install.sh | sudo sh

The script:

Installs the step-ca binary to /opt/acme-proxy/
Writes a ca.json config template to /opt/acme-proxy/ca.json
Creates a dedicated acme-proxy service user
Registers and enables an acme-proxy.service systemd unit

The service is enabled but not started — configure ca.json first.

Install

Mon, 01 Jan 0001 00:00:00 +0000

Install#

Three methods are available. The install script is recommended for most deployments.

Method	Best for
Install script	Standard Linux servers, systemd environments
Pre-built binary	Environments where curl-pipe-to-shell is prohibited
Build from source	Development, or architectures not covered by releases
Docker	Container-based deployments

Install Script (Recommended)#

The install script downloads the appropriate release binary, creates a dedicated service user, installs a ca.json template, and registers a hardened systemd service unit.

Troubleshoot

Mon, 01 Jan 0001 00:00:00 +0000

User Guide

Mon, 01 Jan 0001 00:00:00 +0000

User Guide#

This guide covers how to obtain and automatically renew TLS certificates from acme-proxy using three common ACME clients: acme.sh, Certbot, and Lego.

ACME directory URL:

https://acme-proxy.example.com/acme/acme/directory

Replace acme-proxy.example.com with your organization’s actual acme-proxy hostname.

Prerequisites#

The ACME client must be installed and an account registered with acme-proxy before running any commands in this guide. See admin.md for installation instructions and systemd renewal timer setup.
Port 80 must be reachable from the acme-proxy server (used for HTTP-01 challenge validation).
Your domain’s DNS must resolve to the host where the ACME client runs.
Replace the following placeholders throughout this guide:
- acme-proxy.example.com — your acme-proxy hostname
- myserver.example.com — the domain you want a certificate for
- admin@example.com — your contact email

1. NGINX on Linux VM / Baremetal#

1a. acme.sh#

Register and issue a certificate (single domain):

ACME Clients

Mon, 01 Jan 0001 00:00:00 +0000

ACME Clients#

This guide covers installation and system-level configuration of ACME clients for use with acme-proxy. It is intended for system administrators deploying certificate automation on behalf of end users.

For certificate issuance commands and per-scenario usage, see user.md.

Table of Contents#

Installing ACME Clients
Account Registration
Configuring Auto-Renewal via Systemd
Log Management

Installing ACME Clients#

Certbot#

Note: Certbot’s actively maintained distribution is via Snap. The .deb packages available in apt repositories are no longer maintained by the Certbot project and ship outdated versions.

Port Requirements

Mon, 01 Jan 0001 00:00:00 +0000