🔐 Issues certificates from any ACME provider, such as Let's Encrypt
⏰ Automatically renews certificates before they expire
🔌 Stores all data inside Vault and thus decouples from clients

Rolling out TLS encryption shouldn't need to be pitched anymore (even for internal services). Using the DNS01 ACME challenge is proven and allows issuing certs non-public routable machines. On the other hand, you need to have access to either highly-privileged/narrowly-scoped credentials of your DNS provider to solve these DNS01 challenges.

In the case of Route53, if you don't want to end up creating dozens of hosted zones, one for each of your subdomains, you're at risk of leaking highly-privileged IAM credentials.

Acmevault requests short-lived IAM credentials for Route53 and uses them to perform DNS01 challenges for the configured domains and writes the issued X509 certificates to Hashicorp Vault's K/V secret store - only readable by the appropriate AppRole.

Its client mode reads the respective written certificates from Vault and installs them to a preconfigured location, optionally invoking post-installation hooks.

$ git clone https://github.com/soerenschneider/acmevault
$ cd acmevault
$ docker run -v $(pwd)/contrib:/config ghcr.io/soerenschneider/acmevault -conf /config/server.json

Download a prebuilt binary from the releases section for your system.

As a prerequisite, you need to have Golang SDK installed. Then you can install acmevault from source by invoking:

$ go install github.com/soerenschneider/acmevault@latest

See the configuration section for examples and configuration reference.

See the metrics section for an overview of exposed metrics.

See the full changelog here