After trying out different ACME clients, like dehydrated or getssl, I always came back to certbot. But now, I have finally switched to acme.sh, which, as a simple shell script, is compatible with my KISS ideology. It is used by some big projects like FreeBSD and Proxmox, for their SSL needs.
Lots of features
Out of the box, you get support for over 70 DNS hooks (from cloud providers like Amazon to actual software like PowerDNS). Then there are deploy hooks for software like HAProxy and even CPanel. Possibilites are endless with little effort thanks to the great documentation.
Oh and of course, it has webroot mode as well. But as with every other ACMEv2 client, it can not be used to request wildcard certificates, which I need.
No extra dependencies
While the web server part of the script needs some, you can simply download
acme.sh script and use it right away. certbot would install a ton of
python packages, possibly creating conflicts on a system where python is used
for running production apps.
What’s more, this software can run on anything that has a shell. It is written as POSIX compliant shell script and so are its DNS hooks and deploy scripts. No bash to be seen. This is an advantage on systems like Alpine Linux and non-Linux systems.
Does not ask for root access
I am not saying that certbot or dehydrated can not be used without root
access. But by default, they ask for it. This is understandable if you want
them to start a web server on privileged ports or reconfigure your current web
server, but not if you simply want a tool for the job - getting the CSR in
place and then contacting certificate authority’s servers to verify it and
download the certificate. None of this requires root access, especially when
using DNS challenges or having a proxied
.well-known location set up
on the web server prior to the verification.
A lot of users contributed to this project, that is why it has so many features. It already implemented ACMEv2 and ECC certificates. They also set up continous integration to make accepting new contributions fast and easy.
My use case
I use acme.sh with dns01 challenge. However, NSD nameserver, which I use, does not support dynamic DNS updates. Therefore I have written a little script, which appends the required challenges to the zone file on the disk and then reloads the NSD daemon. While certbot can most certailny do this too, this is much more elegant and flexible in case I want to switch to a different technology in the future.