After trying out different ACME clients, like dehydrated or getssl, I always came back to certbot. But now, I have finally switched to acme.sh, which, as a simple shell script, is compatible with my KISS ideology. It is used by some big projects like FreeBSD and Proxmox, for their SSL needs.

Lots of features

Out of the box, you get support for over 70 DNS hooks (from cloud providers like Amazon to actual software like PowerDNS). Then there are deploy hooks for software like HAProxy and even CPanel. Possibilites are endless with little effort thanks to the great documentation.

Oh and of course, it has webroot mode as well. But as with every other ACMEv2 client, it can not be used to request wildcard certificates, which I need.

No extra dependencies

While the web server part of the script needs some, you can simply download this acme.sh script and use it right away. certbot would install a ton of python packages, possibly creating conflicts on a system where python is used for running production apps.

What’s more, this software can run on anything that has a shell. It is written as POSIX compliant shell script and so are its DNS hooks and deploy scripts. No bash to be seen. This is an advantage on systems like Alpine Linux and non-Linux systems.

Does not ask for root access

I am not saying that certbot or dehydrated can not be used without root access. But by default, they ask for it. This is understandable if you want them to start a web server on privileged ports or reconfigure your current web server, but not if you simply want a tool for the job - getting the CSR in place and then contacting certificate authority’s servers to verify it and download the certificate. None of this requires root access, especially when using DNS challenges or having a proxied .well-known location set up on the web server prior to the verification.

Rapid development

A lot of users contributed to this project, that is why it has so many features. It already implemented ACMEv2 and ECC certificates. They also set up continous integration to make accepting new contributions fast and easy.

My use case

I use acme.sh with dns01 challenge. However, NSD nameserver, which I use, does not support dynamic DNS updates. Therefore I have written a little script, which appends the required challenges to the zone file on the disk and then reloads the NSD daemon. While certbot can most certailny do this too, this is much more elegant and flexible in case I want to switch to a different technology in the future.