# acme-dns-tiny

[![build status](https://projects.adorsaz.ch/adrien/acme-dns-tiny/badges/master/build.svg)](https://projects.adorsaz.ch/adrien/acme-dns-tiny/commits/master)
[![coverage status](https://projects.adorsaz.ch/adrien/acme-dns-tiny/badges/master/coverage.svg)](https://projects.adorsaz.ch/adrien/acme-dns-tiny/commits/master)

This is a tiny, auditable script that you can throw on any secure machine to
issue and renew [Let's Encrypt](https://letsencrypt.org/) certificates with DNS
validation.

Since it needs access to your private ACME account key and the rights to
update the DNS records on your DNS server, this code has been designed to be
as tiny as possible (currently less than 250 lines).
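To make concrete what the script does with those two privileges, here is an added example (not code from acme-dns-tiny or from acme-tiny) that derives the `_acme-challenge` TXT record value an ACME client must publish for DNS validation, following RFC 8555 section 8.4 and the JWK thumbprint rules of RFC 7638. The modulus, exponent and token below are constructed sample values, and the helper names (`rsa_jwk`, `jwk_thumbprint`, `dns01_txt_value`, `record_for`) are chosen here, not an interface of the script.

```python
# Added example, not code from acme-dns-tiny: derive the DNS-01 TXT value that
# an ACME client publishes at _acme-challenge.<domain>. Standard library only.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def rsa_jwk(n: int, e: int) -> dict:
    """Public JWK for an RSA account key; the private part never leaves account.key."""
    return {
        "kty": "RSA",
        "n": b64url(n.to_bytes((n.bit_length() + 7) // 8, "big")),
        "e": b64url(e.to_bytes((e.bit_length() + 7) // 8, "big")),
    }


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638: only the required members, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JSON, base64url-encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 8.4: TXT = base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


# Constructed sample input: an arbitrary 512-bit number standing in for the
# modulus (real account keys are 2048 bits or more) and a token of the shape
# the ACME server sends. Demonstration values only.
SAMPLE_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F
SAMPLE_E = 65537
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def record_for(domain: str, token: str = SAMPLE_TOKEN, n: int = SAMPLE_N, e: int = SAMPLE_E) -> tuple:
    """Return (record name, TXT value) that the dynamic DNS update must publish."""
    return (f"_acme-challenge.{domain}", dns01_txt_value(token, rsa_jwk(n, e)))


if __name__ == "__main__":
    name, value = record_for("example.com")
    print(f'{name}. 60 IN TXT "{value}"')
```

The thumbprint ties the challenge answer to the account key; combined with the right to write `_acme-challenge` records, that is everything needed to get a certificate issued, which is why the README insists on auditing the code and locking both secrets down.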

The only prerequisites are Python 3, OpenSSL and the dnspython module (use a
release earlier than 1.14.0: the 1.14.0 release has a bug with dynamic DNS
updates).

**PLEASE READ THE SOURCE CODE! YOU MUST TRUST IT!
IT HANDLES YOUR ACCOUNT PRIVATE KEYS!**

Note: this script is a fork of the [acme-tiny project](https://github.com/diafygi/acme-tiny),
which uses ACME HTTP verification to create signed certificates, whereas this
fork uses DNS verification.

## Donate

If this script is useful to you, please donate to the EFF. I don't work there,
but they do fantastic work.

[https://eff.org/donate/](https://eff.org/donate/)

## How to use this script

See the [HowTo Use](howto-use) wiki page for the main instructions.

You may also be interested in the [HowTo Setup with BIND9](howto-setup-with-bind9)
page, which shows a step-by-step example of setting up the script with a
BIND9 DNS server.

Note that this script can be run on any secure machine that has access to the
Internet and to your public DNS server.

## Permissions

The biggest problem you'll likely come across while setting up and running this
script is permissions.

You want to limit access for this script to:
* Your account private key
* Your Certificate Signing Request (CSR) file (which does not contain your domain key)
* Your configuration file (which contains the DNS update secret)

I'd recommend creating a user specifically to run this script and to own the
above files. This user should *NOT* have access to your domain key!

**BE SURE TO:**
* Backup your account private key (e.g. `account.key`)
* Don't allow this script to be able to read your *domain* private key!
* Don't allow this script to be run as *root*!
* Understand and correctly configure your cron job to do everything you need
  (write it in your preferred language for managing your server)
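As an added example of the permission rules above (it is not part of acme-dns-tiny), the following POSIX shell functions create a directory layout in which only the account key and the configuration file are secret, and audit it so that a world-readable secret, an open directory or a misplaced domain key is reported before the cron job ever runs. The user name `acme`, the directory and file names, the `useradd` line and the cron entry in the comments are assumptions for illustration; adapt them to your system and to the HowTo Use page.

```sh
#!/bin/sh
# Added example, not part of acme-dns-tiny: prepare and audit a least-privilege
# home for the script's files. Assumes a dedicated, unprivileged user exists;
# on most Linux systems it could be created with (hypothetical command line):
#   useradd --system --home-dir /var/lib/acme --shell /usr/sbin/nologin acme
set -eu

# setup_layout DIR: create DIR and the files the script needs. The two files
# holding secrets (account key, config with the DNS update key) get mode 600;
# the CSR is public data. File contents here are empty placeholders, not keys.
setup_layout() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"
    (
        umask 077                      # new files are owner-only from the start
        : > "$dir/account.key"         # ACME account private key (secret)
        : > "$dir/config.ini"          # contains the TSIG/dynamic DNS secret
        : > "$dir/domain.csr"          # signing request: no private material
    )
    chmod 644 "$dir/domain.csr"
    # Only root can hand the files to the service user; skip silently otherwise.
    if [ "$(id -u)" -eq 0 ] && id acme >/dev/null 2>&1; then
        chown -R acme:acme "$dir"
    fi
}

# mode_tail PATH: the group and other permission bits as shown by `ls -l`
# (columns 5-10), which reads the same on Linux and BSD userlands.
mode_tail() {
    ls -ld "$1" | cut -c5-10
}

# check_perms DIR: return non-zero, naming each problem, if a secret is
# readable by group or others, the directory is open, or a private key other
# than account.key sits where the script's user could read it.
check_perms() {
    dir=$1
    rc=0
    for f in "$dir/account.key" "$dir/config.ini"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1
        elif [ "$(mode_tail "$f")" != "------" ]; then
            echo "secret readable by group/others: $f"; rc=1
        fi
    done
    if [ "$(mode_tail "$dir")" != "------" ]; then
        echo "directory open to group/others: $dir"; rc=1
    fi
    for k in "$dir"/*.key; do
        case "$k" in
            */account.key) ;;           # the one private key that belongs here
            *)
                if [ -e "$k" ]; then    # the domain key must never live here
                    echo "domain key exposed: $k"; rc=1
                fi
                ;;
        esac
    done
    return "$rc"
}

# Example cron entry for the service user (hypothetical path; renew.sh is the
# wrapper "written in your preferred language" that the README leaves to you):
#   0 3 1 * *  /var/lib/acme/renew.sh
if [ -n "${1:-}" ]; then
    setup_layout "$1"
    check_perms "$1" && echo "layout ok: $1"
fi
```

Run it as `sh setup.sh /var/lib/acme` once as root to create the layout, then keep `check_perms` in the wrapper the cron job runs so that a later `chmod` or a stray `domain.key` fails the renewal loudly instead of silently widening what the script's user can read.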

## Feedback/Contributing

This project has a very, very limited scope and codebase. The project is happy
to receive bug reports and pull requests, but please don't add any new features.
This script must stay under ~250 lines of code to ensure it can be easily
audited by anyone who wants to run it.

If you want to add features for your own setup to make things easier for you,
please do! It's open source, so feel free to fork it and modify as necessary.