A tiny script to issue and renew TLS certs from Let's Encrypt via DNS challenge
Switch branches/tags
Nothing to show
Clone or download
Pull request Compare This branch is 39 commits ahead, 1 commit behind diafygi:master.
nuxi Add hidden cli args to match upstream
* Allow --disable-check as an alias for --skip
* Allow --directory-url as an alias for --ca
Latest commit 87ac173 Jun 14, 2018



This is a tiny, auditable script that you can throw on your server to issue and renew Let's Encrypt certificates. Since it has to be run on your server and have access to your private Let's Encrypt account key, I tried to make it as tiny as possible (currently less than 300 lines). The only prerequisites are python and openssl.


This is a fork of the original acme-tiny converted to use dns-01 instead of http-01 for verification.


If this script is useful to you, please donate to the EFF. I don't work there, but they do fantastic work.


How to use this script

If you already have a Let's Encrypt issued certificate and just want to renew, you should only have to do Steps 3 and 4.

Step 1: Create a Let's Encrypt account private key (if you haven't already)

You must have a public key registered with Let's Encrypt and sign your requests with the corresponding private key. If you don't understand what I just said, this script likely isn't for you! Please use the official Let's Encrypt client. To accomplish this you need to initially create a key, that can be used by acme-tiny, to register an account for you and sign all following requests.

openssl genrsa 4096 > account.key

Use existing Let's Encrypt key

Alternatively you can convert your key, previously generated by the original Let's Encrypt client.

The private account key from the Let's Encrypt client is saved in the JWK format. acme-tiny is using the PEM key format. To convert the key, you can use the tool conversion script by JonLundy:

# Download the script
wget -O conv.py https://gist.githubusercontent.com/JonLundy/f25c99ee0770e19dc595/raw/6035c1c8938fae85810de6aad1ecf6e2db663e26/conv.py

# Copy your private key to your working directory
cp /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/<id>/private_key.json private_key.json

# Create a DER encoded private key
openssl asn1parse -noout -out private_key.der -genconf <(python conv.py private_key.json)

# Convert to PEM
openssl rsa -in private_key.der -inform der > account.key

Step 2: Create a certificate signing request (CSR) for your domains.

The ACME protocol (what Let's Encrypt uses) requires a CSR file to be submitted to it, even for renewals. You can use the same CSR for multiple renewals. NOTE: you can't use your account private key as your domain private key!

# Generate a domain private key (if you haven't already)
openssl genrsa 2048 > domain.key
# For a single domain
openssl req -new -sha256 -key domain.key -subj "/CN=yoursite.com" > domain.csr
# For multiple domains (use this one if you want both www.yoursite.com and yoursite.com)
# note: openssl makes adding SANs painful....
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr

Step 3: Get a signed certificate!

Now that you have setup your server and generated all the needed files, run this script on your server with the permissions needed to write to the above folder and read your private account key and CSR.

# Run the script on your server
python acme_tiny.py --account-key ./account.key --csr ./domain.csr > ./signed_chain.crt

The script will output the necessary DNS records and wait for you to confirm that you've updated your DNS records before continuing to validation. The script will verify that the DNS records are updated before asking LE to verify them. If the script does not have access to your DNS server for some reason you can pass --skip in order to skip that check

Step 4: Install the certificate

The signed https certificate chain that is output by this script can be used along with your private key to run an https server. You need to include them in the https settings in your web server's configuration.

The tool will output your server certificate followed by the LE intermediate certificatte. Some programs take them together other programs take them in a combined file.


This project has a very, very limited scope and codebase. I'm happy to receive bug reports and pull requests, but please don't add any new features. This script must stay under 300 lines of code to ensure it can be easily audited by anyone who wants to run it.

If you want to add features for your own setup to make things easier for you, please do! It's open source, so feel free to fork it and modify as necessary.