ACME protocol client for SSL certificates
CoffeeScript JavaScript
Latest commit 574bd4a Dec 23, 2015 themadcreator Update version to 0.2.4
Failed to load latest commit information.
certs Update readme and slightly change logging output. Dec 22, 2015
LICENSE Update readme and slightly change logging output. Dec 22, 2015
package.json Update version to 0.2.4 Dec 22, 2015


Automatic Certificate Management Environment (ACME) protocol client for acquiring free SSL certificates. is a gratis, open source community sponsored service that implements the ACME protocol. This script will allow you to create a signed SSL certificate, suitable to secure your server with HTTPS, using or any other certificate authority that supports the ACME protocol.


  npm install -g acme-express


  Usage: acme-express --account account.pem --csr csr.der --domain ${DOMAIN} --ca letsencrypt-beta


    -h, --help                                           output usage information
    --account <account.pem>                              Account private key PEM file
    --csr <csr.der>                                      Certificate Signing Request file in DER encoding
    --dom <domain>                                       The domain for which we are requesting a certificate. e.g. ""
    --ca <URL|"letsencrypt-beta"|"letsencrypt-staging">  Certificate authority URL running ACME protocol. Default "letsencrypt-staging"
    --agreement <URL|"letsencrypt-1.0.1">                The certificate agreement URL. Default "letsencrypt-1.0.1"
    --log <debug|info|warn|error>                        Set the log level (logs always use STDERR). Default "info"
    --cross-signed                                       Print's cross-signed x1 cert to STDOUT

How to Use

  1. Register a domain and point your DNS at your server.
  2. From that server, use this script to verify that you control the domain and acquire a signed certficate.

Sign a Cert

  # Set your domain

  # Create domain key and DER encoded Certificate Signing request
  openssl genrsa 4096 > domain.pem
  openssl req -new -sha256 -key domain.pem -subj "/CN=${DOMAIN}" -outform DER > csr.der

  # Create account key and get to sign your cert
  openssl genrsa 4096 > account.pem
  sudo acme-express --account account.pem --csr csr.der --dom "${DOMAIN}" --ca letsencrypt-beta > ${DOMAIN}.pem

  # (Optional) Examine your new certificate
  openssl x509 -in ${DOMAIN}.pem -text

Why Sudo?

To verify ownership of the domain, we use the simple HTTP challenge/response method. This script will briefly host a Node.js HTTP server on port 80 (which requires admin access). The challenge token is served at the well-defined challenge/response URL so that the certificate authority can request it.

See the "challengeResponse" method in src/

Create an HTTPS Server

Here is an example Node.js express server using a certificate produced by this script:

  let fs      = require('fs');
  let http    = require('http');
  let https   = require('https');
  let express = require('express');
  let app     = express();
  let domain  = '';

  // Load the HTTPS credentials
  let credentials = {
    key  : fs.readFileSync('domain.pem'),
    cert : fs.readFileSync(domain + '.pem'),

    // If you want to get an 'A' on your ssllabs report card, you need to
    // include the cross-signed cert from Download it
    // directly from at the following URL:
    ca   : [fs.readFileSync('lets-encrypt-x1-cross-signed.pem')]

  // Create an HTTPS server with your express app
  https.createServer(credentials, app).listen(443, function() {
    console.log('Listening on HTTPS');

  // (Optional) Create a simple server to redirect all HTTP traffic to HTTPS
  http.createServer(function (req, res) {
    let code = (req.method === 'POST') ? 307 : 302;
    res.writeHead(code, {'Location' : 'https://' + domain + req.url});
  }).listen(80, function() {
    console.log('Redirecting HTTP to HTTPS');