Live: https://acme.htools.work/
This is a fork of dvtirol/serles-acme, modified to issue certificates for use with DANE (on Handshake domains).
- Use with any ACME client (certbot, etc.)
- Generate certificates for Handshake domains
- New CA keys are generated (and destroyed) while signing every certificate
Requests are flexible and options are passed by appending keywords to the email address:
+email- opt into receiving emails with TLSA records after every cert issue.+nohip17- opt out of HIP-17 (Stateless DANE) extensions+longttl- request for long-lived certificates (1 year) - only applies if no HIP-17
Options can be combined. Example:
myvalidaddress+email+longttl+nohip17@gmail.com- get emails and long-lived certs without HIP-17 extensions
Use an ACME client like you would for any regular website, along with a new arg --server:
sudo certbot --nginx -d your_tld.or_sld --server https://acme.htools.work/directory --reuse-keyCheck out the original project this is forked from: dvtirol/serles-acme
Clone the project:
git clone https://github.com/htools-org/htools-dane-ca
cd htools-dane-caSet up a virtual env with venv or pyenv and activate it.
Then install dependencies:
pip install serles-acmeCreate a config file from the example:
cp config.ini.example config.ini
# and then fill in values as needed.Finally, tart the server with:
CONFIG=./config.ini python -m serlesAny client can connect to it now:
# either edit values in this script, or run certbot as usual
./examples-clients/certbot.shFor any support/help, feel free to join Handshake's Telegram or Discord groups and we'll do our best to find out what's wrong.
If there's any problem with the code or have suggestions, create a new issue.
Thanks to
- @dvtirol for dvtirol/serles-acme this project is forked from (backend modularity was very useful!)
- @brandondees for the idea of using CA this way
- @buffrr for advice on certificates