AcmeHelper is the simplest and easiest way to get started with and automate wildcard certificates from Let's Encrypt and other ACME-compliant issuers.
We built it for ourselves after we couldn't find an easy, safe, reliable and fully automated way to answer DNS challenges.
Before issuing a wildcard certificate over ACME, the certificate issuer (Let's Encrypt being the most common one) verifies through a series of challenges that the certificate requester controls (owns) the domain in question.
By delegating only the _acme-challenge record to us, you delegate the responsibility of answering these challenges without allowing access to other domain records. This means that any script or software you might use to automate the certificate renewal process cannot access the rest of your DNS entries and, whether maliciously or by mistake, take down unrelated parts of your domain such as DNS servers, email, web addresses and so on.
We will perform a quick validation of the CNAME record setup and add the domain to the list of your domains we're handling ACME challenges for.
Since the whole point of using our service is automation - otherwise you could answer the challenges manually by altering your DNS entry every single time you renew your certificates - it is time to set up this automated process.
With our automatically generated script, certificate generation and renewal for all your domains will work out of the box.
The certificates will be generated and stored on your server(s) using open source clients. We neither have access to nor handle in any way the actual certificates and keys.
Note: 'one domain' means a domain associated with a wildcard certificate, i.e. *.example.com and *.dev.example.com are two different domains.
A wildcard certificate is a certificate that secures a domain and all direct subdomains. For instance, *.example.com will secure example.com, www.example.com, test.example.com, whatever.example.com and so on. It will not be accepted for www.test.example.com, as it is not a direct subdomain.
If you have multiple subdomains that are either outside of your direct servers control - a common scenario is using a content delivery network with a vanity domain name like cdn.example.com - or spin up multiple subdomains, like we do as part of web development process.
A registrar API allows full control over the domain, and more than once we ended up with a broken zone ourselves. It is much more secure and less error-prone to delegate just the ACME challenge entry: if something goes wrong, the challenge will fail while the rest of the domain remains untouched.
If you can register a domain and point it to a web server IP address, you know more than enough to use our service. Adding a CNAME record is a straightforward process, and once it is completed we'll take it from there.
Of course we do. In fact, AcmeHelper was initially built for internal use. We couldn't find a solution that would satisfy our concerns regarding the safety of DNS-altering operations as well as automating everything with a "set and forget" solution.
It used to be very expensive and out of reach for small companies and individuals. Nowadays Let's Encrypt offers free wildcard certificates, but the only accepted challenge mode is DNS based. That's how AcmeHelper was born, as a solution that will work with Let's Encrypt.
You can, but we really don't see the point. Using HTTP challenges is much more suitable for single-host certificates.
We only offer annual plans for now. If there is enough demand we will add month-to-month subscriptions, but they will be at higher rates; the current prices hardly cover the payment processor fee as a monthly recurring payment.
AcmeHelper servers will respond to DNS challenges. The script running on your server will instruct our DNS server what to respond, and we will do just that using DNS records allocated to your domain.
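The delegation of the _acme-challenge record and the challenge response described above, as an added example that is not AcmeHelper's own code: it simulates the issuer's lookup following the CNAME into a delegated zone and shows that publishing the challenge leaves the customer zone untouched. The delegation target name, token and thumbprint are constructed placeholders; the TXT value formula is the one from RFC 8555 section 8.4.

```python
import base64, copy, hashlib

def dns01_txt_value(token: str, thumbprint: str) -> str:
    # RFC 8555 section 8.4: base64url(SHA-256(token "." account-key thumbprint)), unpadded
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def challenge_name(identifier: str) -> str:
    # A wildcard order is validated at the base name:
    # *.example.com -> _acme-challenge.example.com
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}".lower()

def resolve_txt(records: dict, name: str, max_hops: int = 8):
    # Follow CNAMEs the way the issuer's resolver does; return (owner, TXT values).
    seen = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        rrsets = records.get(name, {})
        if "CNAME" not in rrsets:
            return name, rrsets.get("TXT", [])
        name = rrsets["CNAME"][0].rstrip(".").lower()
    raise ValueError("CNAME loop or chain too long")

def issuer_accepts(records, identifier, token, thumbprint) -> bool:
    _, txts = resolve_txt(records, challenge_name(identifier))
    return dns01_txt_value(token, thumbprint) in txts

# Constructed sample data (hypothetical names, documentation IP addresses).
TARGET = "example-com.challenge-target.example"  # placeholder delegation target
CUSTOMER_ZONE = {
    "example.com": {"A": ["192.0.2.10"], "MX": ["10 mail.example.com."]},
    "_acme-challenge.example.com": {"CNAME": [TARGET + "."]},
}
DELEGATED_ZONE = {TARGET: {"TXT": []}}  # the only data the renewal script can write

def publish(delegated_zone: dict, value: str) -> None:
    # The renewal script's update touches the delegated zone only.
    delegated_zone[TARGET]["TXT"] = [value]

def demo():
    token, thumb = "constructed-token", "constructed-thumbprint"
    before = copy.deepcopy(CUSTOMER_ZONE)
    delegated = copy.deepcopy(DELEGATED_ZONE)
    world = lambda: {**CUSTOMER_ZONE, **delegated}
    first = issuer_accepts(world(), "*.example.com", token, thumb)
    publish(delegated, dns01_txt_value(token, thumb))
    second = issuer_accepts(world(), "*.example.com", token, thumb)
    return first, second, CUSTOMER_ZONE == before

if __name__ == "__main__":
    print(demo())
```

The same `resolve_txt` walk is a useful pre-flight check before ordering: if it never leaves your own zone, the CNAME delegation is not in place.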
Absolutely not. You can set the same challenge records directly on your DNS server (or DNS control panel if using your registrar/hosting provider DNS servers). We just made this a lot easier, less error-prone and automated.
The cron script is meant to be run daily. With the default settings, when the certificate has 30 days or less of validity left, a new one is automatically requested.
With the default settings, the renewal process starts at the 30-day mark. We feel that a whole month is more than enough time for a network connection problem, an issue with our servers or any other kind of error to be solved.
We provide a simple REST API call to set the DNS records. You can use whatever client system you want with our services as long as it is able to make a simple POST request with an authorization header.