ZoeyVid / NPMplus

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://hub.docker.com/r/zoeyvid/npmplus
MIT License
456 stars 17 forks

add acme.sh #585

Open ados8 opened 8 months ago

ados8 commented 8 months ago

Discovered your app on the Unraid store. The features are great, with many people after Crowdsec options. One thing I was hoping for was manual DNS/ACME challenges. Other proxies offer the option to manually complete a DNS challenge over HTTP with TXT records added to the domain. This is the only option for people that have a DNS provider without API support. Sadly NGINX has never added this function and only works with API. I currently use a certificates.sh script to make the 3-month certificate renewals myself. However, this is complex for the average person, so I think adding this feature would help many.

What I can provide to help if implemented: the acme.sh script requires 2 command strings to be sent; I have some examples below. In this example the requests are for wildcards, and we can assume that otherwise you just use normal Letsencrypt.

Prep

Before acme.sh can be used it must be installed. NPM docker images don't contain the acme.sh component, so I had to install it manually in the docker:

curl https://get.acme.sh | sh

Once installed it's not registered, and this must be done or it won't run. This is done through the register command:

/path/acme.sh --register-account -m email@domain.com

Stage 1

Requesting the domain and setting manual mode. Note I'm using variables, so take that into consideration.

$ACME_LOCATION --issue --dns -d $DOMAIN -d "*.$DOMAIN" --yes-I-know-dns-manual-mode-enough-go-ahead-please --home $CERTS --log $LOG_PATH

$ACME_LOCATION is the path to the acme.sh script.
$DOMAIN is the domain to renew, i.e. domain.com.
"*.$DOMAIN" is setting the wildcard; you must have both, and the wildcard second. This is due to the folder it makes, which can't be adjusted and can't have a *, or the folder isn't created and it fails.
--yes-I-know-dns-manual-mode-enough-go-ahead-please tells the acme.sh script manual mode, i.e. TXT records.
--home $CERTS is the location you want the acme.sh setting files and certificates to be stored. For the docker I would have it go into the appdata folder somewhere.
--log $LOG_PATH is a location for the acme.sh log output for debugging any issues.

Now this is the tricky part: stage one will run and show 2 TXT records to be added to _acme-challenge.domain.com. If using a script, you need to pause and wait for the user to add them, or it will continue and fail, not finding the records. If it doesn't find them on the next run it should present the same TXT values if the --home is set and it sees its past settings. The only way I can think for this to work is if NPM gets feedback from the script and passes that to the user. This could be presented to them in text fields, and they copy the 2 fields and put them in their domain. They could then click a button telling NPM to proceed and run stage 2.

Stage 2

When the renewal happens. Basically no action needed; the acme.sh script completes if there are no issues.

$ACME_LOCATION --renew -d $DOMAIN --yes-I-know-dns-manual-mode-enough-go-ahead-please --home $CERTS

The script will have put the certificate at the /home location/domain.com/. These will be in .cer and .key form, which NPM supports importing.
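A POSIX shell sketch of the two-stage flow described in the post above, added here as an example; it is not code from the issue, from the certificates.sh script mentioned, or from NPMplus. It builds the two acme.sh command lines (base domain first, wildcard second, as the post requires), extracts the TXT records from a saved stage-1 log so they can be shown to the user, and refuses to proceed to stage 2 until every value is visible in DNS. The "Domain: '...'" / "TXT value: '...'" line shape is an assumption about acme.sh's manual-mode output, the sample log and the published-record file are constructed, and lookup_txt reads that file instead of querying DNS so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the issue or NPMplus): gate acme.sh stage 2 on the
# manual-mode TXT records actually being published.

ACME_LOCATION="${ACME_LOCATION:-/root/.acme.sh/acme.sh}"   # assumed default path
CERTS="${CERTS:-/config/acme}"                               # assumed --home location
LOG_PATH="${LOG_PATH:-/config/acme/acme.log}"                # assumed --log location

# Stage 1: acme.sh names its output folder after the first -d, and "*" is not a
# valid folder name, so the bare domain must come first and the wildcard second.
stage1_cmd() {
    printf '%s --issue --dns -d %s -d "*.%s" --yes-I-know-dns-manual-mode-enough-go-ahead-please --home %s --log %s' \
        "$ACME_LOCATION" "$1" "$1" "$CERTS" "$LOG_PATH"
}

# Stage 2: re-run once the operator confirms the records are in place.
stage2_cmd() {
    printf '%s --renew -d %s --yes-I-know-dns-manual-mode-enough-go-ahead-please --home %s' \
        "$ACME_LOCATION" "$1" "$CERTS"
}

# Print "name value" pairs from a saved stage-1 log. Assumes acme.sh prints
# "Domain: '<name>'" followed by "TXT value: '<value>'" for each record.
extract_txt_records() {
    awk -F"'" '
        /Domain: /    { name = $2 }
        /TXT value: / { print name, $2 }
    ' "$1"
}

# Resolver hook. In production replace the body with:
#   dig +short TXT "$1" | tr -d '"'
# Here it reads constructed answers from $PUBLISHED_FILE so the demo is offline.
lookup_txt() {
    awk -v n="$1" '$1 == n { print $2 }' "$PUBLISHED_FILE"
}

# Return 0 when every TXT value from the stage-1 log is visible via lookup_txt,
# 1 otherwise (the missing records are listed on stderr for the UI to show).
records_published() {
    missing=$(extract_txt_records "$1" | while read -r name value; do
        lookup_txt "$name" | grep -qxF -- "$value" || echo "$name $value"
    done)
    if [ -n "$missing" ]; then
        printf 'TXT records not yet visible in DNS:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# --- constructed demo data -------------------------------------------------
DEMO_DIR="${TMPDIR:-/tmp}/npmplus-acme-demo.$$"
mkdir -p "$DEMO_DIR"
DEMO_LOG="$DEMO_DIR/stage1.log"
PUBLISHED_FILE="$DEMO_DIR/published.txt"

# Constructed stage-1 output; timestamps and token values are invented.
cat > "$DEMO_LOG" <<'EOF'
[Mon Jan 1 00:00:00 UTC 2024] Add the following TXT record:
[Mon Jan 1 00:00:00 UTC 2024] Domain: '_acme-challenge.example.com'
[Mon Jan 1 00:00:00 UTC 2024] TXT value: 'AbCdEf0123456789-first-token'
[Mon Jan 1 00:00:00 UTC 2024] Add the following TXT record:
[Mon Jan 1 00:00:00 UTC 2024] Domain: '_acme-challenge.example.com'
[Mon Jan 1 00:00:00 UTC 2024] TXT value: 'ZyXwVu9876543210-second-token'
[Mon Jan 1 00:00:00 UTC 2024] Please add the TXT records to the domains, and re-run with --renew.
EOF

# Constructed zone state: the operator has published only the first record so far.
printf '%s %s\n' _acme-challenge.example.com AbCdEf0123456789-first-token > "$PUBLISHED_FILE"

echo "Would run: $(stage1_cmd example.com)"
echo "Records to show the user:"
extract_txt_records "$DEMO_LOG"
if records_published "$DEMO_LOG"; then
    echo "Would run: $(stage2_cmd example.com)"
else
    echo "Waiting for the user to add the missing records before stage 2."
fi
```

The wildcard request yields two TXT values under the same _acme-challenge name, so the check matches each value individually rather than assuming one record per name; a UI built on this would display the output of extract_txt_records and only enable its "proceed" button once records_published succeeds.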

Zoey2936 commented 8 months ago

I will try to move from certbot to acme.sh for new certificates in the future. I will then also allow manual dns. But I'm not sure how well manual dns will work, but let's see then.

Zoey2936 commented 6 months ago

see #731