acmeserver
====

Runs a daemon to manage a set of SSL certificates using the ACME protocol.

There are many similar tools, so why another one? Well, we need a few unique features:

* custom output code for certificates and private keys, so we can write them to [replds](https://git.autistici.org/ai3/replds) and have them replicated to all front-ends;
* support for our DNS setup for *dns-01* challenges, by sending RFC 2136 updates to all DNS servers in parallel.

For the rest it's a fairly common ACME automation tool: it supports the *http-01* and *dns-01* challenges (no *tls-sni-01*, because the tool is meant to be run behind an HTTPS proxy and so can't directly control the serving certificates).

Since this is a particularly critical piece of software, a few extra cautions are necessary in its development:

* do not implement any ACME-specific code, but use a well-maintained library instead (like [golang.org/x/crypto/acme](https://golang.org/x/crypto/acme));
* try to be robust against ACME high-level protocol changes by keeping this tool replaceable with *certbot* and a bunch of shell scripts. In particular we can do this by:
  * keeping a directory structure for the output that's compatible with certbot;
  * having a way to independently push content to replds (which we do, by way of the *replds* command itself).

So the advantage of *acmeserver* becomes just the integration between the various components in a single package / binary (and monitoring, etc).
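The *dns-01* challenge mentioned above requires publishing a specific TXT record before the ACME server will validate the domain; the RFC 2136 update is only the last step, and the value it carries is derived from the account key and the challenge token. The following standalone Go program, written as an added illustration rather than code from acmeserver or from `golang.org/x/crypto/acme`, computes that value with the standard library only: the RFC 7638 JWK thumbprint of an RSA account key, the RFC 8555 key authorization (`token "." thumbprint`), and the TXT record value `base64url(SHA-256(keyAuthorization))`. The token and domain are constructed sample values, and the account key is generated freshly on each run.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64url encodes bytes as base64url without padding, as JOSE and ACME require.
func b64url(b []byte) string {
	return base64.RawURLEncoding.EncodeToString(b)
}

// RSAThumbprint computes the RFC 7638 JWK thumbprint of an RSA public key:
// SHA-256 over the canonical JSON {"e":..,"kty":"RSA","n":..} with the
// required members in lexicographic order and no whitespace. Field order in
// the struct below fixes the member order in the encoded JSON.
func RSAThumbprint(pub *rsa.PublicKey) (string, error) {
	jwk := struct {
		E   string `json:"e"`
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{
		E:   b64url(big.NewInt(int64(pub.E)).Bytes()), // 65537 -> "AQAB"
		Kty: "RSA",
		N:   b64url(pub.N.Bytes()),
	}
	canon, err := json.Marshal(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return b64url(sum[:]), nil
}

// KeyAuthorization builds the RFC 8555 section 8.1 key authorization string
// that ties a challenge token to the account key.
func KeyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// DNS01TXTValue is the value to publish in the _acme-challenge TXT record:
// base64url(SHA-256(keyAuthorization)), per RFC 8555 section 8.4.
func DNS01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64url(sum[:])
}

// DNS01RecordName returns the fully qualified owner name of the TXT record
// for the domain being validated.
func DNS01RecordName(domain string) string {
	return "_acme-challenge." + domain + "."
}

func main() {
	// Hypothetical ACME account key; a real deployment loads the persistent one.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	thumb, err := RSAThumbprint(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	// Constructed sample token and domain (the token would come from the
	// challenge object returned by the ACME server).
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	keyAuth := KeyAuthorization(token, thumb)
	fmt.Printf("%s IN TXT %q\n", DNS01RecordName("example.org"), DNS01TXTValue(keyAuth))
}
```

The printed line is exactly the record that the RFC 2136 update must add on every authoritative server before the challenge is triggered, which is why sending the update to all servers in parallel and waiting for every one to acknowledge matters: if the ACME server queries a nameserver that has not received the record yet, the validation fails.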