Acmebot issues and renews free certificates from Let's Encrypt and other ACME CAs — DNS-01 validation, wildcard support, ARI-aware renewal scheduling, and Azure Key Vault private key storage.
Reduce expiry risk, retire one-off renewal scripts, and keep certificate work inside Azure-native security and monitoring.
Key Vault generates or reuses the private key, and Acmebot merges the ACME-issued chain back into the same certificate.
Each managed certificate keeps its own renewal state, next check time, CA-guided timing when available, and fallback behavior.
Use the dashboard for daily work, the HTTP API for integrations, and the CLI for repeatable automation.
Cover zone apex, wildcard, and multi-SAN certificates across multiple DNS zones and providers from one deployment.
Send operation results to Slack, Microsoft Teams, Logic Apps, Power Automate, or your own webhook endpoint.
Start with Let's Encrypt, or use GlobalSign, Google Trust Services, SSL.com, ZeroSSL, or a custom ACME v2 endpoint.
v5 focuses on making adoption safer for existing deployments and easier to operate after the first certificate is issued.
Migrate from v4 while keeping existing Key Vault certificates, DNS provider settings, managed identity, and monitoring resources.
Issue, renew, revoke, and track operations through the same model whether you use the dashboard, HTTP API, CLI, or scheduled renewal.
Protect the dashboard with authentication and app roles, scope Azure access with managed identity, and monitor with telemetry and webhooks.
Acmebot owns issuance and renewal; each Azure service consumes the current Key Vault certificate through its supported pattern.
Use the DNS provider you already run, or connect Acmebot to your own DNS automation API.
Need another provider? The Custom DNS provider can connect Acmebot to your own DNS automation API.
Use a verified ACME v2 endpoint, choose a CA with EAB, or point Acmebot at your own ACME directory URL.
Common default for public certificates. No external account binding credentials are required.
Commercial CA option for automated certificate issuance through ACME.
Google public CA endpoint for ACME-issued certificates.
Commercial CA endpoint for 90-day certificates through ACME.
ACME CA option for teams that already use ZeroSSL accounts.
Start with the Azure Public template, then connect DNS permissions and dashboard authentication for your environment.
Provision the Function App, storage, monitoring resources, application settings, and optional Key Vault for a new Acmebot environment.
Also available from the Terraform Registry
A small amount of Azure setup gives your team an automated certificate path it can keep using.
Deploy the v5 template and choose the ACME endpoint, managed identity, Key Vault, and monitoring settings.
Grant the selected identity or provider credential permission to create and delete DNS-01 TXT records.
Use the dashboard to issue a certificate, confirm the Key Vault version, and let scheduled renewals take over.
Thank you to the organizations and individuals who support Acmebot development.
Interested in supporting the project?
Become a SponsorApache License 2.0 — open source and free to use.