Guide
Acmebot automates ACME SSL/TLS certificate issuance and renewal for Microsoft Azure. It runs as an Azure Functions app, validates domain ownership with DNS-01 challenges, and stores issued certificates in Azure Key Vault.
Use this guide when you want to deploy Acmebot, connect a DNS provider, issue certificates from the dashboard, and operate renewals safely over time.
What Acmebot Does
- Registers and maintains an ACME account for the configured certificate authority.
- Creates ACME orders for zone apex, wildcard, and multi-domain certificates.
- Creates and removes DNS-01 TXT records through one or more configured DNS providers.
- Creates certificate requests in Azure Key Vault and merges the issued certificate chain back into the same Key Vault certificate.
- Tracks managed certificates with Key Vault tags so scheduled renewals can find them later.
- Sends optional webhook notifications for successful and failed certificate operations.
Runtime Workflow
- A user or scheduled renewal starts a certificate operation.
- Acmebot finds the DNS zone that matches each requested DNS name.
- Acmebot creates an ACME order and prepares DNS-01 challenges.
- The configured DNS provider receives the `_acme-challenge` TXT records.
- Acmebot waits for provider-specific propagation and verifies the TXT records through DNS queries.
- The ACME order is finalized with a CSR generated by Key Vault.
- The issued certificate is merged into Key Vault and tagged with Acmebot metadata.
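The DNS-01 steps above (zone matching, record naming and the TXT value the CA checks) are shown below as an added worked example. This is not code from the Acmebot project; it follows the RFC 8555 key-authorization construction and a longest-suffix zone match. The zone names, tokens and account-key thumbprint are constructed values.

```python
"""Worked example of the DNS-01 steps in the workflow above.

Added example, not Acmebot's own code. Zones, tokens and the account key
thumbprint are constructed; real ACME tokens come from the order's
authorization objects and the thumbprint from the ACME account key (RFC 7638).
"""
import base64
import hashlib

# Constructed inputs: zones the DNS provider is configured for, and the DNS
# names of one multi-domain order (apex, wildcard, a subzone host, another zone).
ZONES = ["example.com", "eu.example.com", "example.net"]
NAMES = ["example.com", "*.example.com", "www.eu.example.com", "api.example.net"]
TOKENS = ["tok-apex", "tok-wild", "tok-www", "tok-api"]      # constructed, not real tokens
THUMBPRINT = "constructed-account-key-thumbprint"            # constructed placeholder


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def strip_wildcard(name: str) -> str:
    """'*.example.com' is validated at the same record as 'example.com'."""
    return name[2:] if name.startswith("*.") else name


def find_zone(name: str, zones: list[str]) -> str:
    """Pick the configured zone with the longest matching suffix.

    Raises LookupError when no zone matches, which is the failure you see when
    the DNS provider is configured but does not host the requested zone.
    """
    base = strip_wildcard(name)
    candidates = [z for z in zones if base == z or base.endswith("." + z)]
    if not candidates:
        raise LookupError(f"no configured DNS zone matches {name}")
    return max(candidates, key=len)


def challenge_record_name(name: str, zone: str) -> str:
    """Relative TXT record name inside the zone (RFC 8555 section 8.4).

    Apex and wildcard both use '_acme-challenge'; other hosts use
    '_acme-challenge.<host labels>'.
    """
    base = strip_wildcard(name)
    if base == zone:
        return "_acme-challenge"
    sub = base[: -(len(zone) + 1)]          # drop '.<zone>' suffix
    return f"_acme-challenge.{sub}"


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token + '.' + JWK thumbprint))."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def plan_records(names: list[str], zones: list[str], thumbprint: str,
                 tokens: list[str]) -> dict[str, list[str]]:
    """Map each TXT record FQDN to the values it must carry.

    Apex and wildcard of one zone share a record name, so that name needs two
    TXT values at once; a DNS provider that allows only one value per record
    cannot satisfy such an order.
    """
    plan: dict[str, list[str]] = {}
    for name, token in zip(names, tokens):
        zone = find_zone(name, zones)
        fqdn = f"{challenge_record_name(name, zone)}.{zone}"
        plan.setdefault(fqdn, []).append(dns01_txt_value(token, thumbprint))
    return plan


def verify_txt(expected: str, observed_values: list[str]) -> bool:
    """Pre-check before asking the CA to validate: the exact value must be
    visible. Stale values from earlier runs are tolerated (the CA matches any
    record), but a missing value is a hard failure, so do not proceed."""
    return expected in observed_values


if __name__ == "__main__":
    for fqdn, values in plan_records(NAMES, ZONES, THUMBPRINT, TOKENS).items():
        for value in values:
            print(f'{fqdn}. IN TXT "{value}"')
```

The pre-check in `verify_txt` mirrors the propagation step: query the authoritative or public resolvers for the record name and confirm the exact value is present before finalizing, because once the CA is told to validate, a missing or stale record fails the authorization.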
Core Concepts
Key Vault
Key Vault is the certificate store. Acmebot creates Key Vault certificate operations, lets Key Vault generate or reuse the private key, and then merges the ACME-issued certificate chain into the pending operation.
DNS Providers
Acmebot uses DNS-01 validation only. This allows wildcard certificates and works even when the protected application is not publicly reachable. You must configure at least one DNS provider before the Function App can start successfully.
Certificate Authorities
Acmebot supports ACME v2 directory endpoints. The deployment form includes common endpoints such as Let's Encrypt, ZeroSSL, Google Trust Services, SSL.com, Entrust, and GlobalSign, and it also accepts a custom ACME directory URL.
Dashboard
The dashboard is a same-origin web app served by the Function App. It calls /api/* endpoints to list certificates, list DNS zones, issue certificates, renew certificates, and revoke certificates.
Common Paths
| Goal | Start here |
|---|---|
| Deploy a new environment | Getting Started |
| Understand portal template inputs | Deployment |
| Issue, renew, or revoke a certificate | Dashboard |
| Configure Azure DNS, Cloudflare, Route 53, or another DNS provider | DNS Providers |
| Use EAB or a non-Let's Encrypt CA | Certificate Authorities |
| Monitor renewals and troubleshoot failures | Operations |
| Connect renewed certificates to Azure services | Azure Service Integration |
| Diagnose failed issuance, renewal, or service sync | Troubleshooting |
| Answer common deployment and operations questions | FAQ |
| Review every app setting | Configuration Reference |
| Integrate with the HTTP endpoints | HTTP API Reference |
Support Matrix
Azure Services
Certificates are stored in Key Vault and can be used by Azure services that support Key Vault certificates or imported PFX certificates, including:
- Azure App Service, Azure Functions, and Azure Web App for Containers.
- Azure Container Apps, including environments with a custom DNS suffix.
- Azure Front Door Standard and Premium.
- Azure Application Gateway v2.
- Azure API Management.
- Azure SignalR Service Premium.
- Virtual Machines and other workloads that can retrieve certificates from Key Vault.
DNS Providers
Built-in DNS providers include Azure DNS, Azure Private DNS, Cloudflare, Amazon Route 53, Google Cloud DNS, GoDaddy, Akamai Edge DNS, DNS Made Easy, Gandi LiveDNS, IONOS DNS, OVH, PowerDNS, Regfish, TransIP DNS, UnitedDomains, and a custom HTTP provider.
Before You Deploy
Prepare these values:
- The Azure subscription and resource group where Acmebot will run.
- The Key Vault to store certificates, or permission to create a new one.
- The DNS provider credentials or Azure managed identity permissions for your zones. Because Acmebot creates and removes records in those zones, prefer credentials scoped to only the zones it must manage.
- The ACME directory endpoint and contact email address.
- An authentication plan for the dashboard, typically App Service Authentication with Microsoft Entra ID.
Then continue with Getting Started.
After the first certificate is issued, use Azure Service Integration to connect Key Vault certificates to App Service, Front Door, Application Gateway, API Management, Container Apps, SignalR Service, or VM workloads.