Skip to content

Guide

Acmebot automates ACME SSL/TLS certificate issuance and ARI-aware renewal on Microsoft Azure. It runs as a Function App, proves domain ownership with DNS-01 challenges, and stores private keys and issued certificates in Azure Key Vault.

Use this guide to deploy Acmebot, connect DNS providers, issue certificates from the dashboard, and operate certificate-level renewals over time.

What Acmebot Does

  • Registers and maintains an ACME account for the configured certificate authority (CA).
  • Creates ACME orders for zone apex, wildcard, and multi-domain certificates.
  • Adds and removes DNS-01 TXT records through one or more configured DNS providers.
  • Requests certificates in Key Vault and merges the issued chain back into the same Key Vault certificate.
  • Tags managed certificates so each certificate can keep its own renewal state, next check time, and fallback behavior.
  • Uses ACME Renewal Information (ARI) when the CA provides it, including suggested renewal windows and Retry-After timing.
  • Sends webhook notifications for successful and failed operations when a webhook is configured.

Runtime Workflow

  1. A user or a scheduled renewal starts a certificate operation.
  2. Acmebot finds the DNS zone that matches each requested name.
  3. Acmebot creates an ACME order and prepares the DNS-01 challenges.
  4. The configured DNS provider receives the _acme-challenge TXT records.
  5. Acmebot waits for provider-specific propagation, then verifies the records by DNS query.
  6. The ACME order is finalized with a CSR generated by Key Vault.
  7. The issued certificate is merged into Key Vault and tagged with Acmebot metadata.

Core Concepts

Key Vault

Key Vault is the certificate store. Acmebot starts a Key Vault certificate operation, lets Key Vault generate or reuse the private key, and merges the ACME-issued chain into the pending operation.

DNS Providers

Acmebot uses DNS-01 validation only. This supports wildcard certificates and works even when the protected application is not publicly reachable. Configure at least one DNS provider before starting the Function App.

Certificate Authorities

Acmebot works with ACME v2 directory endpoints. The deployment form offers common endpoints such as Let's Encrypt, GlobalSign, Google Trust Services, SSL.com, and ZeroSSL, and also accepts a custom ACME directory URL.

ARI-Aware Renewal

Each managed certificate has its own renewal lifecycle. When the ACME CA provides renewal information, Acmebot follows that certificate's suggested renewal window and Retry-After timing. If renewal information is unavailable, only that certificate falls back to the configured expiry-based renewal threshold.

Dashboard

The dashboard is a same-origin web app served by the Function App. It calls the /api/* endpoints to list, issue, renew, and revoke certificates, and to list DNS zones.

Common Paths

GoalStart here
Deploy a new environmentGetting Started
Understand portal template inputsDeployment
Migrate an existing v4 deploymentMigrating from v4 to v5
Issue, renew, or revoke a certificateDashboard
Configure Azure DNS, Cloudflare, Route 53, or another DNS providerDNS Providers
Use EAB or a CA other than Let's EncryptCertificate Authorities
Monitor certificate-level renewals and troubleshoot failuresOperations
Connect renewed certificates to Azure servicesAzure Service Integration
Diagnose failed issuance, renewal, or service syncTroubleshooting
Answer common deployment and operations questionsFAQ
Get community or commercial supportSupport
Review every app settingConfiguration Reference
Integrate with the HTTP endpointsHTTP API Reference
Automate with the command lineCLI Reference

Supported Integrations

Azure Services

Certificates live in Key Vault, so Azure services that consume a Key Vault certificate or an imported PFX can use them, including:

  • Azure App Service, Azure Functions, and Web App for Containers.
  • Azure Container Apps, including environments with a custom DNS suffix.
  • Azure Front Door Standard and Premium.
  • Azure Application Gateway v2.
  • Azure API Management.
  • Azure Web PubSub Premium.
  • Azure Event Grid Namespaces.
  • Azure SignalR Service Premium.
  • Virtual Machines and other workloads that can read certificates from Key Vault.

DNS Providers

Built-in providers are Azure DNS, Azure Private DNS, Cloudflare, Amazon Route 53, Google Cloud DNS, GoDaddy, Akamai Edge DNS, DNS Made Easy, Gandi LiveDNS, IONOS DNS, OVH, PowerDNS, Regfish, TransIP DNS, UnitedDomains, and a custom HTTP provider.

Before You Deploy

Prepare these values:

  • The Azure subscription and resource group where Acmebot will run.
  • The Key Vault for storing certificates, or permission to create one.
  • DNS provider credentials, or Azure managed identity permissions for your zones.
  • The ACME directory endpoint and a contact email address.
  • A dashboard authentication plan, typically App Service Authentication with Microsoft Entra ID.

When you are ready, continue with Getting Started.

Released under the Apache License 2.0.