Guide
Acmebot automates ACME SSL/TLS certificate issuance and ARI-aware renewal on Microsoft Azure. It runs as a Function App, proves domain ownership with DNS-01 challenges, and stores private keys and issued certificates in Azure Key Vault.
Use this guide to deploy Acmebot, connect DNS providers, issue certificates from the dashboard, and operate certificate-level renewals over time.
What Acmebot Does
- Registers and maintains an ACME account for the configured certificate authority (CA).
- Creates ACME orders for zone apex, wildcard, and multi-domain certificates.
- Adds and removes DNS-01 TXT records through one or more configured DNS providers.
- Requests certificates in Key Vault and merges the issued chain back into the same Key Vault certificate.
- Tags managed certificates so each certificate can keep its own renewal state, next check time, and fallback behavior.
- Uses ACME Renewal Information (ARI) when the CA provides it, including suggested renewal windows and
Retry-Aftertiming. - Sends webhook notifications for successful and failed operations when a webhook is configured.
Runtime Workflow
- A user or a scheduled renewal starts a certificate operation.
- Acmebot finds the DNS zone that matches each requested name.
- Acmebot creates an ACME order and prepares the DNS-01 challenges.
- The configured DNS provider receives the
_acme-challengeTXT records. - Acmebot waits for provider-specific propagation, then verifies the records by DNS query.
- The ACME order is finalized with a CSR generated by Key Vault.
- The issued certificate is merged into Key Vault and tagged with Acmebot metadata.
Core Concepts
Key Vault
Key Vault is the certificate store. Acmebot starts a Key Vault certificate operation, lets Key Vault generate or reuse the private key, and merges the ACME-issued chain into the pending operation.
DNS Providers
Acmebot uses DNS-01 validation only. This supports wildcard certificates and works even when the protected application is not publicly reachable. Configure at least one DNS provider before starting the Function App.
Certificate Authorities
Acmebot works with ACME v2 directory endpoints. The deployment form offers common endpoints such as Let's Encrypt, GlobalSign, Google Trust Services, SSL.com, and ZeroSSL, and also accepts a custom ACME directory URL.
ARI-Aware Renewal
Each managed certificate has its own renewal lifecycle. When the ACME CA provides renewal information, Acmebot follows that certificate's suggested renewal window and Retry-After timing. If renewal information is unavailable, only that certificate falls back to the configured expiry-based renewal threshold.
Dashboard
The dashboard is a same-origin web app served by the Function App. It calls the /api/* endpoints to list, issue, renew, and revoke certificates, and to list DNS zones.
Common Paths
| Goal | Start here |
|---|---|
| Deploy a new environment | Getting Started |
| Understand portal template inputs | Deployment |
| Migrate an existing v4 deployment | Migrating from v4 to v5 |
| Issue, renew, or revoke a certificate | Dashboard |
| Configure Azure DNS, Cloudflare, Route 53, or another DNS provider | DNS Providers |
| Use EAB or a CA other than Let's Encrypt | Certificate Authorities |
| Monitor certificate-level renewals and troubleshoot failures | Operations |
| Connect renewed certificates to Azure services | Azure Service Integration |
| Diagnose failed issuance, renewal, or service sync | Troubleshooting |
| Answer common deployment and operations questions | FAQ |
| Get community or commercial support | Support |
| Review every app setting | Configuration Reference |
| Integrate with the HTTP endpoints | HTTP API Reference |
| Automate with the command line | CLI Reference |
Supported Integrations
Azure Services
Certificates live in Key Vault, so Azure services that consume a Key Vault certificate or an imported PFX can use them, including:
- Azure App Service, Azure Functions, and Web App for Containers.
- Azure Container Apps, including environments with a custom DNS suffix.
- Azure Front Door Standard and Premium.
- Azure Application Gateway v2.
- Azure API Management.
- Azure Web PubSub Premium.
- Azure Event Grid Namespaces.
- Azure SignalR Service Premium.
- Virtual Machines and other workloads that can read certificates from Key Vault.
DNS Providers
Built-in providers are Azure DNS, Azure Private DNS, Cloudflare, Amazon Route 53, Google Cloud DNS, GoDaddy, Akamai Edge DNS, DNS Made Easy, Gandi LiveDNS, IONOS DNS, OVH, PowerDNS, Regfish, TransIP DNS, UnitedDomains, and a custom HTTP provider.
Before You Deploy
Prepare these values:
- The Azure subscription and resource group where Acmebot will run.
- The Key Vault for storing certificates, or permission to create one.
- DNS provider credentials, or Azure managed identity permissions for your zones.
- The ACME directory endpoint and a contact email address.
- A dashboard authentication plan, typically App Service Authentication with Microsoft Entra ID.
When you are ready, continue with Getting Started.