Guide
Acmebot automates ACME SSL/TLS certificate issuance and renewal on Microsoft Azure. It runs as an Azure Functions app, proves domain ownership with DNS-01 challenges, and stores the issued certificates in Azure Key Vault.
Use this guide to deploy Acmebot, connect a DNS provider, issue certificates from the dashboard, and operate renewals safely over time.
What Acmebot Does
- Registers and maintains an ACME account for the configured certificate authority.
- Creates ACME orders for zone apex, wildcard, and multi-domain certificates.
- Adds and removes DNS-01 TXT records through one or more configured DNS providers.
- Starts a certificate request in Key Vault and merges the issued chain back into the same Key Vault certificate.
- Tags managed certificates so scheduled renewals can find them later.
- Sends optional webhook notifications for successful and failed operations.
Runtime Workflow
- A user or a scheduled renewal starts a certificate operation.
- Acmebot finds the DNS zone that matches each requested name.
- Acmebot creates an ACME order and prepares the DNS-01 challenges.
- The configured DNS provider receives the `_acme-challenge` TXT records.
- Acmebot waits for provider-specific propagation, then verifies the records by DNS query.
- The ACME order is finalized with a CSR generated by Key Vault.
- The issued certificate is merged into Key Vault and tagged with Acmebot metadata.
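The DNS-01 step of the workflow (computing the TXT value the CA expects, placing it at the `_acme-challenge` name, and polling until it is visible) can be reproduced with standard-library Python. The following is an added example for this guide, not Acmebot's own code: the account key, token and resolver are constructed sample values, and the real Acmebot performs this inside the Function App against your configured CA and DNS provider.

```python
"""
DNS-01 challenge helpers: derive the expected _acme-challenge TXT value
(RFC 8555 section 8.4) and confirm it is visible before the CA validates.
Added example for this guide; it is not Acmebot's own code. The account
key, token and resolver below are constructed for illustration only.
"""
import base64
import hashlib
import json
import time
from typing import Callable, Iterable


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Required members of a JWK thumbprint input, per key type (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """Owner name of the TXT record; a wildcard is validated at its base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def challenge_is_published(observed: Iterable[str], expected: str) -> bool:
    """True when the expected value is among the TXT strings currently served."""
    return expected in set(observed)


def wait_for_propagation(
    lookup_txt: Callable[[str], list],
    name: str,
    expected: str,
    attempts: int = 10,
    delay_seconds: float = 0.0,
) -> bool:
    """Poll lookup_txt(name) until the expected value appears or attempts run out."""
    for _ in range(attempts):
        if challenge_is_published(lookup_txt(name), expected):
            return True
        time.sleep(delay_seconds)
    return False


# --- Constructed sample data (not a real account key or CA-issued token) -------
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def make_fake_resolver(ready_after: int, value: str) -> Callable[[str], list]:
    """Simulates a zone where the record only becomes visible after N queries."""
    calls = {"n": 0}

    def lookup(name: str) -> list:
        calls["n"] += 1
        return [value] if calls["n"] >= ready_after else []

    return lookup


if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    name = challenge_record_name("*.example.com")
    ok = wait_for_propagation(make_fake_resolver(3, expected), name, expected)
    print(name, expected, "published" if ok else "not visible")
```

In a real check, replace the fake resolver with a TXT query against the zone's authoritative name servers rather than a caching resolver, since a cached empty answer is the usual reason a freshly added record "is not there yet" when the CA goes to validate it.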
Core Concepts
Key Vault
Key Vault is the certificate store. Acmebot starts a Key Vault certificate operation, lets Key Vault generate or reuse the private key, and merges the ACME-issued chain into the pending operation.
DNS Providers
Acmebot validates domain ownership with DNS-01 challenges only. That is what allows wildcard certificates and lets Acmebot work even when the protected application is not publicly reachable. At least one DNS provider must be configured, or the Function App will not start.
Certificate Authorities
Acmebot works with any ACME v2 directory endpoint. The deployment form offers common endpoints such as Let's Encrypt, ZeroSSL, Google Trust Services, SSL.com, Entrust, and GlobalSign, and also accepts a custom ACME directory URL.
Dashboard
The dashboard is a same-origin web app served by the Function App. It calls the /api/* endpoints to list, issue, renew, and revoke certificates, and to list DNS zones.
Common Paths
| Goal | Start here |
|---|---|
| Deploy a new environment | Getting Started |
| Understand portal template inputs | Deployment |
| Migrate an existing v4 deployment | Migrating from v4 to v5 |
| Issue, renew, or revoke a certificate | Dashboard |
| Configure Azure DNS, Cloudflare, Route 53, or another DNS provider | DNS Providers |
| Use EAB or a non-Let's Encrypt CA | Certificate Authorities |
| Monitor renewals and troubleshoot failures | Operations |
| Connect renewed certificates to Azure services | Azure Service Integration |
| Diagnose failed issuance, renewal, or service sync | Troubleshooting |
| Answer common deployment and operations questions | FAQ |
| Review every app setting | Configuration Reference |
| Integrate with the HTTP endpoints | HTTP API Reference |
Support Matrix
Azure Services
Certificates live in Key Vault, so any Azure service that consumes a Key Vault certificate or an imported PFX can use them, including:
- Azure App Service, Azure Functions, and Azure Web App for Containers.
- Azure Container Apps, including environments with a custom DNS suffix.
- Azure Front Door Standard and Premium.
- Azure Application Gateway v2.
- Azure API Management.
- Azure SignalR Service Premium.
- Virtual Machines and other workloads that can read certificates from Key Vault.
DNS Providers
Built-in providers are Azure DNS, Azure Private DNS, Cloudflare, Amazon Route 53, Google Cloud DNS, GoDaddy, Akamai Edge DNS, DNS Made Easy, Gandi LiveDNS, IONOS DNS, OVH, PowerDNS, Regfish, TransIP DNS, UnitedDomains, and a custom HTTP provider.
Before You Deploy
Prepare these values:
- The Azure subscription and resource group where Acmebot will run.
- The Key Vault for storing certificates, or permission to create one.
- DNS provider credentials, or Azure managed identity permissions for your zones.
- The ACME directory endpoint and a contact email address.
- A dashboard authentication plan, typically App Service Authentication with Microsoft Entra ID.
When you are ready, continue with Getting Started.