Configuration

Acmebot uses .NET configuration binding for the Acmebot section. In Azure App Service and Azure Functions app settings, nested settings are expressed with double underscores.

Example:

```text
Acmebot__Endpoint=https://acme-v02.api.letsencrypt.org/directory
```

Required Settings

| Setting | Description |
| --- | --- |
| `Acmebot__Endpoint` | ACME directory endpoint. |
| `Acmebot__Contacts` | ACME account contacts, such as mailto:admin@example.com. |
| `Acmebot__VaultBaseUrl` | Key Vault URL where certificates are stored. |
| `Acmebot__Environment` | Azure cloud name. Defaults to AzureCloud. |

General Settings

| Setting | Default | Description |
| --- | --- | --- |
| `Acmebot__Webhook` | Empty | Webhook URL for certificate operation notifications. |
| `Acmebot__PreferredChain` | Empty | Preferred issuer chain name when the ACME CA offers alternate chains. |
| `Acmebot__PreferredProfile` | Empty | Preferred ACME profile when the CA advertises profiles. |
| `Acmebot__RenewBeforeExpiry` | 30 | Number of days before certificate expiry when scheduled renewal should run. Valid range is 0 to 365. |
| `Acmebot__UseSystemNameServer` | false | Use the system DNS resolver instead of Google Public DNS for challenge verification. |
| `Acmebot__ManagedIdentityClientId` | Empty | Client ID for a user-assigned managed identity. |

Azure Environments

| Value | Cloud |
| --- | --- |
| AzureCloud | Azure Public |
| AzureChinaCloud | Azure China |
| AzureUSGovernment | Azure Government |

The selected environment controls Azure Resource Manager and identity authority hosts.

External Account Binding

Configure these settings before first ACME account registration when the selected CA requires EAB.

| Setting | Default | Description |
| --- | --- | --- |
| `Acmebot__ExternalAccountBinding__KeyId` | Empty | EAB key identifier. |
| `Acmebot__ExternalAccountBinding__HmacKey` | Empty | EAB HMAC key in base64url format. |
| `Acmebot__ExternalAccountBinding__Algorithm` | HS256 | EAB HMAC signing algorithm. Common values are HS256, HS384, and HS512. |
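How the three EAB settings feed the `externalAccountBinding` object of RFC 8555 section 7.3.4, as an added Python example (not Acmebot's own code). The key, key ID, account JWK and `ca.example` URL are constructed; the strict decoder shows why an `HmacKey` pasted as standard base64, or one that differs from the CA's copy, produces a binding the CA rejects.

```python
import base64, binascii, hashlib, hmac, json, re

# JWS MAC algorithms named on this page, mapped to their hash functions.
EAB_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding JWS uses for every field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(value: str) -> bytes:
    """Strict base64url decode: rejects the standard-base64 characters '+' and '/'."""
    body = value.rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", body):
        raise ValueError("not base64url: '+', '/' or whitespace present")
    try:
        return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except binascii.Error as exc:
        raise ValueError("not base64url: impossible length") from exc

def build_eab_jws(key_id, hmac_key, algorithm, new_account_url, account_jwk):
    """Build the externalAccountBinding object of RFC 8555 section 7.3.4."""
    if algorithm not in EAB_DIGESTS:
        raise ValueError(f"unsupported EAB algorithm: {algorithm!r}")
    key = b64url_decode(hmac_key)  # value of ...ExternalAccountBinding__HmacKey
    header = {"alg": algorithm, "kid": key_id, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())  # ACME account public key
    mac = hmac.new(key, f"{protected}.{payload}".encode(), EAB_DIGESTS[algorithm])
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def ca_accepts(jws, hmac_key) -> bool:
    """Recompute the MAC as the CA would with its own copy of the key."""
    alg = json.loads(b64url_decode(jws["protected"]))["alg"]
    signed = f'{jws["protected"]}.{jws["payload"]}'.encode()
    expected = hmac.new(b64url_decode(hmac_key), signed, EAB_DIGESTS[alg]).digest()
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))

if __name__ == "__main__":
    # Constructed sample values; none of these come from a real CA or account.
    key = b64url(bytes(range(32)))
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    jws = build_eab_jws("constructed-kid", key, "HS256", "https://ca.example/acme/new-account", jwk)
    print(json.dumps(jws, indent=2))
    print("CA accepts:", ca_accepts(jws, key))
```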

DNS Provider Settings

Configure one or more provider sections. Acmebot creates all providers whose option section is present.

Provider credentials are secrets. Use scoped provider tokens where possible, and consider App Service Key Vault references for secret values stored in Function App settings.
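A pre-deployment check for the advice above, as an added Python example (not part of Acmebot): it reads `NAME=VALUE` app settings and reports Acmebot credential settings whose value is stored in plain text rather than as an App Service Key Vault reference. The list of credential key names is taken from this page; treating all of them as secret, and the sample values, are assumptions of the example.

```python
import re

# Final key segment of the settings this page documents as credentials
# (treating every one of them as secret is this example's assumption).
SECRET_LEAVES = {
    "hmackey", "clienttoken", "clientsecret", "accesstoken", "apitoken", "apikey",
    "secretkey", "apisecret", "keyfile64", "applicationkey", "applicationsecret",
    "consumerkey", "accesskey",
}
# App Service Key Vault reference, in either the SecretUri or VaultName form.
KEYVAULT_REF = re.compile(
    r"@Microsoft\.KeyVault\((SecretUri=https://[^)\s]+"
    r"|VaultName=[^;)\s]+;SecretName=[^;)\s]+(;SecretVersion=[^;)\s]+)?)\)",
    re.IGNORECASE,
)

def parse_settings(text):
    """Parse NAME=VALUE lines (the format of this page's examples) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)  # values may themselves contain '='
            settings[name.strip()] = value.strip()
    return settings

def plaintext_secrets(settings):
    """Return Acmebot credential settings whose value is not a Key Vault reference."""
    findings = []
    for name, value in settings.items():
        parts = name.split("__")
        if parts[0].lower() != "acmebot" or parts[-1].lower() not in SECRET_LEAVES:
            continue
        if value and not KEYVAULT_REF.fullmatch(value):
            findings.append(name)
    return sorted(findings)

# Constructed sample settings; vault name, secret names and values are made up.
SAMPLE = """
Acmebot__Endpoint=https://acme-v02.api.letsencrypt.org/directory
Acmebot__Cloudflare__ApiToken=@Microsoft.KeyVault(SecretUri=https://my-vault.vault.azure.net/secrets/cf-token/)
Acmebot__GoDaddy__ApiKey=constructed-plain-key
Acmebot__GoDaddy__ApiSecret=@Microsoft.KeyVault(VaultName=my-vault;SecretName=godaddy-secret)
Acmebot__ExternalAccountBinding__KeyId=constructed-kid
Acmebot__ExternalAccountBinding__HmacKey=Y29uc3RydWN0ZWQ
"""

if __name__ == "__main__":
    for name in plaintext_secrets(parse_settings(SAMPLE)):
        print("plain-text credential:", name)
```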

Akamai Edge DNS

| Setting | Description |
| --- | --- |
| `Acmebot__Akamai__Host` | Akamai EdgeGrid API host name, without `https://`. Acmebot calls `https://<host>/config-dns/v2/`. |
| `Acmebot__Akamai__ClientToken` | EdgeGrid client token from the Akamai API client credentials. |
| `Acmebot__Akamai__ClientSecret` | EdgeGrid client secret paired with the client token. |
| `Acmebot__Akamai__AccessToken` | EdgeGrid access token for the API client. |

Azure DNS

| Setting | Description |
| --- | --- |
| `Acmebot__AzureDns__SubscriptionId` | Azure subscription ID containing the public DNS zones Acmebot manages. The Function App managed identity must have zone read and TXT record write/delete access in this subscription. |

Azure DNS uses the Function App managed identity.

Azure Private DNS

| Setting | Description |
| --- | --- |
| `Acmebot__AzurePrivateDns__SubscriptionId` | Azure subscription ID containing the private DNS zones Acmebot manages. The Function App managed identity must have private zone read and TXT record write/delete access in this subscription. |

Azure Private DNS uses the Function App managed identity.

Cloudflare

| Setting | Description |
| --- | --- |
| `Acmebot__Cloudflare__ApiToken` | Cloudflare API token sent as a bearer token. Grant Zone:Read and DNS:Edit permissions for the target zones. |

Custom DNS

| Setting | Default | Description |
| --- | --- | --- |
| `Acmebot__CustomDns__Endpoint` | Required | Base URL for the custom DNS API. The API must expose `/zones` and `/zones/{zoneId}/records/{recordName}` endpoints. |
| `Acmebot__CustomDns__ApiKey` | Required | API key sent to the custom DNS API. |
| `Acmebot__CustomDns__ApiKeyHeaderName` | X-Api-Key | HTTP header name used to send ApiKey. |
| `Acmebot__CustomDns__PropagationSeconds` | 180 | Number of seconds Acmebot waits after writing TXT records before DNS verification starts. |

DNS Made Easy

| Setting | Description |
| --- | --- |
| `Acmebot__DnsMadeEasy__ApiKey` | DNS Made Easy API key. Acmebot sends it in the x-dnsme-apiKey header. |
| `Acmebot__DnsMadeEasy__SecretKey` | DNS Made Easy secret key used to sign API requests. |

Gandi LiveDNS

| Setting | Description |
| --- | --- |
| `Acmebot__GandiLiveDns__ApiKey` | Gandi LiveDNS API key sent as a bearer token to the Gandi v5 API. |

GoDaddy

| Setting | Description |
| --- | --- |
| `Acmebot__GoDaddy__ApiKey` | GoDaddy production API key. |
| `Acmebot__GoDaddy__ApiSecret` | GoDaddy production API secret. Acmebot sends ApiKey:ApiSecret with the sso-key authentication scheme. |

Confirm the account is entitled to GoDaddy production API access if zone listing or record updates fail despite valid credentials.

Google Cloud DNS

| Setting | Description |
| --- | --- |
| `Acmebot__GoogleDns__KeyFile64` | Base64-encoded Google service account key JSON. The service account must have Cloud DNS read/write permissions for the target project and zones. |

Acmebot uses the Google Cloud DNS read/write OAuth scope and ignores private managed zones.

IONOS DNS

| Setting | Description |
| --- | --- |
| `Acmebot__IonosDns__ApiKey` | IONOS DNS API key sent in the X-API-Key header. |

OVH

| Setting | Default | Description |
| --- | --- | --- |
| `Acmebot__Ovh__Endpoint` | https://eu.api.ovh.com/1.0/ | OVH API endpoint. Use the endpoint that matches your OVH region. |
| `Acmebot__Ovh__ApplicationKey` | Required | OVH application key. |
| `Acmebot__Ovh__ApplicationSecret` | Required | OVH application secret paired with the application key. |
| `Acmebot__Ovh__ConsumerKey` | Required | OVH consumer key authorized for DNS zone record operations. |

PowerDNS

| Setting | Default | Description |
| --- | --- | --- |
| `Acmebot__PowerDns__Endpoint` | Required | Full base URL of the PowerDNS HTTP API, including `/api/v1/`, for example https://pdns.example.com/api/v1/. |
| `Acmebot__PowerDns__ApiKey` | Required | PowerDNS HTTP API key sent in the X-API-Key header. |
| `Acmebot__PowerDns__ServerId` | localhost | PowerDNS server identifier used in paths under `/servers/{serverId}`. |

Regfish

| Setting | Description |
| --- | --- |
| `Acmebot__Regfish__ApiKey` | Regfish API key sent in the x-api-key header. |

Amazon Route 53

| Setting | Description |
| --- | --- |
| `Acmebot__Route53__AccessKey` | AWS access key ID used by the Route 53 client. |
| `Acmebot__Route53__SecretKey` | AWS secret access key paired with AccessKey. |
| `Acmebot__Route53__Region` | AWS region name used to construct the SDK client. us-east-1 is a common value for Route 53. |

The credential needs permission to list hosted zones, list record sets, and change record sets in the target hosted zone.

TransIP DNS

| Setting | Description |
| --- | --- |
| `Acmebot__TransIp__CustomerName` | TransIP customer name used to request API access tokens. |
| `Acmebot__TransIp__PrivateKeyName` | Name of the Azure Key Vault key that contains the TransIP private key. Acmebot looks under `Acmebot__VaultBaseUrl` at `/keys/{PrivateKeyName}` and signs requests with that key. |

TransIP signs requests with an Azure Key Vault key under Acmebot__VaultBaseUrl.

UnitedDomains

| Setting | Description |
| --- | --- |
| `Acmebot__UnitedDomains__ApiKey` | UnitedDomains API key sent in the X-API-Key header. |

Dashboard Authorization Setting

Issue and revoke operations can optionally require Microsoft Entra app roles.

| Setting | Default | Description |
| --- | --- | --- |
| `Acmebot:AppRoleRequired` | false | When true, issue operations require Acmebot.IssueCertificate and revoke operations require Acmebot.RevokeCertificate. |

This value is read as an environment variable by the authorization helper.

Platform Settings

The deployment template also configures platform settings such as:

| Setting | Purpose |
| --- | --- |
| `AzureWebJobsStorage` | Function runtime storage and Acmebot state storage connection string. |
| `DEPLOYMENT_STORAGE_CONNECTION_STRING` | Flex Consumption package deployment storage connection string. |
| `APPLICATIONINSIGHTS_CONNECTION_STRING` | Application Insights telemetry connection string. |

Do not remove these settings from deployed Function Apps.

Complete Example

```text
Acmebot__Endpoint=https://acme-v02.api.letsencrypt.org/directory
Acmebot__Contacts=mailto:admin@example.com
Acmebot__VaultBaseUrl=https://my-vault.vault.azure.net/
Acmebot__Environment=AzureCloud
Acmebot__AzureDns__SubscriptionId=00000000-0000-0000-0000-000000000000
Acmebot__RenewBeforeExpiry=30
Acmebot__Webhook=https://example.com/webhook
```

Released under the Apache License 2.0.