ACME

Allows automatic certificate acquisition using the ACME protocol for servers defined in the stream context.

When building from source the module is not built by default; it must be enabled with the build parameter --with-stream_acme_module (also requires --with-http_acme_module). In packages and images from our repositories the module is included in the build.

Note

For correct operation, the stream block must be located after the http block. This is because the stream module uses client definitions created during HTTP configuration parsing.

Configuration Example

For configuration examples and setup instructions, see the ACME in Stream Module section.

Directives

acme

Syntax: acme name;

Default: none

Context: server

A single certificate is obtained for all domains listed in the server_name directives of every server block that references the HTTP module's ACME client with the given name; if the server_name configuration changes, the certificate is updated to reflect the changes.

On each Angie startup, new certificates are requested for all domains that lack a valid certificate. Possible reasons include certificate expiration, missing files or inability to read them, and changes in certificate settings.

Note

Currently, domains specified via regular expressions are not supported and will be skipped.

Wildcard domains are supported only in challenge=dns mode in acme_client.

This directive can be specified multiple times to load certificates of different types, for example RSA and ECDSA:

server {
    listen 12345 ssl;
    server_name example.com www.example.com;

    ssl_certificate $acme_cert_rsa;
    ssl_certificate_key $acme_cert_key_rsa;

    ssl_certificate $acme_cert_ecdsa;
    ssl_certificate_key $acme_cert_key_ecdsa;

    acme rsa;
    acme ecdsa;
}
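The complete arrangement of the two blocks, added here as an illustration rather than the page's own configuration example: the ACME client is declared in the http block and the stream block, placed after it, references the client by name. The client name, directory URL, resolver address and port numbers are assumptions.

```nginx
# Added illustration (not from the page): an http block declaring the ACME
# client, followed by a stream block that reuses it by name.
http {
    resolver 127.0.0.53;   # assumed address; the client needs DNS to reach the CA

    # client "rsa"; the directory URL is Let's Encrypt's production endpoint,
    # used here as an assumption (challenge=http is the default mode)
    acme_client rsa https://acme-v02.api.letsencrypt.org/directory;

    server {
        listen 80;
        server_name example.com www.example.com;
        acme rsa;   # HTTP-side use of the same client
    }
}

# stream must come after http: it looks up the client "rsa" that was
# created while the http block was parsed
stream {
    server {
        listen 12345 ssl;
        server_name example.com www.example.com;

        ssl_certificate     $acme_cert_rsa;
        ssl_certificate_key $acme_cert_key_rsa;

        acme rsa;   # same client name as declared in the http block
    }
}
```

The key file behind $acme_cert_key_rsa exists from startup, but $acme_cert_rsa is empty until the client has obtained its first certificate, so the stream listener only serves TLS successfully once issuance has completed.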

Embedded Variables

$acme_cert_<name>

Contents of the last certificate file (if any) obtained by the client with this name.

$acme_cert_key_<name>

Contents of the certificate key file used by the client with this name.

Note

The certificate file is available only if the ACME client has obtained at least one certificate, while the key file is available immediately after startup.