bin+lib acme-redirect

Tiny http daemon that answers acme challenges and redirects everything else to https

11 unstable releases

0.6.2 Jan 3, 2023
0.5.3 Sep 22, 2021
0.5.1 May 8, 2021
0.4.0 May 24, 2020

#747 in Network programming

Download history 2/week @ 2023-11-12 3/week @ 2023-11-19 57/week @ 2023-11-26 11/week @ 2023-12-10 1/week @ 2023-12-17 22/week @ 2023-12-24 12/week @ 2023-12-31 8/week @ 2024-01-14 9/week @ 2024-01-21 57/week @ 2024-01-28 1/week @ 2024-02-04 47/week @ 2024-02-11 312/week @ 2024-02-18

418 downloads per month

GPL-3.0 license

1.5K SLoC


A tiny http daemon that answers acme challenges and redirects everything else to https.

A minimal configuration looks like this:

# cat /etc/acme-redirect.d/example.com.conf
name = "example.com"
dns_names = [
exec = [
    "systemctl reload nginx",

You don't need to edit anything else. Start the acme-redirect daemon:

systemctl enable --now acme-redirect

Ensure the service is running correctly and the redirect works as expected. Ensure your A and AAAA records point to the right server and check everything is working correctly by fetching a random proof from our local daemon.

acme-redirect check

If OK is displayed for every name you can request a real certificates:

acme-redirect renew

If this succeeded you should setup automatic renew:

systemctl enable --now acme-redirect-renew.timer

The certificate is located here:


Example configuration looks like this:


server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /var/lib/acme-redirect/live/example.com/fullchain;
    ssl_certificate_key /var/lib/acme-redirect/live/example.com/privkey;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /var/lib/acme-redirect/live/example.com/chain;

    # ...


<VirtualHost *:443>
    SSLEngine on

    SSLCertificateFile /var/lib/acme-redirect/live/example.com/fullchain
    SSLCertificateKeyFile /var/lib/acme-redirect/live/example.com/privkey

    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=63072000"

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"


server.modules += ("mod_openssl")
$SERVER["socket"] == "" {
    ssl.engine = "enable"
    ssl.privkey= "/var/lib/acme-redirect/live/example.com/privkey"
    ssl.pemfile= "/var/lib/acme-redirect/live/example.com/fullchain"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
    #ssl.ca-file= "/var/lib/acme-redirect/live/example.com/chain" # (needed in $SERVER["socket"] before lighttpd 1.4.56 if ssl.pemfile in $HTTP["host"])


Packaging status

Arch Linux

pacman -S acme-redirect

Debian based

Currently supported: buster

apt install debian-keyring
gpg -a --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | apt-key add -
apt-key adv --keyserver keyserver.ubuntu.com --refresh-keys git@rxv.cc
echo deb https://apt.vulns.sexy stable main >> /etc/apt/sources.list.d/apt-vulns-sexy.list
apt update && apt install acme-redirect

Build from source

git clone https://github.com/kpcyrd/acme-redirect.git
cd acme-redirect/
cargo build --release

install -Dm 755 -t /usr/bin \

install -Dm 644 contrib/confs/acme-redirect.conf -t /etc
install -Dm 644 contrib/confs/certs.d/example.com.conf /etc/acme-redirect.d/example.com.conf.sample

install -Dm 644 -t /etc/systemd/system \
    contrib/systemd/acme-redirect-renew.service \
    contrib/systemd/acme-redirect-renew.timer \
install -Dm 644 contrib/systemd/acme-redirect.sysusers /etc/sysusers.d/acme-redirect.conf
install -Dm 644 contrib/systemd/acme-redirect.tmpfiles /etc/tmpfiles.d/acme-redirect.conf

sudo systemd-sysusers
sudo systemd-tmpfiles --create


I'm using this in production since summer 2020 (northern hemisphere, around May).


mkdir -vp tmp/challs
export ACME_CONFIG="$PWD/contrib/confs/acme-redirect.conf"
export ACME_CONFIG_DIR="$PWD/contrib/confs/certs.d/"
export ACME_CHALL_DIR="$PWD/tmp/"
export ACME_DATA_DIR="$PWD/tmp/"

cargo run -- status
cargo run -- daemon -B '[::]:8080' -v


acme-redirect uses setuid and chroot to drop privileges before accepting requests. This can be inspected with boxxy.

mkdir -vp tmp/web
sudo chown root. tmp/web
cargo build --examples
(cd tmp/web && sudo ../../target/debug/examples/boxxy)




~652K SLoC