Lightweight library for getting Free SSL certifications through Let's Encrypt, using the ACME protocol
Go to file
AJ ONeal bef931f28f 3.1.0 2020-07-28 16:03:07 -06:00
bin make Prettier v2 2020-07-28 15:53:50 -06:00
examples make Prettier v2 2020-07-28 15:53:50 -06:00
fixtures make prettier 2019-10-25 04:55:03 -06:00
lib make Prettier v2 2020-07-28 15:53:50 -06:00
scripts TODO 2019-10-26 00:13:48 -06:00
tests make Prettier v2 2020-07-28 15:53:50 -06:00
.gitignore merge unrelated v2 (historical) and v3 (new from scratch) 2019-10-21 15:22:07 -06:00
.jshintrc Add '.jshintrc' 2018-07-11 18:07:53 +00:00
.prettierrc make Prettier 2019-10-02 15:04:54 -06:00 merge unrelated v2 (historical) and v3 (new from scratch) 2019-10-21 15:22:07 -06:00
LICENSE ready-ish to release Bluecrypt ACME 2019-05-07 01:52:33 -06:00 Update README 2019-10-30 18:27:11 -06:00
account.js make Prettier v2 2020-07-28 15:53:50 -06:00
acme.js make Prettier v2 2020-07-28 15:53:50 -06:00
errors.js make Prettier v2 2020-07-28 15:53:50 -06:00
maintainers.js make Prettier v2 2020-07-28 15:53:50 -06:00
package-lock.json 3.1.0 2020-07-28 16:03:07 -06:00
package.json 3.1.0 2020-07-28 16:03:07 -06:00
utils.js Bugfix jwk / kid mutually exclusive 2020-07-28 16:02:45 -06:00
webpack.config.js updates 2019-10-08 14:50:53 -06:00

Let's Encrypt™ + JavaScript = ACME.js

| Built by Root for Hub

Automated Certificate Management Environment

ACME (RFC 8555) is the protocol that powers Let's Encrypt.

ACME.js is a low-level client that speaks RFC 8555 to get Free SSL certificates through Let's Encrypt.

Looking for an easy, high-level client? Check out Greenlock.js.

Quick Start

var acme = ACME.create({ maintainerEmail, packageAgent, notify });
await acme.init(directoryUrl);

// Create Let's Encrypt Account
var accountOptions = { subscriberEmail, agreeToTerms, accountKey };
var account = await acme.accounts.create(accountOptions);

// Validate Domains
var certificateOptions = { account, accountKey, csr, domains, challenges };
var pems = await acme.certificates.create(certificateOptions);

// Get SSL Certificate
var fullchain = pems.cert + '\n' + pems.chain + '\n';
await fs.promises.writeFile('fullchain.pem', fullchain, 'ascii');

Online Demo



| 15k gzipped | 55k minified | 88k (2,500 loc) source with comments |

Supports the latest (Nov 2019) release of Let's Encrypt in a small, lightweight, Vanilla JS package.

  • Let's Encrypt v2
    • ACME RFC 8555
    • November 2019
    • POST-as-GET
    • StartTLS Everywhere™ (in-progress)
  • IDN (i.e. .中国)
  • ECDSA and RSA keypairs
    • JWK
    • PEM
    • DER
    • Native Crypto in Node.js
    • WebCrypto in Browsers
  • Domain Validation Plugins
    • tls-alpn-01
    • http-01
    • dns-01
      • Wildcards
      • Localhost
      • Private Networks
    • Create your own
  • Vanilla JS*
    • No Transpiling Necessary!
    • Node.js
    • Browsers
    • WebPack
    • Zero External Dependencies
  • Commercial Support
    • Safe, Efficient, Maintained

* Although we use async/await in the examples, the codebase is written entirely in Common JS.

Use Cases

  • Home Servers
  • IoT
  • Enterprise On-Prem
  • Web Hosting
  • Cloud Services
  • Localhost Development


The public API encapsulates the three high-level steps of the ACME protocol:

  1. API Discovery
  2. Account Creation
    • Subscriber Agreement
  3. Certificate Issuance
    • Certificate Request
    • Authorization Challenges
    • Challenge Presentation
    • Certificate Redemption

API Overview

The core API can be show in just four functions:

ACME.create({ maintainerEmail, packageAgent, notify });
acme.accounts.create({ subscriberEmail, agreeToTerms, accountKey });
	customerEmail, // do not use

Helper Functions

	hostname: '',
	challenge: { type: 'dns-01', token: 'xxxx' }
Parameter Description
account an object containing the Let's Encrypt Account ID as "kid" (misnomer, not actually a key id/thumbprint)
accountKey an RSA or EC public/private keypair in JWK format
agreeToTerms set to true to agree to the Let's Encrypt Subscriber Agreement
challenges the 'http-01', 'alpn-01', and/or 'dns-01' challenge plugins (get, set, and remove callbacks) to use
csr a Certificate Signing Request (CSR), which may be generated with @root/csr, openssl, or another
customerEmail Don't use this. Given as an example to differentiate between Maintainer, Subscriber, and End-User
directoryUrl should be the Let's Encrypt Directory URL
domains the list of altnames (subject first) that are listed in the CSR and will be listed on the certificate
maintainerEmail should be a contact for the author of the code to receive critical bug and security notices
notify all callback for logging events and errors in the form function (ev, args) { ... }
packageAgent should be an RFC72321-style user-agent string to append to the ACME client (ex: mypackage/v1.1.1)
skipChallengeTests do not do a self-check that the ACME-issued challenges will pass (not recommended)
skipDryRun: false do not do a self-check with self-issued challenges (not recommended)
subscriberEmail should be a contact for the service provider to receive renewal failure notices and manage the ACME account

Maintainer vs Subscriber vs Customer

  • maintainerEmail should be the email address of the author of the code. This person will receive critical security and API change notifications.
  • subscriberEmail should be the email of the admin of the hosting service. This person agrees to the Let's Encrypt Terms of Service and will be notified when a certificate fails to renew.
  • customerEmail should be the email of individual who owns the domain. This is optional (not currently implemented).

Generally speaking YOU are the maintainer and you or your employer is the subscriber.

If you (or your employer) is running any type of service you SHOULD NOT pass the customer email as the subscriber email.

If you are not running a service (you may be building a CLI, for example), then you should prompt the user for their email address, and they are the subscriber.


These notify events are intended for logging and debugging, NOT as a data API.

Event Name Example Message
certificate_order { subject: '', altnames: ['...'], account: { key: { kid: '...' } } }
challenge_select { altname: '*', type: 'dns-01' }
challenge_status { altname: '*', type: 'dns-01', status: 'pending' }
challenge_remove { altname: '*', type: 'dns-01' }
certificate_status { subject: '', status: 'valid' }
warning { message: 'what went wrong', description: 'what action to take about it' }
error { message: 'a background process failed, and it may have side-effects' }

Note: DO NOT rely on undocumented properties. They are experimental and will break. If you have a use case for a particular property open an issue - we can lock it down and document it.

Example (Full Walkthrough)

See examples/

A basic example includes the following:

  1. Initialization
    • maintainer contact
    • package user-agent
    • log events
  2. Discover API
    • retrieves Terms of Service and API endpoints
  3. Get Subscriber Account
    • create an ECDSA (or RSA) Account key in JWK format
    • agree to terms
    • register account by the key
  4. Prepare a Certificate Signing Request
    • create a RSA (or ECDSA) Server key in PEM format
    • select domains
    • choose challenges
    • sign CSR
    • order certificate

examples/ covers all of these steps, with comments.


To make it easy to generate, encode, and decode keys and certificates, ACME.js uses Keypairs.js and CSR.js

npm install --save @root/acme
var ACME = require('@root/acme');
<meta charset="UTF-8" />

(necessary in case the webserver headers don't specify plain/text; charset="UTF-8")

var ACME = require('@root/acme');
Vanilla JS
<meta charset="UTF-8" />

(necessary in case the webserver headers don't specify plain/text; charset="UTF-8")

<script src=""></script>


<script src=""></script>


var ACME = window['@root/acme'];

Challenge Callbacks

The challenge callbacks are documented in the test suite, essentially:

function create(options) {
	var plugin = {
		init: async function(deps) {
			// for http requests
			plugin.request = deps.request;
		zones: async function(args) {
			// list zones relevant to the altnames
		set: async function(args) {
			// set TXT record
		get: async function(args) {
			// get TXT records
		remove: async function(args) {
			// remove TXT record
		// how long to wait after *all* TXT records are set
		// before presenting them for validation
		propagationDelay: 5000
	return plugin;

The http-01 plugin is similar, but without zones or propagationDelay.

Many challenge plugins are already available for popular platforms.

Search acme-http-01- or acme-dns-01- on npm to find more.

Type Service Plugin
dns-01 CloudFlare acme-dns-01-cloudflare
dns-01 Digital Ocean acme-dns-01-digitalocean
dns-01 DNSimple acme-dns-01-dnsimple
dns-01 DuckDNS acme-dns-01-duckdns
http-01 File System / Web Root acme-http-01-webroot
dns-01 GoDaddy acme-dns-01-godaddy
dns-01 Gandi acme-dns-01-gandi
dns-01 NameCheap acme-dns-01-namecheap
dns-01 acme-dns-01-namedotcom
dns-01 Route53 (AWS) acme-dns-01-route53
http-01 S3 (AWS, Digital Ocean, Scaleway) acme-http-01-s3
dns-01 Vultr acme-dns-01-vultr
dns-01 Build your own acme-dns-01-test
http-01 Build your own acme-http-01-test
tls-alpn-01 Contact us -

Running the Tests

npm test

Usa a dns-01 challenge

Although you can run the tests from a public facing server, its easiest to do so using a dns-01 challenge.

You will need to use one of the acme-dns-01-* plugins to run the test locally.


For Example

# Get the repo and change directories into it
git clone
pushd acme.js/

# Install the challenge plugin you'll use for the tests
npm install --save-dev acme-dns-01-digitalocean

Create a .env config

You'll need a .env in the project root that looks something like the one in examples/example.env:

# Copy the sample .env file
rsync -av examples/example.env .env

# Edit the config file to use a domain in your account, and your API token
#vim .env
code .env

# Run the tests
node tests/index.js


Join @rootprojects #general on Keybase if you'd like to chat with us.


Did this project save you some time? Maybe make your day? Even save the day?

Please say "thanks" via Paypal or Patreon:

Where does your contribution go?

Root is a collection of experts who trust each other and enjoy working together on deep-tech, Indie Web projects.

Our goal is to operate as a sustainable community.

Your contributions - both in code and especially financially - help to not just this project, but also our broader work of projects that fuel the Indie Web.

Also, we chat on Keybase in #rootprojects

Commercial Support

Do you need...

  • more features?
  • bugfixes, on your timeline?
  • custom code, built by experts?
  • commercial support and licensing?

You're welcome to contact us in regards to IoT, On-Prem, Enterprise, and Internal installations, integrations, and deployments.

We have both commercial support and commercial licensing available.

We also offer consulting for all-things-ACME and Let's Encrypt.

Legal & Rules of the Road

ACME.js™ is a trademark of AJ ONeal

The rule of thumb is "attribute, but don't confuse". For example:

Built with ACME.js (a Root project).

Please contact us if have any questions in regards to our trademark, attribution, and/or visible source policies. We want to build great software and a great community.

ACME.js | MPL-2.0 | Terms of Use | Privacy Policy