acme-wrapper

A program wrapping acme-tiny to make administering ssl certificates for services on a host running debian reliable and automatic.

Specifically, the following functionality is implemented on top of acme-tiny:

  • Automatically provide ssl private key file for each requested certificate.

    As a convenience, acme-wrapper also handles the generation of ssl private key files. Currently a new private key is generated each time a certificate is (re-)issued, in order to automatically limit the impact of a possible key-revealing ssl vulnerability.

    As a disadvantage, this means that acme-wrapper will have access to all ssl private key files for all issued certificates. A future version of acme-wrapper might offer ways to limit this if some coordination with and support by the application (the application that will eventually use the issued ssl certificate) is implemented.

  • Automatically provide self-signed certificate if all else fails.

    For example, apache2 does not start when an ssl certificate file is configured but the file does not exist. Therefore, by ensuring that _some_ ssl certificate file always exists, the service is merely rendered insecure instead of denied. This is the preferred failure mode for virtually all public web pages without a login-only area.

  • Automatically retrieve the full certificate chain up to the root

    While let’s encrypt and acme-tiny in their current forms also provide the intermediate certificate together with the issued certificate, this was not the case previously and is also not guaranteed by the acme protocol standard (see RFC 8555). Acme-Wrapper was started when the intermediate certificate was not yet provided by acme-tiny.

    Acme-Wrapper inspects the certificate handed over by acme-tiny, retrieves any missing parts of the chain up to the root certificate, and makes all of them available to the application that uses the ssl certificate file.

  • Automatically re-request certificates

    Acme-Wrapper uses cron to ensure that each requested certificate is renewed in time before it expires. While the documentation of acme-tiny already suggests running it automatically via cron each month, acme-wrapper tries to be more sophisticated about it. Currently, acme-wrapper checks daily whether a soon-expiring certificate needs to be re-requested, but only calls on acme-tiny if the need arises.

    Acme-Wrapper does not automatically reload or restart services.
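    The three decisions described above (renew only when expiry is near, fall back to a self-signed certificate when no file exists, and check whether a PEM file's chain reaches a self-signed root) as an added example built on openssl(1); this is illustrative shell code, not acme-wrapper's own implementation, and the function names, the 30-day default window and the 30-day fallback lifetime are assumptions.

```shell
#!/bin/sh
# Added example (not acme-wrapper's own code): the renewal, fallback and
# chain-completeness decisions from the README as functions on top of openssl(1).
set -u

# Renewal decision: return 0 (true) when the certificate expires within DAYS
# days or cannot be read at all, so the caller should invoke acme-tiny.
needs_renewal() {
    cert="$1"; days="${2:-30}"   # 30-day default window is an assumption
    [ -r "$cert" ] || return 0
    # -checkend exits 0 when the cert is still valid after the window and
    # 1 when it will have expired by then; invert that for our meaning.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Fallback: if no certificate file exists yet, create a fresh private key and
# a short-lived self-signed certificate so the service starts (insecure, not denied).
ensure_cert_exists() {
    cert="$1"; key="$2"; cn="$3"
    [ -s "$cert" ] && return 0
    ( umask 077   # key file must not be world-readable
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
          -subj "/CN=$cn" -keyout "$key" -out "$cert" >/dev/null 2>&1 )
}

# Chain check: return 0 when the last certificate in the PEM file is
# self-signed (issuer == subject), i.e. the chain reaches a root; a non-zero
# return means intermediate/root parts still have to be fetched.
chain_reaches_root() {
    last=$(awk '/BEGIN CERTIFICATE/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$1")
    subj=$(printf '%s\n' "$last" | openssl x509 -noout -subject 2>/dev/null)
    iss=$(printf '%s\n' "$last" | openssl x509 -noout -issuer 2>/dev/null)
    [ -n "$subj" ] && [ "${subj#subject=}" = "${iss#issuer=}" ]
}
```

    A daily cron job would call ensure_cert_exists first, then needs_renewal, and only on a true result hand the work to acme-tiny.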

See https://github.com/diafygi/acme-tiny for the wrapped software.

The homepage for this project is https://qyanu.net/software/acme-wrapper .

Tested with and designed for debian 12 “bookworm”. Contributions to expand compatibility to other OS are welcome.

downloading & installing

The source code is fully mirrored to github.com/qyanu/acme-wrapper.


When downloading the source package (the dsc and tar.xz files), signature and checksum verification can be performed with the dscverify(1) utility (assuming that my gpg key 0xF507E6B0003849B9FC2ADD3E207022447F6D85DB is part of the ~/.gnupg/trustedkeys.gpg keyring):

dscverify acme-wrapper_1.0.0.dsc
# exit status 0 => verification successful
# otherwise => possible file manipulation

When downloading the binary package (the deb and deb.sig files), the signature (which also covers the file's checksum) can be verified with the gpgv(1) utility (assuming that my gpg key 0xF507E6B0003849B9FC2ADD3E207022447F6D85DB is part of the ~/.gnupg/trustedkeys.kbx keyring):

gpgv acme-wrapper_1.0.0_all.deb.sig acme-wrapper_1.0.0_all.deb
# exit status 0 => verification successful
# otherwise => possible file manipulation