The Automated Certificate Management Environment (ACME) is an evolving standard for automating certificate issuance by a domain-validated certificate authority (CA). A client registers an account with the CA using a private key and contact information, then proves control of each domain it wants a certificate for by answering a challenge: the CA issues a token, and the client publishes a response derived from that token and its account key over either HTTP or DNS. Once the CA has validated the challenges, the client can request certificates for those domains. No part of this process requires user interaction, which has traditionally been the blocker in obtaining a domain-validated certificate.
Currently the major ACME CA is Let's Encrypt, but the ACME provider for Terraform can be configured to use any ACME-compliant CA, including an internal one run on Boulder, the CA software behind Let's Encrypt.
For more detail on the ACME process, see here. For the ACME spec, click here. Note that the ACME provider may diverge from the current ACME spec to account for real-world divergences made by CAs such as Let's Encrypt.
The ACME provider is currently a 3rd party plugin. See the documentation on 3rd party plugins for installation instructions, and download the latest release from the releases page.
If you use Arch Linux, the terraform-provider-acme-bin package is available via the AUR and can be installed with an AUR-supported package manager such as yay. Thanks to @SamWhited for this! Example with yay:
yay -S terraform-provider-acme-bin
The following example creates an account using the acme_registration resource and a certificate using the acme_certificate resource. The account's private key is generated with the tls_private_key resource, but it can be supplied by other means. DNS validation is performed through Amazon Route 53, for which appropriate credentials are assumed to be present in your environment. Note that a key generated by tls_private_key is stored in Terraform state, as is the private key of the issued certificate, so protect the state file as you would any other secret.
provider "acme" {
  # Use the Let's Encrypt staging endpoint while testing: it issues certificates
  # from an untrusted root but has far more generous rate limits than production.
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

# The account key identifies this account to the CA. It is stored in Terraform state.
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

# Register the ACME account for that key with a contact address.
resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "nobody@example.com"
}

# Request a certificate for the listed names, proving control of each name
# with a dns-01 challenge record created in Route 53.
resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "www.example.com"
  subject_alternative_names = ["www2.example.com"]

  dns_challenge {
    provider = "route53"
  }
}
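As an added illustration of the challenge step described in the introduction, and of what the dns_challenge block above causes the provider to publish on your behalf, the following Python computes the http-01 and dns-01 challenge responses from a CA-issued token and the public half of the account key, and shows the check the CA performs against the published record. This is example code written for this page, not code from the ACME provider, Terraform or Let's Encrypt. The JWK, token and domain are constructed sample values; a real client takes the key from account_key_pem and the token from the challenge object the CA returns.

```python
"""
ACME challenge responses (RFC 8555 sections 8.1, 8.3 and 8.4) using the JWK
thumbprint of RFC 7638. Standard library only. Added example for this page;
the key material and token below are constructed sample data, not a real account.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 section 3: only the required public members, member names in
    lexicographic order, no whitespace. Optional members (alg, kid, ...) are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)). This binds a response to one account key."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account public key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """RFC 8555 section 8.3: (path, body) the client serves over plain HTTP on
    port 80 of every name being validated."""
    return (f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk))


def dns01_response(domain: str, token: str, jwk: dict) -> tuple:
    """RFC 8555 section 8.4: (record name, TXT value). The value is a hash of the
    key authorization, so the zone never exposes the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return (f"_acme-challenge.{domain.rstrip('.')}", b64url(digest))


def ca_validates_dns01(token: str, jwk: dict, txt_values: list) -> bool:
    """CA side: recompute the expected TXT value from the token it issued and the
    account key on file, then look for it among the TXT records it resolved."""
    _, expected = dns01_response("irrelevant", token, jwk)
    return expected in txt_values


# Constructed sample data: the public half of an RSA account key as a JWK, with an
# optional member that must not influence the thumbprint, and a CA-style token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "alg": "RS256",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo(domain: str = "www.example.com") -> dict:
    """Run the dns-01 exchange for one name: client publishes, CA checks."""
    name, value = dns01_response(domain, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    return {
        "dns_record": name,
        "dns_txt": value,
        "http_path": path,
        "http_body": body,
        "ca_validated": ca_validates_dns01(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK, [value]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points follow from the arithmetic. The TXT value is a hash of the key authorization, so publishing it reveals nothing about the account key, and a response computed for one account key fails validation for any other. Conversely, anyone who can write TXT records under _acme-challenge.<name> can pass dns-01 for that name, so the Route 53 credentials the dns_challenge block relies on deserve the same protection as the account key itself.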
The following arguments are required:
server_url - (Required) The URL to the ACME endpoint's directory.