Secrets

Some plugins require authentication information such as a password or API key to be able to work, e.g. to login to an FTP server or an API key needed to update a DNS record. These secrets are historically saved in encrypted form in the .renewal.json files in the configuration folder.

There are also some global secrets, like the proxy server password and the SMTP server password, that are stored in settings.json.

Central Management

Version 2.1.17 introduced the secret manager to make it easier to re-use and manage secrets for renewals. Also, it makes it possible to protect those aforementioned global secrets. The secret manager can be accessed from the main menu by going to More options... > Manage secrets. There you will be presented with a list of currently known secrets (if any) to update/delete them, and an option to add a new one. Each secret has a unique URI like vault://json/mysecret which you can use in various places like configuration files, command line arguments or script installation parameters.

Multiple backends

Currently, there are three backends for the secret manager shipped with the program:

  • json works with an encrypted file in the configuration folder. It does not offer additional security over normal way of storing secrets, but makes them more convenient to manage. The location of that file may be modified through settings.json, for example if you want to share it between different ACME endpoints.
  • script calls a script configurable in settings.json to retrieve a secret and is intended as a bridge to connect to third party secret management solutions that do not have native plugin available (yet). This is a read-only vault.
  • environment vault looks at environment variables and is intended for servers that are under configuration management. This is a read-only vault.

In the future the idea is to support more backends like Azure KeyVault and HashiCorp. Implementation of a new backend is fairly straightforward for someone with C# experience, it just requires an assembly that implements ISecretProvider. Contributions in this area are most welcome!

Unattended use

You can add or update a secret to the json vault by using the command --vaultstore --vaultkey mykey --vaultsecret *****. Fron that point on the provided secret will be usable as vault://json/mykey.

Settings

Secrets.Json.FilePath Location of the file store secrets.

Paths should be JSON-encoded, e.g. "C:\\" (note the double backslash).

Type: string
Default: undefined (defaults to {Client.ConfigurationPath}\secrets.json)
Secrets.Script.Get Location of the secret getting script.

Paths should be JSON-encoded, e.g. "C:\\" (note the double backslash).

Type: string
Default: undefined
Secrets.Script.GetArguments Arguments to pass to the script that retreives a secret. Supported variable substitutions are
ValueMeaning
{key}The identifier of the secret being requested, e.g. the "mytoken" part of
vault://script/mytoken
{operation}Currently hard coded to "get", may get "delete" and "set" at some point in the future.
{vault://vault/key}Pass a secret from one of the other vaults to the script. Note that you cannot self-reference.


Type: string
Default: undefined (defaults to -key {key})

Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.