
https://tangled.org/rcsheets.net/acme-lantern
git@tangled.org:rcsheets.net/acme-lantern

For self-hosted knots, clone URLs may differ based on your setup.

README.md

ACME Lantern

An ACME client designed to obtain publicly-trusted SSL/TLS certificates for internal resources.

Purpose

ACME Lantern helps you obtain externally validated certificates from ACME-compatible certificate authorities (like Let's Encrypt) for internal infrastructure that isn't directly accessible from the internet. This is particularly useful for:

  • IPMI interfaces - Secure out-of-band management without certificate warnings
  • iLO/iDRAC consoles - Trusted certificates for hardware management interfaces
  • Internal websites and services - Avoid training users to ignore browser warnings
  • Internal APIs and dashboards - Proper TLS for internal tooling
  • Lab and development environments - Production-like security in isolated networks

Why Use This?

While these resources may not be publicly accessible, using self-signed certificates or ignoring certificate warnings creates security risks:

  • Users become desensitized to security warnings
  • Self-signed certificates require manual trust configuration
  • Certificate management becomes inconsistent across infrastructure
  • No certificate transparency or external validation

ACME Lantern bridges this gap by obtaining proper certificates while keeping your internal resources isolated from the public internet.

How It Works

ACME Lantern runs a lightweight web server that handles ACME HTTP-01 challenge validation. By configuring your firewall to route port 80 traffic to this service, you can validate domain ownership and obtain certificates for any internal resource, without exposing those resources directly to the internet.

Features

  • HTTP-01 challenge validation via built-in web server
  • Support for dynamic public IPs
  • Automated certificate renewal
  • Multiple ACME provider support (Let's Encrypt, ZeroSSL, etc.)
  • Certificate deployment to internal resources
  • DNS-01 validation also supported for environments without public IP access
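The two validation methods listed above, HTTP-01 (the port-80 responder described under How It Works) and DNS-01, share the same cryptographic building block: a key authorization derived from the CA's challenge token and the ACME account key's JWK thumbprint (RFC 8555 sections 8.1, 8.3 and 8.4; RFC 7638). The following Go program is an added example written for this page, not code from the acme-lantern project. It assumes a P-256 account key, an in-memory challenge store and a constructed token; a real client takes the token from the challenge object the CA returns. The security-relevant point it demonstrates is that the service listening on port 80 answers only GETs for currently registered tokens under `/.well-known/acme-challenge/` and returns 404 for everything else, so forwarding port 80 to it exposes nothing internal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
	"net/http"
	"regexp"
	"strings"
	"sync"
)

// Path prefix the CA probes for HTTP-01 (RFC 8555 section 8.3).
const challengePrefix = "/.well-known/acme-challenge/"

// Tokens use only the base64url alphabet; anything else ("../", "?") is rejected before lookup.
var tokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// sha256b64 is unpadded base64url(SHA-256(b)); JWK thumbprints and DNS-01 values both have this shape.
func sha256b64(b []byte) string {
	h := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// NewAccountKey generates a P-256 ACME account key (assumption: EC account keys).
func NewAccountKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// JWKThumbprint is the RFC 7638 thumbprint of an EC public key: SHA-256 of the JWK holding
// only crv, kty, x, y in lexicographic order, no whitespace, coordinates left-padded.
func JWKThumbprint(pub *ecdsa.PublicKey) string {
	size := (pub.Curve.Params().BitSize + 7) / 8
	x := base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, size)))
	y := base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, size)))
	jwk := fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`, pub.Curve.Params().Name, x, y)
	return sha256b64([]byte(jwk))
}

// KeyAuthorization is the HTTP-01 response body: token "." thumbprint (RFC 8555 section 8.1).
func KeyAuthorization(token, thumbprint string) string { return token + "." + thumbprint }

// DNS01RecordValue is the _acme-challenge TXT value for DNS-01 (RFC 8555 section 8.4).
func DNS01RecordValue(keyAuth string) string { return sha256b64([]byte(keyAuth)) }

// ChallengeStore holds the tokens the client currently expects the CA to probe.
type ChallengeStore struct {
	mu   sync.RWMutex
	auth map[string]string // token -> key authorization
}

func NewChallengeStore() *ChallengeStore { return &ChallengeStore{auth: map[string]string{}} }

func (s *ChallengeStore) Add(token, keyAuth string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.auth[token] = keyAuth
}

// Remove runs once the CA reports the challenge valid, so stale responses do not linger on port 80.
func (s *ChallengeStore) Remove(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.auth, token)
}

// Handler answers only GETs for registered tokens under the challenge prefix; every other
// request on port 80 gets 404, so nothing internal is reachable through it.
func (s *ChallengeStore) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.URL.Path, challengePrefix)
		if r.Method != http.MethodGet || !strings.HasPrefix(r.URL.Path, challengePrefix) || !tokenRE.MatchString(token) {
			http.NotFound(w, r)
			return
		}
		s.mu.RLock()
		keyAuth, found := s.auth[token]
		s.mu.RUnlock()
		if !found {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		fmt.Fprint(w, keyAuth)
	})
}

func main() {
	// Constructed demo: a fresh account key and a made-up token (a real client gets the token from the CA).
	key, err := NewAccountKey()
	if err != nil {
		log.Fatal(err)
	}
	store := NewChallengeStore()
	const token = "constructed-demo-token"
	store.Add(token, KeyAuthorization(token, JWKThumbprint(&key.PublicKey)))
	// Port 80 is where the firewall forwards the CA's validation requests.
	log.Fatal(http.ListenAndServe(":80", store.Handler()))
}
```

For the DNS-01 path the same key authorization is hashed with `DNS01RecordValue` and published as the `_acme-challenge` TXT record instead of being served over HTTP, which is why the two methods can share one store and one thumbprint routine. Calling `Remove` after the CA reports the challenge valid keeps the responder from serving anything between renewals.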

Roadmap

Phase 1: Core Functionality (Current)

  • HTTP-01 challenge validation
  • Basic certificate request and renewal
  • File-based storage for certificates and private keys
  • Simple certificate deployment (includes a temporary Ephemeral Local Download API)

Phase 2: Secure Storage

  • Integration with OpenBao for secure cryptographic material storage
  • Store ACME account keys in OpenBao
  • Store private keys for certificates in OpenBao
  • Store certificates in OpenBao
  • Configurable storage backend (file-based or OpenBao)

Phase 3: Automated Deployment

  • Plugin-based deployment system
  • Supermicro IPMI deployment (via CGI API)
    • Support for X10 and X11 firmware variants
    • Automatic BMC reboot and verification
    • RSA key generation for compatibility
  • Additional deployment targets (SCP, SFTP, HTTP APIs)

Future Enhancements

  • Web UI for certificate management
  • Webhook notifications for renewal events
  • Certificate monitoring and alerting
  • iLO/iDRAC deployment plugins

Status

This project is currently under development. Phase 1 features are believed to be complete; feedback and issue reports are welcome.

The project's home is presently on tangled.

License

MIT