» ACME Certificate and Account Provider

The Automated Certificate Management Environment (ACME) is an evolving standard for the automation of a domain-validated certificate authority. Clients register themselves on an authority using a private key and contact information, and answer challenges for domains that they own by supplying response data issued by the authority via either HTTP or DNS. Via this process, they prove that they own the domains in question, and can then request certificates for them via the CA. No part of this process requires user interaction, a traditional blocker in obtaining a domain validated certificate.

Currently the major ACME CA is Let's Encrypt, but the ACME support in Terraform can be configured to use any ACME CA, including an internal one that is set up using Boulder, or another CA that implements the ACME standard with Let's Encrypt's divergences.

For more detail on the ACME process, see here. For the ACME spec, click here. Note that as mentioned in the last paragraph, the ACME provider may diverge from the current ACME spec to account for the real-world divergences that are made by CAs such as Let's Encrypt.

» Basic Example

The following example can be used to create an account using the acme_registration resource, and a certificate using the acme_certificate resource. The initial private key is created using the tls_private_key resource, but can be supplied via other means. DNS validation is performed by using Amazon Route 53, for which appropriate credentials are assumed to be in your environment.

provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "nobody@example.com"
}

resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "www.example.com"
  subject_alternative_names = ["www2.example.com"]

  dns_challenge {
    provider = "route53"
  }
}

» Argument Reference

The following arguments are required:

  • server_url - (Required) The URL to the ACME endpoint's directory.