ashbox (acme.sh box)


This project wraps acme.sh, an SSL certificate management tool written in shell script, to make dealing with certificates a little easier. I liked acme.sh as a base because it does not require root or sudo and has the options needed to build this little container to compartmentalise my certs.

  • BSD 3-Clause Licence
  • Installs, configures, and contains a managed acme.sh setup.
  • Centralised portable certificate storage.
  • Raw, CSV, or JSON listing of installed certs.
  • Generates configuration for misc systems and services.
    • acme.sh CLI Config
    • Ashbox Shell Config
    • Apache 2.4 VHost SSL Config
    • Gitea SSL Config
    • ... More when I encounter them or someone suggests it.
Requirements
  • Git
  • Bash Shell (installed)
Install From Source
$ git clone https://github.com/bobmagicii/ashbox
$ cd ashbox
$ chmod +x ./ashbox.sh

First Time Setup
Installs and configures acme.sh. The email address is used by the SSL authority as a point of contact when you ask for a certificate to be issued. This will also add an entry to crontab to handle automatic renewals.
$ ./ashbox.sh install ssl@domain.tld
Quick Start
Call with no arguments to see the full help.
$ ./ashbox.sh
////////////////////////////////////////////////////////////////////////////////
// ashbox v1.0.0-dev ///////////////////////////////////////////////////////////

ashbox.sh <command>...
======================

COMMANDS

  list <options>
    Show all certs being tracked by acme.sh.
    Formats: --csv, --tsv, --ssv, --json, Default: raw format.

  issue <...>
    Fetch SSL certs for the specified domains.
    Use without any arguments to see full usage and options.

  remove <...>
    Remove specified certs from the system.
    Use without any arguments to see full usage and options.

  update
    Download updates for both ashbox.sh and acme.sh.

  --version
    List ashbox and acme.sh versions.

SET DEFAULTS

  default:letsencrypt - use Let's Encrypt by default.
  default:zerossl - use ZerlSSL by default.

CONFIG TOOLS

  General SSL Configuration
  * conf:ssl <domain>
    The filepaths to the certs contained within ashbox for this domain.

  acme.sh Shell
  * conf:acmesh:shell:args
    CLI args needed to make acme.sh work within the box.

  Ashbox Shell
  * conf:ashbox:shell:path
    Shell script to export Ashbox onto PATH.

  Apache VHost SSL
  * conf:apache:vhost:ssl <domain:optional>
    Without domain it will generate using $SSLDomain for VHost config args.

  Gitea SSL Configuration
  * conf:gitea <domain>

DNS API Config
To make DNS API calls you need to paste the key variables needed to make the DNS script of choice work into the .cfg/account.conf file within ashbox. For example, to make dns_porkbun work in acme.sh these variables must be set:
PORKBUN_API_KEY='...'
PORKBUN_SECRET_API_KEY='...'
Don't forget some registrars (like Porkbun) require you to go in and enable API access per domain first.
Issue Certificate
Call the issue command with no arguments for full help.
$ ./ashbox.sh issue
ashbox.sh issue <options> <domain1> ...
=======================================

Issue and Fetch a new SSL cert for the specified domains.

DNS Aliases

  --digitalocean (--dns dns_dgon)
  --porkbun (--dns dns_porkbun)

Other DNS

  --dns <whichever>
    Pass the same value used by acme.sh to use other DNS.

acme.sh DNS Documentation:
https://github.com/acmesh-official/acme.sh/wiki/dnsapi

Using DNS API mode. --digitalocean is an alias for --dns dns_dgon. The issue command can take the same arguments as acme.sh for choosing the validation method, such as webroot.
$ ./ashbox.sh issue domain.tld --digitalocean

Remove Certificate
By default, removed certs are left lying around for use until they expire; the --clean option removes them now.
$ ./ashbox.sh remove domain.tld --clean

List Certificates
The default is acme.sh raw output. There is also CSV, SSV, TSV, and JSON.
$ ./ashbox.sh list --json
[
  {
    "Main_Domain": "atl.pegasusgate.net",
    "KeyLength": "ec-256",
    "SAN_Domains": "no",
    "Profile": "-",
    "CA": "LetsEncrypt.org",
    "Created": "2026-01-22T03:40:27Z",
    "Renew": "2026-02-20T03:40:27Z"
  },
  {
    "Main_Domain": "pegasusgate.net",
    "KeyLength": "ec-256",
    "SAN_Domains": "*.pegasusgate.net",
    "Profile": "-",
    "CA": "LetsEncrypt.org",
    "Created": "2026-01-22T03:28:12Z",
    "Renew": "2026-02-20T03:28:12Z"
  },
  {
    "Main_Domain": "rip.pegasusgate.net",
    "KeyLength": "ec-256",
    "SAN_Domains": "no",
    "Profile": "-",
    "CA": "LetsEncrypt.org",
    "Created": "2026-02-16T04:20:06Z",
    "Renew": "2026-02-16T04:20:06Z"
  },
  {
    "Main_Domain": "",
    "KeyLength": "",
    "SAN_Domains": "-",
    "Profile": "",
    "CA": "LetsEncrypt.org",
    "Created": "-",
    "Renew": ""
  },
  {
    "Main_Domain": "webroot.pegasusgate.net",
    "KeyLength": "ec-256",
    "SAN_Domains": "no",
    "Profile": "-",
    "CA": "ZeroSSL.com",
    "Created": "2026-02-05T21:15:54Z",
    "Renew": "2026-03-06T21:15:54Z"
  }
]

$ ./ashbox.sh list --csv
Main_Domain,KeyLength,SAN_Domains,Profile,CA,Created,Renew
atl.pegasusgate.net,"ec-256",no,-,LetsEncrypt.org,2026-01-22T03:40:27Z,2026-02-20T03:40:27Z
pegasusgate.net,"ec-256",*.pegasusgate.net,-,LetsEncrypt.org,2026-01-22T03:28:12Z,2026-02-20T03:28:12Z
rip.pegasusgate.net,"ec-256",no,-,LetsEncrypt.org,2026-02-16T04:20:06Z,2026-02-16T04:20:06Z
"",-,LetsEncrypt.org,-
webroot.pegasusgate.net,"ec-256",no,-,ZeroSSL.com,2026-02-05T21:15:54Z,2026-03-06T21:15:54Z
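
A check a monitoring job could run over the CSV listing, as an added example that is not part of ashbox: it flags rows that do not match the header (like the short row in the sample output above) and certs whose Renew time has already passed, which makes the crontab renewal entry worth checking. The names audit_certs and sample_listing, the finding labels, and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of ashbox. Audits `ashbox.sh list --csv` output.
# Usage: ./ashbox.sh list --csv | audit_certs "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
# Prints one finding per line and returns 1 if there are any:
#   MALFORMED <line>        row lacks the header column count or a domain
#   DUE <domain> <renew>    Renew timestamp is at or before the cutoff
audit_certs() {
    awk -F',' -v cutoff="$1" '
        NF == 0 { next }                       # ignore blank lines
        !seen_header {                         # first non-blank line is the header
            seen_header = 1; ncol = NF
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("Main_Domain" in col) || !("Renew" in col)) {
                print "BADHEADER"; found = 1; exit
            }
            next
        }
        NF != ncol { print "MALFORMED " NR; found = 1; next }
        {
            domain = $(col["Main_Domain"]); renew = $(col["Renew"])
            if (domain == "" || domain == "\"\"") {
                print "MALFORMED " NR; found = 1; next
            }
            # ISO 8601 UTC timestamps sort correctly as strings; appending ""
            # forces a string comparison.
            if ((renew "") <= (cutoff "")) {
                print "DUE " domain " " renew; found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample in the same shape as the listing (not real certs).
sample_listing() {
    cat <<'EOF'
Main_Domain,KeyLength,SAN_Domains,Profile,CA,Created,Renew
a.example.test,"ec-256",no,-,LetsEncrypt.org,2026-01-22T03:40:27Z,2026-02-20T03:40:27Z
b.example.test,"ec-256",no,-,LetsEncrypt.org,2026-02-16T04:20:06Z,2026-02-16T04:20:06Z
"",-,LetsEncrypt.org,-
c.example.test,"ec-256",no,-,ZeroSSL.com,2026-02-05T21:15:54Z,2026-03-06T21:15:54Z
EOF
}

# Demo run against the constructed sample with a fixed cutoff.
sample_listing | audit_certs "2026-02-17T00:00:00Z" || echo "findings reported above"
```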
Configuration Tools
Generate commands and config for services.

$ ./ashbox.sh conf:ashbox:shell:path
export PATH="${PATH}:/opt/ashbox"
PRO TIP:
Putting this in your shell config or profile script will allow calling $ ashbox.sh cleanly from any directory: no pesky pathing, no goofy changing directory to call it.

$ ./ashbox.sh conf:apache:vhost:ssl pegasusgate.net
SSLCertificateFile "/opt/ashbox/certs/pegasusgate.net_ecc/pegasusgate.net.cer"
SSLCertificateKeyFile "/opt/ashbox/certs/pegasusgate.net_ecc/pegasusgate.net.key"
SSLCACertificateFile "/opt/ashbox/certs/pegasusgate.net_ecc/fullchain.cer"
Update
Install updates to ashbox and acme.sh.
$ ./ashbox.sh update