PegasusGate

ashbox (acme.sh box)

This project wraps acme.sh, an SSL certificate management tool written in shell script, to make dealing with certificates a little easier. I liked acme.sh as a base because it does not require root or sudo and had the options needed to build this little container to compartmentalise my certs.

  • BSD 3-Clause Licence
  • Installs, configures, and contains a managed acme.sh setup.
  • Centralised portable certificate storage.
  • Raw, CSV, or JSON listing of installed certs.
  • Generate configuration for misc system and services.
    • acme.sh CLI Config
    • Ashbox Shell Config
    • Apache 2.4 VHost SSL Config
    • Gitea SSL Config
    • ... More when I encounter them or someone suggests it.
Requirements
  • Git
  • Bash Shell (installed)
GitHub
Install From Source
$ git clone https://github.com/bobmagicii/ashbox
$ cd ashbox
$ chmod +x ./ashbox.sh
First Time Setup
Installs and configures acme.sh. The email address gets sent by the SSL authourity as a point of contact when you ask for a certificate to be issued. This will also add an entry to crontab to handle automatic renewals.
$ ./ashbox.sh install ssl@domain.tld
Quick Start
Call with no arguments to see the full help.
$ ./ashbox.sh
//////////////////////////////////////////////////////////////////////////////// // ashbox v1.0.0 /////////////////////////////////////////////////////////////// ashbox.sh <command>... ====================== COMMANDS list <options> Show all certs being tracked by acme.sh. Formats: --csv, --tsv, --ssv, --json, Default: raw format. issue <...> Fetch SSL certs for the specified domains. Use without any arguments to see full usage and options. remove <...> Remove specified certs from the system. Use without any arguments to see full usage and options. update Download updates for both ashbox.sh and acme.sh. --version List ashbox and acme.sh versions. SET DEFAULTS default:letsencrypt - use Let's Encrypt by default. default:zerossl - use ZerlSSL by default. CONFIG TOOLS General SSL Configuration * conf:ssl <domain> The filepaths to the certs contained within ashbox for this domain. acme.sh Shell * conf:acmesh:shell:args CLI args needed to make acme.sh work within the box. Ashbox Shell * conf:ashbox:shell:path Shell script to export Ashbox onto PATH. Apache VHost SSL * conf:apache:vhost:ssl <domain:optional> Without domain it will generate using $SSLDomain for VHost config args. Gitea SSL Configuration * conf:gitea <domain>
DNS API Config
To make DNS API calls you need to paste the key variables needed to make the DNS script of choice work into the .cfg/account.conf file within ashbox. For example, to make dns_porkbun work in acme.sh these variables must be set:
PORKBUN_API_KEY='...' PORKBUN_SECRET_API_KEY='...'
Don't forget some registrars (like Porkbun) require you to go in and enable API access per domain first.
Issue Certificate
Call the issue command with no arguments for full help.
$ ./ashbox.sh issue
ashbox.sh issue <options> <domain1> ... ======================================= Issue and Fetch a new SSL cert for the specified domains. WEB ROOT MODE This will use the .well-known folder system to validate domain ownership. --webroot /path/to/public/www DNS MODE This uses the remote API on DNS providers to automatically set some TXT records used for ownership validation. --dns <dnsapi> Each of the DNS supported by acme.sh have their variables you set to make their script work. Paste those variables into the `.cfg/account.conf` file. Example, to make dns_porkbun work: PORKBUN_API_KEY='...' PORKBUN_SECRET_API_KEY='...' DNS Mode Documentation to find the --dns name and variables you need for your DNS provider: https://github.com/acmesh-official/acme.sh/wiki/dnsapi DNS ALIASES (Ashbox Shortcuts) --digitalocean (--dns dns_dgon) --porkbun (--dns dns_porkbun)
Using DNS API Mode. --digitalocean is an alias --dns dns_dgon. It can take the same arguments as acme.sh for choosing the validation method, such as webroot.
$ ./ashbox.sh issue domain.tld --digitalocean
Remove Certificate
By default they are left laying around for use until they expire, the clean option removes it now.
$ ./ashbox.sh remove domain.tld --clean
List Certificates
The default is acme.sh raw output. There is also CSV, SSV, TSV, and JSON.
$ ./ashbox.sh list --json
[ { "Main_Domain": "atl.pegasusgate.net", "KeyLength": "ec-256", "SAN_Domains": "no", "Profile": "-", "CA": "LetsEncrypt.org", "Created": "2026-02-20T04:20:09Z", "Renew": "2026-03-21T04:20:09Z" }, { "Main_Domain": "pegasusgate.net", "KeyLength": "ec-256", "SAN_Domains": "*.pegasusgate.net", "Profile": "-", "CA": "LetsEncrypt.org", "Created": "2026-02-20T04:20:14Z", "Renew": "2026-03-21T04:20:14Z" }, { "Main_Domain": "rip.pegasusgate.net", "KeyLength": "ec-256", "SAN_Domains": "no", "Profile": "-", "CA": "LetsEncrypt.org", "Created": "2026-03-07T04:20:07Z", "Renew": "2026-03-07T04:20:07Z" }, { "Main_Domain": "squirrelshaterobots.com", "KeyLength": "ec-256", "SAN_Domains": "no", "Profile": "-", "CA": "LetsEncrypt.org", "Created": "2026-02-13T21:51:04Z", "Renew": "2026-03-14T21:51:04Z" }, { "Main_Domain": "webroot.pegasusgate.net", "KeyLength": "ec-256", "SAN_Domains": "no", "Profile": "-", "CA": "ZeroSSL.com", "Created": "2026-03-07T04:20:32Z", "Renew": "2026-04-05T04:20:32Z" } ]
$ ./ashbox.sh list --csv
Main_Domain,KeyLength,SAN_Domains,Profile,CA,Created,Renew atl.pegasusgate.net,"ec-256",no,-,LetsEncrypt.org,2026-02-20T04:20:09Z,2026-03-21T04:20:09Z pegasusgate.net,"ec-256",*.pegasusgate.net,-,LetsEncrypt.org,2026-02-20T04:20:14Z,2026-03-21T04:20:14Z rip.pegasusgate.net,"ec-256",no,-,LetsEncrypt.org,2026-03-07T04:20:07Z,2026-03-07T04:20:07Z squirrelshaterobots.com,"ec-256",no,-,LetsEncrypt.org,2026-02-13T21:51:04Z,2026-03-14T21:51:04Z webroot.pegasusgate.net,"ec-256",no,-,ZeroSSL.com,2026-03-07T04:20:32Z,2026-04-05T04:20:32Z
Configuration Tools
Generate commands and config for services.
$ ./ashbox.sh conf:ashbox:shell:path
export PATH="${PATH}:/opt/ashbox"
PRO TIP:
Putting this in your shell config or profile script will allow calling $ ashbox.sh cleanly from any directory no pesky pathing no goofy changing directory to call it.
$ ./ashbox.sh conf:apache:vhost:ssl pegasusgate.net
SSLCertificateFile "/opt/ashbox/certs/pegasusgate.net_ecc/pegasusgate.net.cer" SSLCertificateKeyFile "/opt/ashbox/certs/pegasusgate.net_ecc/pegasusgate.net.key" SSLCACertificateFile "/opt/ashbox/certs/pegasusgate.net_ecc/fullchain.cer"
Update
Install updates to ashbox and acme.sh.
$ ./ashbox.sh update