ashbox (acme.sh box)

This project wraps acme.sh, an SSL certificate management tool written in shell script, to make dealing with certificates a little easier. I liked acme.sh as a base because it does not require root or sudo and had the options needed to build this little container to compartmentalise my certs.

BSD 3-Clause Licence
Installs, configures, and contains a managed acme.sh setup.
Centralised portable certificate storage.
Raw, CSV, or JSON listing of installed certs.
Generate configuration for misc system and services.

acme.sh CLI Config
Ashbox Shell Config
Apache 2.4 VHost SSL Config
Gitea SSL Config
... More when I encounter them or someone suggests it.

Requirements

Git
Bash Shell (installed)

GitHub

Install From Source

$ git clone https://github.com/bobmagicii/ashbox

$ cd ashbox

$ chmod +x ./ashbox.sh

First Time Setup

Installs and configures acme.sh. The email address gets sent by the SSL authourity as a point of contact when you ask for a certificate to be issued. This will also add an entry to crontab to handle automatic renewals.

$ ./ashbox.sh install ssl@domain.tld

Quick Start

Call with no arguments to see the full help.

$ ./ashbox.sh

// ashbox v1.0.0

ashbox.sh <command>...
======================

COMMANDS

	list <options>

		Show all certs being tracked by acme.sh.
		Formats: --csv, --tsv, --ssv, --json, Default: raw format.

	issue <...>

		Fetch SSL certs for the specified domains.
		Use without any arguments to see full usage and options.

	remove <...>

		Remove specified certs from the system.
		Use without any arguments to see full usage and options.

	update

		Download updates for both ashbox.sh and acme.sh.

	--version

		List ashbox and acme.sh versions.

SET DEFAULTS

	default:letsencrypt - use Let's Encrypt by default.
	default:zerossl - use ZerlSSL by default.

CONFIG TOOLS

	General SSL Configuration

	* conf:ssl <domain>
	  The filepaths to the certs contained within ashbox for this domain.

	acme.sh Shell

	* conf:acmesh:shell:args
	  CLI args needed to make acme.sh work within the box.

	Ashbox Shell

	* conf:ashbox:shell:path
	  Shell script to export Ashbox onto PATH.

	Apache VHost SSL

	* conf:apache:vhost:ssl <domain:optional>
	  Without domain it will generate using $SSLDomain for VHost config args.

	Gitea SSL Configuration

	* conf:gitea <domain>

DNS API Config

To make DNS API calls you need to paste the key variables needed to make the DNS script of choice work into the .cfg/account.conf file within ashbox. For example, to make dns_porkbun work in acme.sh these variables must be set:

PORKBUN_API_KEY='...'
PORKBUN_SECRET_API_KEY='...'

Don't forget some registrars (like Porkbun) require you to go in and enable API access per domain first.

Issue Certificate

Call the issue command with no arguments for full help.

$ ./ashbox.sh issue

ashbox.sh issue <options> <domain1> ...
=======================================

Issue and Fetch a new SSL cert for the specified domains.

WEB ROOT MODE

	This will use the .well-known folder system to validate domain ownership.

	--webroot /path/to/public/www

DNS MODE

	This uses the remote API on DNS providers to automatically set some
	TXT records used for ownership validation.

	--dns <dnsapi>

	Each of the DNS supported by acme.sh have their variables you set to make
	their script work. Paste those variables into the `.cfg/account.conf`
	file.

	Example, to make dns_porkbun work:

	PORKBUN_API_KEY='...'
	PORKBUN_SECRET_API_KEY='...'

	DNS Mode Documentation to find the --dns name and variables you need
	for your DNS provider:

	https://github.com/acmesh-official/acme.sh/wiki/dnsapi


DNS ALIASES (Ashbox Shortcuts)

	--digitalocean (--dns dns_dgon)
	--porkbun (--dns dns_porkbun)

Using DNS API Mode. --digitalocean is an alias --dns dns_dgon. It can take the same arguments as acme.sh for choosing the validation method, such as webroot.

$ ./ashbox.sh issue domain.tld --digitalocean

Remove Certificate

By default they are left laying around for use until they expire, the clean option removes it now.

$ ./ashbox.sh remove domain.tld --clean

List Certificates

The default is acme.sh raw output. There is also CSV, SSV, TSV, and JSON.

$ ./ashbox.sh list --json

[
	{ "Main_Domain": "atl.pegasusgate.net", "KeyLength": "ec-256", "SAN_Domains": "no", "Profile": "-", "CA": "LetsEncrypt.org", "Created": "2026-05-21T04:20:30Z", "Renew": "2026-06-19T04:20:30Z"  },
	{ "Main_Domain": "", "KeyLength": "", "SAN_Domains": "-", "Profile": "", "CA": "LetsEncrypt.org", "Created": "-", "Renew": ""  },
	{ "Main_Domain": "", "KeyLength": "", "SAN_Domains": "-", "Profile": "", "CA": "LetsEncrypt.org", "Created": "-", "Renew": ""  },
	{ "Main_Domain": "", "KeyLength": "", "SAN_Domains": "-", "Profile": "", "CA": "LetsEncrypt.org", "Created": "-", "Renew": ""  },
	{ "Main_Domain": "pegasusgate.net", "KeyLength": "ec-256", "SAN_Domains": "*.pegasusgate.net", "Profile": "-", "CA": "LetsEncrypt.org", "Created": "2026-05-22T04:20:36Z", "Renew": "2026-06-20T04:20:36Z"  },
	{ "Main_Domain": "rip.pegasusgate.net", "KeyLength": "ec-256", "SAN_Domains": "no", "Profile": "-", "CA": "LetsEncrypt.org", "Created": "2026-06-06T04:21:32Z", "Renew": "2026-06-06T04:21:32Z"  },
	{ "Main_Domain": "", "KeyLength": "", "SAN_Domains": "-", "Profile": "", "CA": "LetsEncrypt.org", "Created": "-", "Renew": ""  },
	{ "Main_Domain": "squirrelshaterobots.com", "KeyLength": "ec-256", "SAN_Domains": "no", "Profile": "-", "CA": "LetsEncrypt.org", "Created": "2026-05-14T04:20:35Z", "Renew": "2026-06-12T04:20:35Z"  },
	{ "Main_Domain": "webroot.pegasusgate.net", "KeyLength": "ec-256", "SAN_Domains": "no", "Profile": "-", "CA": "ZeroSSL.com", "Created": "2026-06-05T04:20:30Z", "Renew": "2026-07-04T04:20:30Z"  }
]

$ ./ashbox.sh list --csv

Main_Domain,KeyLength,SAN_Domains,Profile,CA,Created,Renew
atl.pegasusgate.net,"ec-256",no,-,LetsEncrypt.org,2026-05-21T04:20:30Z,2026-06-19T04:20:30Z
"",-,LetsEncrypt.org,-
"",-,LetsEncrypt.org,-
"",-,LetsEncrypt.org,-
pegasusgate.net,"ec-256",*.pegasusgate.net,-,LetsEncrypt.org,2026-05-22T04:20:36Z,2026-06-20T04:20:36Z
rip.pegasusgate.net,"ec-256",no,-,LetsEncrypt.org,2026-06-06T04:21:32Z,2026-06-06T04:21:32Z
"",-,LetsEncrypt.org,-
squirrelshaterobots.com,"ec-256",no,-,LetsEncrypt.org,2026-05-14T04:20:35Z,2026-06-12T04:20:35Z
webroot.pegasusgate.net,"ec-256",no,-,ZeroSSL.com,2026-06-05T04:20:30Z,2026-07-04T04:20:30Z

Configuration Tools

Generate commands and config for services.

$ ./ashbox.sh conf:ashbox:shell:path

export PATH="${PATH}:/opt/ashbox"

PRO TIP:

Putting this in your shell config or profile script will allow calling $ ashbox.sh cleanly from any directory no pesky pathing no goofy changing directory to call it.

$ ./ashbox.sh conf:apache:vhost:ssl pegasusgate.net

SSLCertificateFile    "/opt/ashbox/certs/pegasusgate.net_ecc/pegasusgate.net.cer"
SSLCertificateKeyFile "/opt/ashbox/certs/pegasusgate.net_ecc/pegasusgate.net.key"
SSLCACertificateFile  "/opt/ashbox/certs/pegasusgate.net_ecc/fullchain.cer"

Update

Install updates to ashbox and acme.sh.

$ ./ashbox.sh update