Create TLS certificates. Upload them where you need them.

Get Started
GitHub
🧙

Interactive wizard

Run wizard.sh and answer three questions. Certificate lands in volumes/output/.

📄

Standard PEM output

fullchain.pem + privkey.pem + cert.pem + ca.pem — ready for Nginx, Synology DSM, OPNsense, and more.

🪟

PFX export

One command converts to PFX for Windows / IIS / Synology apps that require it.

🔄

Auto-renewal

crond runs inside the container. acme.sh renews automatically when certs approach expiry.

✳️

Wildcards and SANs

Single domain, *.example.com wildcard, or multi-domain SAN — same wizard.

🔒

DNS-01 challenge

No port 80 or 443 needed. No inbound connection to the device.

🔀

Multiple ACME servers

Let's Encrypt by default. ZeroSSL and BuyPass selectable without code changes.

📦

Multi-arch image

amd64 and arm64 on GHCR. Runs on Raspberry Pi as well as x86 hosts.

⚙️

Built on acme.sh

Uses the official neilpang/acme.sh image as base. No fork, no rewrite.