I’ve recently set up my own Step-CA server, and I’d like YunoHost to request certificates from this ACME endpoint rather than from Let’s Encrypt.
From what I understand, YunoHost uses acme.sh under the hood to handle certificates. I’ve seen references to a --provisioner flag and other ways to point acme.sh to a custom CA, but I can’t find clear documentation on how to configure YunoHost itself to default to my Step-CA server instead of Let’s Encrypt.
What I’d like to achieve is:
Make YunoHost issue and renew certificates from my Step-CA ACME directory URL (e.g. https://ca.example.org/acme/yunohost/directory).
Do this in a way that works with the existing yunohost domain cert-install command and the admin interface.
Ideally avoid manually dropping certs into /etc/yunohost/certs/... and reloading nginx myself.
Has anyone here successfully configured YunoHost to use a custom ACME server? If so, where should I put that configuration (acme.sh? YunoHost config?), and is there an official or recommended way to override the default Let’s Encrypt setting?
Any insight or examples would be much appreciated!
Looked at the yunohost domain cert-install options, but there doesn’t seem to be a --provider or --acme-server flag to override Let’s Encrypt.
Tried to run acme.sh directly with --server pointing to my Step-CA, but on my YunoHost machine the acme.sh command isn’t installed by default (so YunoHost must be bundling or calling it differently).
Attempted to set a different default CA in acme.sh, but since the CLI isn’t present, I couldn’t confirm whether YunoHost would pick it up.
Considered manually copying certificates into /etc/yunohost/certs/<domain>/, but that defeats the purpose of YunoHost’s automated renewal.
At this point, I’m not sure if the proper way is to:
install and configure acme.sh myself under /root/.acme.sh/,
or if there’s a YunoHost-specific configuration file where the ACME server can be swapped out,
or if YunoHost is hard-coded to only use Let’s Encrypt.
You can try to edit this line in /usr/lib/python3/dist-packages/yunohost/certificate.py, but you have to reapply your change after each upgrade of the yunohost Debian package…