go get -tool github.com/letsencrypt/pebble/v2/cmd/pebble@latest
go tool pebble -version
go tool pebble -config pebble.json
go run main.goNote
The cert and key here are public and aren't sensitive for the sake of local testing.
Created
September 23, 2025 14:50
-
-
Save Integralist/89e149c37fbba8fe0d8dcbb382489f39 to your computer and use it in GitHub Desktop.
Let's Encrypt Pebble with mholt/acmez client
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -----BEGIN CERTIFICATE----- | |
| MIIDGzCCAgOgAwIBAgIIbEfayDFsBtwwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE | |
| AxMVbWluaWNhIHJvb3QgY2EgMjRlMmRiMCAXDTE3MTIwNjE5NDIxMFoYDzIxMDcx | |
| MjA2MTk0MjEwWjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB | |
| AQUAA4IBDwAwggEKAoIBAQCbFMW3DXXdErvQf2lCZ0qz0DGEWadDoF0O2neM5mVa | |
| VQ7QGW0xc5Qwvn3Tl62C0JtwLpF0pG2BICIN+DHdVaIUwkf77iBS2doH1I3waE1I | |
| 8GkV9JrYmFY+j0dA1SwBmqUZNXhLNwZGq1a91nFSI59DZNy/JciqxoPX2K++ojU2 | |
| FPpuXe2t51NmXMsszpa+TDqF/IeskA9A/ws6UIh4Mzhghx7oay2/qqj2IIPjAmJj | |
| i73kdUvtEry3wmlkBvtVH50+FscS9WmPC5h3lDTk5nbzSAXKuFusotuqy3XTgY5B | |
| PiRAwkZbEY43JNfqenQPHo7mNTt29i+NVVrBsnAa5ovrAgMBAAGjYzBhMA4GA1Ud | |
| DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T | |
| AQH/BAIwADAiBgNVHREEGzAZgglsb2NhbGhvc3SCBnBlYmJsZYcEfwAAATANBgkq | |
| hkiG9w0BAQsFAAOCAQEAYIkXff8H28KS0KyLHtbbSOGU4sujHHVwiVXSATACsNAE | |
| D0Qa8hdtTQ6AUqA6/n8/u1tk0O4rPE/cTpsM3IJFX9S3rZMRsguBP7BSr1Lq/XAB | |
| 7JP/CNHt+Z9aKCKcg11wIX9/B9F7pyKM3TdKgOpqXGV6TMuLjg5PlYWI/07lVGFW | |
| /mSJDRs8bSCFmbRtEqc4lpwlrpz+kTTnX6G7JDLfLWYw/xXVqwFfdengcDTHCc8K | |
| wtgGq/Gu6vcoBxIO3jaca+OIkMfxxXmGrcNdseuUCa3RMZ8Qy03DqGu6Y6XQyK4B | |
| W8zIG6H9SVKkAznM2yfYhW8v2ktcaZ95/OBHY97ZIw== | |
| -----END CERTIFICATE----- |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module testing-acmez-with-pebble | |
| go 1.25.1 | |
| require github.com/mholt/acmez/v3 v3.1.3 | |
| require ( | |
| github.com/go-jose/go-jose/v4 v4.1.0 // indirect | |
| github.com/letsencrypt/challtestsrv v1.3.2 // indirect | |
| github.com/letsencrypt/pebble/v2 v2.8.0 // indirect | |
| github.com/miekg/dns v1.1.62 // indirect | |
| golang.org/x/crypto v0.38.0 // indirect | |
| golang.org/x/mod v0.24.0 // indirect | |
| golang.org/x/net v0.40.0 // indirect | |
| golang.org/x/sync v0.14.0 // indirect | |
| golang.org/x/sys v0.33.0 // indirect | |
| golang.org/x/text v0.25.0 // indirect | |
| golang.org/x/tools v0.33.0 // indirect | |
| ) | |
| tool github.com/letsencrypt/pebble/v2/cmd/pebble |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= | |
| github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | |
| github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY= | |
| github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw= | |
| github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= | |
| github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= | |
| github.com/letsencrypt/challtestsrv v1.3.2 h1:pIDLBCLXR3B1DLmOmkkqg29qVa7DDozBnsOpL9PxmAY= | |
| github.com/letsencrypt/challtestsrv v1.3.2/go.mod h1:Ur4e4FvELUXLGhkMztHOsPIsvGxD/kzSJninOrkM+zc= | |
| github.com/letsencrypt/pebble/v2 v2.8.0 h1:WCyePNx72fgguyozp33B4Avu2p7ZqMBywKg9Uw/40yw= | |
| github.com/letsencrypt/pebble/v2 v2.8.0/go.mod h1:/InUwQEtCyi9jh9iLEvoefC2UdbdkXlMjBD3Mw8h6vE= | |
| github.com/mholt/acmez/v3 v3.1.3 h1:gUl789rjbJSuM5hYzOFnNaGgWPV1xVfnOs59o0dZEcc= | |
| github.com/mholt/acmez/v3 v3.1.3/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ= | |
| github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= | |
| github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= | |
| github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= | |
| github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= | |
| github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | |
| github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= | |
| github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= | |
| golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= | |
| golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= | |
| golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= | |
| golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= | |
| golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= | |
| golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= | |
| golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= | |
| golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | |
| golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= | |
| golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= | |
| golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | |
| golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | |
| golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= | |
| golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= | |
| golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= | |
| golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= | |
| golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= | |
| golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= | |
| golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= | |
| golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= | |
| golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= | |
| gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= | |
| gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -----BEGIN RSA PRIVATE KEY----- | |
| MIIEowIBAAKCAQEAmxTFtw113RK70H9pQmdKs9AxhFmnQ6BdDtp3jOZlWlUO0Blt | |
| MXOUML5905etgtCbcC6RdKRtgSAiDfgx3VWiFMJH++4gUtnaB9SN8GhNSPBpFfSa | |
| 2JhWPo9HQNUsAZqlGTV4SzcGRqtWvdZxUiOfQ2TcvyXIqsaD19ivvqI1NhT6bl3t | |
| redTZlzLLM6Wvkw6hfyHrJAPQP8LOlCIeDM4YIce6Gstv6qo9iCD4wJiY4u95HVL | |
| 7RK8t8JpZAb7VR+dPhbHEvVpjwuYd5Q05OZ280gFyrhbrKLbqst104GOQT4kQMJG | |
| WxGONyTX6np0Dx6O5jU7dvYvjVVawbJwGuaL6wIDAQABAoIBAGW9W/S6lO+DIcoo | |
| PHL+9sg+tq2gb5ZzN3nOI45BfI6lrMEjXTqLG9ZasovFP2TJ3J/dPTnrwZdr8Et/ | |
| 357YViwORVFnKLeSCnMGpFPq6YEHj7mCrq+YSURjlRhYgbVPsi52oMOfhrOIJrEG | |
| ZXPAwPRi0Ftqu1omQEqz8qA7JHOkjB2p0i2Xc/uOSJccCmUDMlksRYz8zFe8wHuD | |
| XvUL2k23n2pBZ6wiez6Xjr0wUQ4ESI02x7PmYgA3aqF2Q6ECDwHhjVeQmAuypMF6 | |
| IaTjIJkWdZCW96pPaK1t+5nTNZ+Mg7tpJ/PRE4BkJvqcfHEOOl6wAE8gSk5uVApY | |
| ZRKGmGkCgYEAzF9iRXYo7A/UphL11bR0gqxB6qnQl54iLhqS/E6CVNcmwJ2d9pF8 | |
| 5HTfSo1/lOXT3hGV8gizN2S5RmWBrc9HBZ+dNrVo7FYeeBiHu+opbX1X/C1HC0m1 | |
| wJNsyoXeqD1OFc1WbDpHz5iv4IOXzYdOdKiYEcTv5JkqE7jomqBLQk8CgYEAwkG/ | |
| rnwr4ThUo/DG5oH+l0LVnHkrJY+BUSI33g3eQ3eM0MSbfJXGT7snh5puJW0oXP7Z | |
| Gw88nK3Vnz2nTPesiwtO2OkUVgrIgWryIvKHaqrYnapZHuM+io30jbZOVaVTMR9c | |
| X/7/d5/evwXuP7p2DIdZKQKKFgROm1XnhNqVgaUCgYBD/ogHbCR5RVsOVciMbRlG | |
| UGEt3YmUp/vfMuAsKUKbT2mJM+dWHVlb+LZBa4pC06QFgfxNJi/aAhzSGvtmBEww | |
| xsXbaceauZwxgJfIIUPfNZCMSdQVIVTi2Smcx6UofBz6i/Jw14MEwlvhamaa7qVf | |
| kqflYYwelga1wRNCPopLaQKBgQCWsZqZKQqBNMm0Q9yIhN+TR+2d7QFjqeePoRPl | |
| 1qxNejhq25ojE607vNv1ff9kWUGuoqSZMUC76r6FQba/JoNbefI4otd7x/GzM9uS | |
| 8MHMJazU4okwROkHYwgLxxkNp6rZuJJYheB4VDTfyyH/ng5lubmY7rdgTQcNyZ5I | |
| majRYQKBgAMKJ3RlII0qvAfNFZr4Y2bNIq+60Z+Qu2W5xokIHCFNly3W1XDDKGFe | |
| CCPHSvQljinke3P9gPt2HVdXxcnku9VkTti+JygxuLkVg7E0/SWwrWfGsaMJs+84 | |
| fK+mTZay2d3v24r9WKEKwLykngYPyZw5+BdWU0E+xx5lGUd3U4gG | |
| -----END RSA PRIVATE KEY----- |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "context" | |
| "crypto/rand" | |
| "crypto/rsa" | |
| "crypto/tls" | |
| "fmt" | |
| "log" | |
| "net/http" | |
| "github.com/mholt/acmez/v3" | |
| "github.com/mholt/acmez/v3/acme" | |
| ) | |
| func main() { | |
| // Create a new private key for the account | |
| accountKey, err := rsa.GenerateKey(rand.Reader, 2048) | |
| if err != nil { | |
| log.Fatal(err) | |
| } | |
| // Create HTTP client that accepts self-signed certs for Pebble | |
| httpClient := &http.Client{ | |
| Transport: &http.Transport{ | |
| TLSClientConfig: &tls.Config{ | |
| InsecureSkipVerify: true, | |
| }, | |
| }, | |
| } | |
| // Create ACME client pointing to local Pebble | |
| client := acmez.Client{ | |
| Client: &acme.Client{ | |
| Directory: "https://localhost:14000/dir", | |
| HTTPClient: httpClient, | |
| }, | |
| ChallengeSolvers: map[string]acmez.Solver{}, | |
| } | |
| ctx := context.Background() | |
| // Create or get account | |
| account := acme.Account{ | |
| Contact: []string{"mailto:[email protected]"}, | |
| TermsOfServiceAgreed: true, | |
| PrivateKey: accountKey, | |
| } | |
| account, err = client.NewAccount(ctx, account) | |
| if err != nil { | |
| log.Fatal("Failed to create account:", err) | |
| } | |
| fmt.Printf("β Created account: %s\n", account.Location) | |
| // Create a new order | |
| order := acme.Order{ | |
| Identifiers: []acme.Identifier{ | |
| {Type: "dns", Value: "test.example.com"}, | |
| {Type: "dns", Value: "www.test.example.com"}, | |
| }, | |
| } | |
| order, err = client.NewOrder(ctx, account, order) | |
| if err != nil { | |
| log.Fatal("Failed to create order:", err) | |
| } | |
| fmt.Printf("β Created order: %s\n", order.Location) | |
| fmt.Printf("π Order status: %s\n", order.Status) | |
| fmt.Printf("π Authorizations: %d\n", len(order.Authorizations)) | |
| // Get authorization details | |
| for i, authzURL := range order.Authorizations { | |
| authz, err := client.GetAuthorization(ctx, account, authzURL) | |
| if err != nil { | |
| log.Printf("Failed to get authorization %d: %v", i, err) | |
| continue | |
| } | |
| fmt.Printf("\nπ― Authorization %d for %s:\n", i+1, authz.Identifier.Value) | |
| fmt.Printf(" Status: %s\n", authz.Status) | |
| fmt.Printf(" Challenges: %d\n", len(authz.Challenges)) | |
| for j, challenge := range authz.Challenges { | |
| fmt.Printf(" Challenge %d:\n", j+1) | |
| fmt.Printf(" Type: %s\n", challenge.Type) | |
| fmt.Printf(" Status: %s\n", challenge.Status) | |
| fmt.Printf(" URL: %s\n", challenge.URL) | |
| if challenge.Type == acme.ChallengeTypeDNS01 { | |
| fmt.Printf(" DNS Record: %s\n", challenge.DNS01TXTRecordName()) | |
| fmt.Printf(" DNS Value: %s\n", challenge.DNS01KeyAuthorization()) | |
| } | |
| if challenge.Type == acme.ChallengeTypeDNSAccount01 { | |
| fmt.Printf(" DNS-Account Record: %s\n", challenge.DNSAcccount01TXTRecordName(account)) | |
| fmt.Printf(" DNS-Account Value: %s\n", challenge.DNS01KeyAuthorization()) | |
| } | |
| if challenge.Type == acme.ChallengeTypeHTTP01 { | |
| fmt.Printf(" HTTP Path: %s\n", challenge.HTTP01ResourcePath()) | |
| fmt.Printf(" HTTP Value: %s\n", challenge.KeyAuthorization) | |
| } | |
| } | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "pebble": { | |
| "listenAddress": "0.0.0.0:14000", | |
| "managementListenAddress": "0.0.0.0:15000", | |
| "certificate": "cert.pem", | |
| "privateKey": "key.pem", | |
| "httpPort": 5002, | |
| "tlsPort": 5001, | |
| "ocspResponderURL": "", | |
| "externalAccountBindingRequired": false, | |
| "domainBlocklist": [ | |
| "blocked-domain.example" | |
| ], | |
| "retryAfter": { | |
| "authz": 3, | |
| "order": 5 | |
| }, | |
| "profiles": { | |
| "default": { | |
| "description": "The profile you know and love", | |
| "validityPeriod": 7776000 | |
| }, | |
| "shortlived": { | |
| "description": "A short-lived cert profile, without actual enforcement", | |
| "validityPeriod": 518400 | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment