Walkthrough

ACME setup

Ignisfox issues free SSL certs from Let's Encrypt and ZeroSSL via the ACME protocol. Issuance uses the DNS-01 challenge, so you don't need inbound HTTP access to the domain. That makes it work for internal hosts, wildcards, and anything behind Cloudflare or a WAF.

First issuance (manual DNS)

  1. Go to /dashboard/acme and fill in the primary domain plus any SANs.
  2. Click Start order. We register an account with the chosen ACME provider (once per tenant, reused on every future order), generate the private key for the CSR, and return the DNS TXT record you need to publish.
  3. Publish the _acme-challenge.yourdomain.com TXT record at your DNS provider. Wait 60 seconds for propagation (longer if your TTL is high).
  4. Click Verify & finalize. The ACME server checks the record, we finalize the order, and the issued cert lands in your vault.

Unattended renewal (DNS auto-renew)

Manual renewal every 90 days is a grind. Add a Cloudflare API token once and Ignisfox renews your certs without you touching DNS.

  1. Create a Cloudflare API token at Cloudflare → API Tokens. Use the Edit zone DNS template, scoped to the specific zone(s) you want renewed.
  2. At /dashboard/settings/dns, paste the token, give it a name, optionally set a zone filter (e.g. example.com).
  3. On any issued ACME order, toggle Auto-renew nudge on. That tells the hourly ticker to attempt full auto-renewal when the cert is within 30 days of expiry.

When the ticker decides to renew: we start a new order, publish the challenge TXT via Cloudflare, wait 12 seconds for propagation, validate, finalize, store the new cert, and delete the TXT record. You get an email summary either way.

If auto-renew fails

We fall back to the nudge email: 30 days before expiry you get a note with a link to the manual renewal flow. The same 7-day cooldown applies so you don't get spammed.

Which provider should I pick?

  • Let's Encrypt — the default. 90-day certs, 5 duplicate certs per week per account, no registration email required.
  • ZeroSSL — same RFC 8555 protocol, 90-day certs, higher rate limits, requires an EAB key for account creation. Use when you hit LE rate limits.

Known limits

  • DNS provider: Cloudflare only for auto-renew v1. Route 53 / GoDaddy DNS are on the roadmap. Other providers still work — just use manual DNS.
  • Wildcard + SAN bundling: you can mix wildcards and specific subdomains in one order; all challenges must pass.
  • IP-address certs: ACME doesn't support them. Use a paid CA that does if you need one.