fix missing image in README

.pre-commit-config.yaml

@@ -17,3 +17,8 @@ repos:
         language: system
         pass_filenames: false
         types: [go]
+
+  -   repo: https://github.com/gitleaks/gitleaks
+      rev: v8.30.1
+      hooks:
+        - id: gitleaks

README.md

@@ -4,7 +4,17 @@
 
 ## How It Works
 
-When a client successfully completes an ACME challenge, `acme-proxy` forwards the certificate signing request to an external certificate authority (CA) that supports External Account Binding (EAB). The external CA signs the certificate and returns it to the client through `acme-proxy`.
+`acme-proxy` runs as an ACME server inside your enterprise environment, acting as an intermediary between your internal infrastructure and an external certificate authority service (such as Sectigo). When a client successfully completes an ACME challenge, `acme-proxy` forwards the certificate signing request to an external certificate authority (CA) that supports External Account Binding (EAB). The external CA signs the certificate and returns it to the client through `acme-proxy`.
+
+**Certificate Request Flow:**
+
+1. Your internal server (behind a firewall perimeter) requests a certificate from `acme-proxy` using standard ACME clients like certbot, acme.sh or cert-manager.io if you're using Kubernetes.
+2. `acme-proxy` presents cryptographic challenges to verify domain ownership
+3. Once validation succeeds, `acme-proxy` forwards the certificate signing request to your external CA using External Account Binding (EAB)
+4. The external CA signs the certificate
+5. `acme-proxy` retrieves the certificate bundle and returns it to your server
+
+![sequence diagram](docs/assets/highlevel-flow.png)
 
 **Note:** LetsEncrypt does not support EAB. However, commercial CAs such as Sectigo and ZeroSSL do.
 
@@ -40,20 +50,6 @@ Using ACME with commercial CAs in enterprise environments provides several advan
 - Leverage standard ACME clients (Certbot, acme.sh, cert-manager.io) for certificate issuance, automatic renewals.
 - Enable self-service certificate requests for development teams
 
-## ACME Proxy Workflow
-
-`acme-proxy` runs as an ACME server inside your enterprise environment, acting as an intermediary between your internal infrastructure and an external certificate authority service (such as Sectigo).
-
-**Certificate Request Flow:**
-
-1. Your internal server (behind a firewall perimeter) requests a certificate from `acme-proxy` using standard ACME clients like certbot, acme.sh or cert-manager.io if you're using Kubernetes.
-2. `acme-proxy` presents cryptographic challenges to verify domain ownership
-3. Once validation succeeds, `acme-proxy` forwards the certificate signing request to your external CA using External Account Binding (EAB)
-4. The external CA signs the certificate
-5. `acme-proxy` retrieves the certificate bundle and returns it to your server
-
-![sequence diagram](docs/sequence.png)
-
 ## Quick Start
 
 ```sh
@@ -118,7 +114,6 @@ The most important parts of the config are -
       "account_email": "",
       "eab_kid": "",
       "eab_hmac_key": "",
-      "certlifetime": 30,
       "metrics": {
         "enabled": true,
         "port": 9234,

docs/content/troubleshoot.md

@@ -0,0 +1,5 @@
++++
+title = 'Troubleshoot'
+weight = 20
+BookToC = true
++++

docs/public/categories/index.html

@@ -136,6 +136,8 @@ <h2 class="book-brand">
 
 
 
+
+
         <li>
 
 
@@ -165,8 +167,6 @@ <h2 class="book-brand">
 
 
 
-
-
   </ul>
 
 

docs/public/client/index.html

@@ -22,12 +22,14 @@
 Table of Contents# Installing ACME Clients Account Registration Configuring Auto-Renewal via Systemd Log Management Installing ACME Clients# Certbot# Note: Certbot’s actively maintained distribution is via Snap. The .deb packages available in apt repositories are no longer maintained by the Certbot project and ship outdated versions.">
   <meta property="og:locale" content="en">
   <meta property="og:type" content="article">
+    <meta property="article:modified_time" content="2026-04-12T20:08:41-05:00">
 
 
   <meta itemprop="name" content="ACME Clients">
   <meta itemprop="description" content="ACME Clients# This guide covers installation and system-level configuration of ACME clients for use with acme-proxy. It is intended for system administrators deploying certificate automation on behalf of end users.
 For certificate issuance commands and per-scenario usage, see user.md.
 Table of Contents# Installing ACME Clients Account Registration Configuring Auto-Renewal via Systemd Log Management Installing ACME Clients# Certbot# Note: Certbot’s actively maintained distribution is via Snap. The .deb packages available in apt repositories are no longer maintained by the Certbot project and ship outdated versions.">
+  <meta itemprop="dateModified" content="2026-04-12T20:08:41-05:00">
   <meta itemprop="wordCount" content="843">
 
 <title>ACME Clients | ACME Proxy</title>
@@ -145,6 +147,8 @@ <h2 class="book-brand">
 
 
 
+
+
         <li>
 
 
@@ -174,8 +178,6 @@ <h2 class="book-brand">
 
 
 
-
-
   </ul>
 
 
@@ -478,6 +480,10 @@ <h2 id="log-management">Log Management<a class="anchor" href="#log-management">#
   <div class="flex flex-wrap justify-between">
 
 <div>
+<a class="flex align-center" href="https://github.com/esnet/acme-proxy/commit/bddb8b9e27907357bb040d99257d2cae683cb5bb" title='Last modified by Kapil Agrawal | April 12, 2026' target="_blank" rel="noopener">
+    <img src="/icons/calendar.svg" class="book-icon" alt="Calendar" />
+    <span>April 12, 2026</span>
+  </a>
 
 </div>
 

docs/public/firewall/index.html

@@ -16,9 +16,11 @@
   <meta property="og:title" content="Port Requirements">
   <meta property="og:locale" content="en">
   <meta property="og:type" content="article">
+    <meta property="article:modified_time" content="2026-04-12T20:08:41-05:00">
 
 
   <meta itemprop="name" content="Port Requirements">
+  <meta itemprop="dateModified" content="2026-04-12T20:08:41-05:00">
 
 <title>Port Requirements | ACME Proxy</title>
 <link rel="icon" href="/favicon.png" >
@@ -135,6 +137,8 @@ <h2 class="book-brand">
 
 
 
+
+
         <li>
 
 
@@ -164,8 +168,6 @@ <h2 class="book-brand">
 
 
 
-
-
   </ul>
 
 
@@ -224,6 +226,10 @@ <h3>Port Requirements</h3>
   <div class="flex flex-wrap justify-between">
 
 <div>
+<a class="flex align-center" href="https://github.com/esnet/acme-proxy/commit/bddb8b9e27907357bb040d99257d2cae683cb5bb" title='Last modified by Kapil Agrawal | April 12, 2026' target="_blank" rel="noopener">
+    <img src="/icons/calendar.svg" class="book-icon" alt="Calendar" />
+    <span>April 12, 2026</span>
+  </a>
 
 </div>
 

docs/public/index.html

@@ -29,6 +29,7 @@
   <meta itemprop="description" content="What is ACME Proxy?# acme-proxy is a standalone ACME server built on step-ca that operates in registration authority (RA) mode. It accepts certificate orders and validates certificate requests using the ACME protocol (RFC 8555), but does NOT sign certificates or store private keys.
 It runs as a standalone server inside your enterprise environment, acting as an intermediary between your internal infrastructure and an external certificate authority service (such as Sectigo).
 Certificate Request Flow:">
+  <meta itemprop="dateModified" content="2026-04-12T20:08:41-05:00">
   <meta itemprop="wordCount" content="141">
 
 <title>ACME Proxy | ACME Proxy</title>
@@ -147,6 +148,8 @@ <h2 class="book-brand">
 
 
 
+
+
         <li>
 
 
@@ -176,8 +179,6 @@ <h2 class="book-brand">
 
 
 
-
-
   </ul>
 
 
@@ -266,6 +267,10 @@ <h3>ACME Proxy</h3>
   <div class="flex flex-wrap justify-between">
 
 <div>
+<a class="flex align-center" href="https://github.com/esnet/acme-proxy/commit/bddb8b9e27907357bb040d99257d2cae683cb5bb" title='Last modified by Kapil Agrawal | April 12, 2026' target="_blank" rel="noopener">
+    <img src="/icons/calendar.svg" class="book-icon" alt="Calendar" />
+    <span>April 12, 2026</span>
+  </a>
 
 </div>
 

docs/public/index.xml

@@ -21,6 +21,13 @@
       <guid>http://localhost:1313/install/</guid>
       <description>&lt;h1 id=&#34;install&#34;&gt;Install&lt;a class=&#34;anchor&#34; href=&#34;#install&#34;&gt;#&lt;/a&gt;&lt;/h1&gt;&#xA;&lt;p&gt;Three methods are available. The install script is recommended for most deployments.&lt;/p&gt;&#xA;&lt;table&gt;&#xA;  &lt;thead&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;th&gt;Method&lt;/th&gt;&#xA;          &lt;th&gt;Best for&lt;/th&gt;&#xA;      &lt;/tr&gt;&#xA;  &lt;/thead&gt;&#xA;  &lt;tbody&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;a href=&#34;#install-script-recommended&#34;&gt;Install script&lt;/a&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Standard Linux servers, systemd environments&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;a href=&#34;#pre-built-binary&#34;&gt;Pre-built binary&lt;/a&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Environments where curl-pipe-to-shell is prohibited&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;a href=&#34;#build-from-source&#34;&gt;Build from source&lt;/a&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Development, or architectures not covered by releases&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;      &lt;tr&gt;&#xA;          &lt;td&gt;&lt;a href=&#34;#docker&#34;&gt;Docker&lt;/a&gt;&lt;/td&gt;&#xA;          &lt;td&gt;Container-based deployments&lt;/td&gt;&#xA;      &lt;/tr&gt;&#xA;  &lt;/tbody&gt;&#xA;&lt;/table&gt;&#xA;&lt;hr&gt;&#xA;&lt;h2 id=&#34;install-script-recommended&#34;&gt;Install Script (Recommended)&lt;a class=&#34;anchor&#34; href=&#34;#install-script-recommended&#34;&gt;#&lt;/a&gt;&lt;/h2&gt;&#xA;&lt;p&gt;The install script downloads the appropriate release binary, creates a dedicated service user, installs a &lt;code&gt;ca.json&lt;/code&gt; template, and registers a hardened &lt;code&gt;systemd&lt;/code&gt; service unit.&lt;/p&gt;</description>
     </item>
+    <item>
+      <title>Troubleshoot</title>
+      <link>http://localhost:1313/troubleshoot/</link>
+      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
+      <guid>http://localhost:1313/troubleshoot/</guid>
+      <description></description>
+    </item>
     <item>
       <title>User Guide</title>
       <link>http://localhost:1313/user/</link>
@@ -35,13 +42,6 @@
       <guid>http://localhost:1313/client/</guid>
       <description>&lt;h1 id=&#34;acme-clients&#34;&gt;ACME Clients&lt;a class=&#34;anchor&#34; href=&#34;#acme-clients&#34;&gt;#&lt;/a&gt;&lt;/h1&gt;&#xA;&lt;p&gt;This guide covers installation and system-level configuration of ACME clients for use with acme-proxy. It is intended for system administrators deploying certificate automation on behalf of end users.&lt;/p&gt;&#xA;&lt;p&gt;For certificate issuance commands and per-scenario usage, see &lt;a href=&#34;http://localhost:1313/user/&#34;&gt;user.md&lt;/a&gt;.&lt;/p&gt;&#xA;&lt;hr&gt;&#xA;&lt;h2 id=&#34;table-of-contents&#34;&gt;Table of Contents&lt;a class=&#34;anchor&#34; href=&#34;#table-of-contents&#34;&gt;#&lt;/a&gt;&lt;/h2&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;&lt;a href=&#34;#installing-acme-clients&#34;&gt;Installing ACME Clients&lt;/a&gt;&lt;/li&gt;&#xA;&lt;li&gt;&lt;a href=&#34;#account-registration&#34;&gt;Account Registration&lt;/a&gt;&lt;/li&gt;&#xA;&lt;li&gt;&lt;a href=&#34;#configuring-auto-renewal-via-systemd&#34;&gt;Configuring Auto-Renewal via Systemd&lt;/a&gt;&lt;/li&gt;&#xA;&lt;li&gt;&lt;a href=&#34;#log-management&#34;&gt;Log Management&lt;/a&gt;&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;hr&gt;&#xA;&lt;h2 id=&#34;installing-acme-clients&#34;&gt;Installing ACME Clients&lt;a class=&#34;anchor&#34; href=&#34;#installing-acme-clients&#34;&gt;#&lt;/a&gt;&lt;/h2&gt;&#xA;&lt;h3 id=&#34;certbot&#34;&gt;Certbot&lt;a class=&#34;anchor&#34; href=&#34;#certbot&#34;&gt;#&lt;/a&gt;&lt;/h3&gt;&#xA;&lt;blockquote class=&#39;book-hint &#39;&gt;&#xA;&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Certbot&amp;rsquo;s actively maintained distribution is via Snap. The &lt;code&gt;.deb&lt;/code&gt; packages available in apt repositories are no longer maintained by the Certbot project and ship outdated versions.&lt;/p&gt;</description>
     </item>
-    <item>
-      <title>Examples</title>
-      <link>http://localhost:1313/examples/</link>
-      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
-      <guid>http://localhost:1313/examples/</guid>
-      <description></description>
-    </item>
     <item>
       <title>Port Requirements</title>
       <link>http://localhost:1313/firewall/</link>

docs/public/install/index.html

@@ -20,11 +20,13 @@
 Method Best for Install script Standard Linux servers, systemd environments Pre-built binary Environments where curl-pipe-to-shell is prohibited Build from source Development, or architectures not covered by releases Docker Container-based deployments Install Script (Recommended)# The install script downloads the appropriate release binary, creates a dedicated service user, installs a ca.json template, and registers a hardened systemd service unit.">
   <meta property="og:locale" content="en">
   <meta property="og:type" content="article">
+    <meta property="article:modified_time" content="2026-04-12T20:08:41-05:00">
 
 
   <meta itemprop="name" content="Install">
   <meta itemprop="description" content="Install# Three methods are available. The install script is recommended for most deployments.
 Method Best for Install script Standard Linux servers, systemd environments Pre-built binary Environments where curl-pipe-to-shell is prohibited Build from source Development, or architectures not covered by releases Docker Container-based deployments Install Script (Recommended)# The install script downloads the appropriate release binary, creates a dedicated service user, installs a ca.json template, and registers a hardened systemd service unit.">
+  <meta itemprop="dateModified" content="2026-04-12T20:08:41-05:00">
   <meta itemprop="wordCount" content="828">
 
 <title>Install | ACME Proxy</title>
@@ -142,6 +144,8 @@ <h2 class="book-brand">
 
 
 
+
+
         <li>
 
 
@@ -171,8 +175,6 @@ <h2 class="book-brand">
 
 
 
-
-
   </ul>
 
 
@@ -592,6 +594,10 @@ <h2 id="verify">Verify<a class="anchor" href="#verify">#</a></h2>
   <div class="flex flex-wrap justify-between">
 
 <div>
+<a class="flex align-center" href="https://github.com/esnet/acme-proxy/commit/bddb8b9e27907357bb040d99257d2cae683cb5bb" title='Last modified by Kapil Agrawal | April 12, 2026' target="_blank" rel="noopener">
+    <img src="/icons/calendar.svg" class="book-icon" alt="Calendar" />
+    <span>April 12, 2026</span>
+  </a>
 
 </div>
 

docs/public/quickstart/index.html

@@ -24,13 +24,15 @@
 Installs the step-ca binary to /opt/acme-proxy/ Writes a ca.json config template to /opt/acme-proxy/ca.json Creates a dedicated acme-proxy service user Registers and enables an acme-proxy.service systemd unit The service is enabled but not started — configure ca.json first.">
   <meta property="og:locale" content="en">
   <meta property="og:type" content="article">
+    <meta property="article:modified_time" content="2026-04-12T20:08:41-05:00">
 
 
   <meta itemprop="name" content="Quickstart">
   <meta itemprop="description" content="Quickstart# This is the fastest path to a running acme-proxy. It uses a one-line installer script that sets up the service with sane defaults, requires only five config fields, and is ready to issue certificates in under five minutes.
 For production deployments with custom install paths, build-from-source, or Docker, see install.md.
 Step 1 — Install# curl -fsSL https://raw.githubusercontent.com/esnet/acme-proxy/main/install.sh | sudo shThe script:
 Installs the step-ca binary to /opt/acme-proxy/ Writes a ca.json config template to /opt/acme-proxy/ca.json Creates a dedicated acme-proxy service user Registers and enables an acme-proxy.service systemd unit The service is enabled but not started — configure ca.json first.">
+  <meta itemprop="dateModified" content="2026-04-12T20:08:41-05:00">
   <meta itemprop="wordCount" content="568">
 
 <title>Quickstart | ACME Proxy</title>
@@ -148,6 +150,8 @@ <h2 class="book-brand">
 
 
 
+
+
         <li>
 
 
@@ -177,8 +181,6 @@ <h2 class="book-brand">
 
 
 
-
-
   </ul>
 
 
@@ -396,6 +398,10 @@ <h2 id="next-steps">Next Steps<a class="anchor" href="#next-steps">#</a></h2>
   <div class="flex flex-wrap justify-between">
 
 <div>
+<a class="flex align-center" href="https://github.com/esnet/acme-proxy/commit/bddb8b9e27907357bb040d99257d2cae683cb5bb" title='Last modified by Kapil Agrawal | April 12, 2026' target="_blank" rel="noopener">
+    <img src="/icons/calendar.svg" class="book-icon" alt="Calendar" />
+    <span>April 12, 2026</span>
+  </a>
 
 </div>
 

docs/public/sitemap.xml

@@ -3,18 +3,24 @@
   xmlns:xhtml="http://www.w3.org/1999/xhtml">
   <url>
     <loc>http://localhost:1313/quickstart/</loc>
+    <lastmod>2026-04-12T20:08:41-05:00</lastmod>
   </url><url>
     <loc>http://localhost:1313/install/</loc>
+    <lastmod>2026-04-12T20:08:41-05:00</lastmod>
+  </url><url>
+    <loc>http://localhost:1313/troubleshoot/</loc>
   </url><url>
     <loc>http://localhost:1313/user/</loc>
+    <lastmod>2026-04-12T20:08:41-05:00</lastmod>
   </url><url>
     <loc>http://localhost:1313/client/</loc>
-  </url><url>
-    <loc>http://localhost:1313/examples/</loc>
+    <lastmod>2026-04-12T20:08:41-05:00</lastmod>
   </url><url>
     <loc>http://localhost:1313/firewall/</loc>
+    <lastmod>2026-04-12T20:08:41-05:00</lastmod>
   </url><url>
     <loc>http://localhost:1313/</loc>
+    <lastmod>2026-04-12T20:08:41-05:00</lastmod>
   </url><url>
     <loc>http://localhost:1313/categories/</loc>
   </url><url>

docs/public/sw.js

@@ -3,9 +3,9 @@ const pages = [
 
   "/quickstart/",
   "/install/",
+  "/troubleshoot/",
   "/user/",
   "/client/",
-  "/examples/",
   "/firewall/",
   "/",
   "/categories/",

docs/public/tags/index.html

@@ -136,6 +136,8 @@ <h2 class="book-brand">
 
 
 
+
+
         <li>
 
 
@@ -165,8 +167,6 @@ <h2 class="book-brand">
 
 
 
-
-
   </ul>