ACME Protocol - SSL Automation

The protocol behind certificate automation.

ACME (Automatic Certificate Management Environment) is the protocol that enables complete automation of the SSL certificate lifecycle. It's thanks to ACME that Let's Encrypt can deliver millions of certificates automatically.

Understanding ACME allows you to better debug renewal issues and choose the right client for your infrastructure.

This guide covers how ACME works and the different validation methods available.

How ACME Works

Key protocol concepts:

  • Automation: the entire process is automated via APIs, without human intervention.
  • Challenges: you prove domain ownership via HTTP-01, DNS-01, or TLS-ALPN-01.
  • ACME Client: software that communicates with the ACME server (Certbot, acme.sh, etc.).
  • ACME Account: a key pair identifying your client to the CA.

ACME Benefits

Why ACME revolutionized SSL:

  • Zero intervention: certificates are obtained and renewed automatically.
  • Free: Let's Encrypt offers free certificates thanks to automation.
  • Fast: a certificate can be issued in seconds.
  • Standard: standardized protocol (RFC 8555), supported by multiple CAs.

Validation Process

How ACME validates domain ownership:

  1. Request: the client requests a certificate for a domain.
  2. Challenge: the ACME server proposes one or more challenges.
  3. Response: the client responds to the challenge (HTTP file, DNS record, etc.).
  4. Issuance: after verification, the certificate is issued.

Challenge Types

The three ACME validation methods:

# HTTP-01: file on web server
# Client creates: /.well-known/acme-challenge/<TOKEN>
# Containing: <TOKEN>.<THUMBPRINT>

# DNS-01: TXT record in DNS
# Create: _acme-challenge.example.com TXT "<RESPONSE>"
# Ideal for wildcards

# TLS-ALPN-01: temporary certificate
# Presents a special certificate on port 443
# Requires direct access to port 443

HTTP-01 is the simplest, DNS-01 allows wildcards, and TLS-ALPN-01 avoids exposing port 80.

ACME Best Practices

Optimize your automation:

  • Choose the right challenge: HTTP-01 for standard websites, DNS-01 for wildcards.
  • Automate renewal: configure a cron to renew before expiration.
  • Test in staging: use Let's Encrypt's staging server for tests.
  • Monitor expirations: even when renewal is automated, monitor with MoniTao in case of failure.

ACME Checklist

  • ACME client installed (Certbot, acme.sh)
  • Challenge chosen and configured
  • Certificate successfully obtained
  • Renewal cron configured
  • Renewal test performed
  • Expiration monitoring active

Frequently Asked Questions

Which ACME client should I choose?

Certbot is most popular. acme.sh is lighter and more portable.

HTTP-01 or DNS-01?

HTTP-01 is simpler. DNS-01 is necessary for wildcards.

Why is my renewal failing?

Check that the challenge is accessible; renewal failures are often caused by a firewall or configuration issue.

Is Let's Encrypt the only one?

No, other CAs support ACME: ZeroSSL, Buypass, Google Trust Services.

Can I use ACME without Let's Encrypt?

Yes, the protocol is standardized and other CAs support it.

What is rate limiting?

Let's Encrypt limits certificates per domain per week to prevent abuse.

ACME: The Future of SSL

The ACME protocol democratized HTTPS by making certificates free and automatic. Master it for friction-free infrastructure.

Even with ACME automation, monitor your certificates with MoniTao to be alerted in case of renewal failure.

Ready to Sleep Soundly?

Start free, no credit card required.