crypto:trust:acme

About

ACME ¹⁾ is a protocol that automates the issuance of domain validated certificate by a certification authority (CA) to an applicant.

ACME is simple (It has almost been implemented in pure Bourne shell).

Flow

* The first step of the ACME protocol is for the client to register with the ACME server. This phase includes generating an asymmetric key pair which is then associated with the email address specified. The email is commonly used to send expiry notices when the certificates are coming up for renewal.

Challenge

ACME challenges ²⁾ are intended to verify your ownership of a domain.

There are mainly three (excluding preauthorization) where you need to set a token.

Challenge	Description	Secure
tls-http-01 ³⁾	Token under /.well-known/acme-challenge and serve it on 80/tcp
tls-dns-01	Token to put in a TXT record in the DNS zone
tns-sni-01	Token to embed in the SAN of a certificate you serve to TLS clients who request it through TLS SNI	No, due to shared hosting ⁴⁾
tls-alpn-01	Custom ALPN protocol via TLS on port 443 (mostly used by proxy and only for individual hostnames)	Yes

TLS-ALPN-01

TLS-ALPN-01 is a custom standard Rfc 8737 that replaces the TLS-SNI challenge.

It's used by proxy to issue certificate for their users (ie CDN such as Fly.io or Cloudflare)

It's performed via TLS on port 443 and a custom ALPN protocol, only for individual hostnames.

It's supportted by:
- Traefik
- Caddy.
It's not supported by Certbot, Apache, Nginx ⁵⁾

TLS-DNS-01 (or DNS01)

With a DNS01 challenge, you prove ownership of a domain by proving you control its DNS records. This is done by creating a TXT record with specific content that proves you have control of the domains DNS records.

⁶⁾ ⁷⁾

TLS-HTTP-01 (or HTTPS01)

With a HTTP01 challenge, you prove ownership of a domain by proving that you control the HTTP server at this domain.

This is done by creating a file with a specific content at a specific path.

http://domain.example.com/.well-known/acme-challenge/token

Example: If the request to this given path, returns 200 with the requested content

http://domain.example.com/.well-known/acme-challenge/I7z8Aot9si-2IUaf4W_Vhu98B3oYSg3-n8wYDq6J7s4

Client

ACME / Let's encrypt client:

Caddy Web Server
Certbot
Lego cli
Acme4J
acme-tiny - A tiny script to issue and renew TLS certs from Let's Encrypt
ACME.sh
Kubernetes Cert Manager
Traefik Proxy

Test

To issue fake test certificates instead of real ones from Let's Encrypt's, see the staging environment

¹⁾

RFC855 - ACME Specification

²⁾

Challenge

³⁾

http-01 (port 80)

⁴⁾

the-story-of-tls-sni-01 How I exploited ACME TLS-SNI-01 issuing Let's Encrypt SSL-certs for any domain using shared hosting

⁵⁾

https://letsencrypt.org/docs/challenge-types/#tls-alpn-01

⁶⁾

https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

⁷⁾

Dns-01

Table of Contents

What is ACME? Automatic Certificate Management Environment

About

Flow

Challenge

TLS-ALPN-01

TLS-DNS-01 (or DNS01)

TLS-HTTP-01 (or HTTPS01)

Client

Test