
What is ACME? Automatic Certificate Management Environment

About

ACME is a protocol that automates the issuance of domain-validated certificates by a certification authority (CA) to an applicant (RFC 8555).

ACME is simple: clients have been written almost entirely in pure Bourne shell.

Challenge

ACME challenges are intended to prove that you control a domain (not that you legally own it): the CA hands you a random token and checks that a value derived from it appears at a place only the domain's controller can write.

Three are in current use (excluding pre-authorization), each requiring you to publish a value derived from the token; the withdrawn tls-sni-01 is listed for completeness.

Challenge     Description                                                                                   Secure
http-01       Key authorization served as a file at http://<domain>/.well-known/acme-challenge/<token> on 80/tcp   Yes
dns-01        Digest of the key authorization placed in a TXT record at _acme-challenge.<domain>              Yes
tls-sni-01    Token embedded in the SAN of a certificate served to TLS clients selecting it via TLS SNI      No, broken by shared hosting (withdrawn)
tls-alpn-01   Custom ALPN protocol (acme-tls/1) via TLS on port 443; mostly used by proxies, individual hostnames only   Yes

TLS-ALPN-01

TLS-ALPN-01 is standardized in RFC 8737 and replaces the withdrawn TLS-SNI-01 challenge.

It is used by reverse proxies and CDNs (e.g. Fly.io or Cloudflare) to obtain certificates for the hostnames they front on behalf of their users, because it needs no HTTP handler and no DNS change, only control of the TLS listener.

The validation is a TLS handshake on port 443 with the ALPN protocol acme-tls/1 and SNI set to the hostname being validated; the server answers with a self-signed certificate for that name carrying the critical acmeIdentifier extension (the SHA-256 digest of the key authorization). It validates individual hostnames only, so it cannot be used for wildcard certificates (Let's Encrypt issues those only via dns-01).
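The three challenge responses in the table above and the TLS-ALPN-01 extension described here all derive from one value, the key authorization (token || "." || JWK thumbprint of the account key). The following is an added example, not code from the original page or from any ACME client it mentions, that derives all of them with the Python standard library following RFC 8555 §8, RFC 7638 and RFC 8737. The EC JWK and the token are constructed placeholders, not a real key or a token issued by a CA; the function names are this example's own.

```python
# Added example: derive ACME challenge responses (http-01, dns-01, tls-alpn-01)
# from an account key and a challenge token. RFC 8555 §8, RFC 7638, RFC 8737.
import base64
import hashlib
import json
import re

# RFC 8555 §8.3: a token is base64url with no padding. Check this before using
# the token as a filename, so a buggy or hostile CA cannot make the http-01
# responder write outside /.well-known/acme-challenge/ (e.g. "../../etc/x").
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# RFC 7638 §3.2: the thumbprint covers only the required public members per key type.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}

ACME_TLS_ALPN = "acme-tls/1"                  # RFC 8737 §3: ALPN protocol name
ID_PE_ACME_IDENTIFIER = "1.3.6.1.5.5.7.1.31"  # RFC 8737 §6.1: extension OID, must be critical

# Constructed placeholders (not a real key, not a CA-issued token).
EXAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "uL6Yy9RZpJH4F2GkTg8c1Nq0Lq3s9vS6wWlkQmzXyAA",
    "y": "Nr3p1X0cQmZKo5EwTq9R7hYzV2dB8aC4eF6gH1jK2LM",
}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_token(token: str) -> str:
    if not TOKEN_RE.match(token):
        raise ValueError("token is not unpadded base64url: refusing to use it")
    return token


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: keep required members only, sort them lexicographically, serialize
    with no whitespace, hash with SHA-256 and base64url-encode the digest."""
    try:
        members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    except KeyError as exc:
        raise ValueError(f"incomplete or unsupported JWK: {exc}") from exc
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{validate_token(token)}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple:
    """(URL path, body) the plain-HTTP server on port 80 must serve (RFC 8555 §8.3)."""
    keyauth = key_authorization(token, account_jwk)
    return f"/.well-known/acme-challenge/{token}", keyauth


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(TXT owner name, value): value = base64url(SHA-256(keyAuthorization)) (RFC 8555 §8.4)."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def tls_alpn01_extension(token: str, account_jwk: dict) -> bytes:
    """DER extnValue of the acmeIdentifier extension (RFC 8737 §3): an OCTET STRING
    holding SHA-256(keyAuthorization). The self-signed certificate that carries it
    (critical) must have the validated hostname as its SAN dNSName and is served
    only when the client negotiates ALPN acme-tls/1 with that SNI."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b"\x04\x20" + digest  # tag 0x04 = OCTET STRING, length 0x20 = 32 bytes


def demo(domain: str = "example.org") -> dict:
    """All three responses for the constructed key and token, in one place."""
    path, body = http01_response(EXAMPLE_TOKEN, EXAMPLE_ACCOUNT_JWK)
    name, value = dns01_record(domain, EXAMPLE_TOKEN, EXAMPLE_ACCOUNT_JWK)
    return {
        "http-01": {"path": path, "body": body},
        "dns-01": {"name": name, "type": "TXT", "value": value},
        "tls-alpn-01": {
            "alpn": ACME_TLS_ALPN,
            "extension_oid": ID_PE_ACME_IDENTIFIER,
            "extnValue_hex": tls_alpn01_extension(EXAMPLE_TOKEN, EXAMPLE_ACCOUNT_JWK).hex(),
        },
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things in the code are worth copying into a real responder: the token is validated against the base64url alphabet before it ever becomes part of a path, and the thumbprint ignores optional JWK members such as alg or kid, so rotating a key identifier does not change the key authorization the CA expects.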

Client

ACME / Let's Encrypt clients:

Test

To issue fake test certificates (signed by an untrusted test CA) instead of real ones from Let's Encrypt, use the staging environment.