What is ACME? Automatic Certificate Management Environment
About
ACME 1) is a protocol that automates the issuance of domain-validated certificates by a certification authority (CA) to an applicant: the applicant proves control of each name, the CA issues, and the same flow renews without human action.
ACME is simple enough that it has been implemented in pure Bourne shell.
Challenge
ACME challenges 2) are how the CA verifies that you control a domain before issuing for it.
Three are in current use (excluding preauthorization); each requires you to publish a value derived from a CA-supplied token and your account key. The fourth, tls-sni-01, has been withdrawn.
Challenge | Description | Secure |
---|---|---|
http-01 3) | Token under /.well-known/acme-challenge, served over plain HTTP on 80/tcp (the CA follows redirects, including to HTTPS) | Yes |
dns-01 4) | Token-derived value to put in a TXT record at _acme-challenge.<domain>; the only challenge Let's Encrypt accepts for wildcard names | Yes, but the renewing host needs credentials to update the zone |
tls-sni-01 | Token-derived name embedded in the SAN of a self-signed certificate served to TLS clients that request it through TLS SNI | No, withdrawn because of shared hosting 5) |
tls-alpn-01 | Dedicated ALPN protocol (acme-tls/1) via TLS on port 443 (mostly used by proxies and only for individual hostnames) | Yes |
TLS-ALPN-01
TLS-ALPN-01 is standardized in RFC 8737 and replaces the withdrawn TLS-SNI-01 challenge.
It is used by reverse proxies and CDNs (e.g. Fly.io or Cloudflare) to issue certificates for their users' hostnames.
It is performed over TLS on port 443 with the dedicated ALPN protocol acme-tls/1: the responder answers only when the client offers that ALPN and a matching SNI, and it presents a self-signed certificate whose SAN is the hostname and which carries a critical acmeIdentifier extension holding the hash of the key authorization. It works only for individual hostnames, not wildcards.
- It is not supported by Certbot, Apache or Nginx 6)
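As an added example (not code from this page or from any ACME client), the following Python computes, from an account key and a token, the value a client must publish for each of the three current challenges in the table above, including the acmeIdentifier extension value of the TLS-ALPN-01 section, and the comparison the CA performs on what it fetches. The JWK, the token and the hostname are constructed for the example; the constants and encodings follow RFC 7638, RFC 8555 and RFC 8737.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Fixed by RFC 8737: ALPN protocol name and OID of the acmeIdentifier extension.
ACME_TLS_ALPN = "acme-tls/1"
ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.31"

# Sample RSA public JWK, constructed for this example (same shape as the
# RFC 7638 example key). Only public members are needed for a thumbprint.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFF"
         "xuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7"
         "_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQ"
         "vRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G"
         "_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",       # optional member: not part of the thumbprint
    "kid": "2011-04-29",  # optional member: not part of the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (sorted keys, no whitespace, optional members dropped)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key). Binding the
    token to the account key means an attacker who sees the token cannot
    complete the challenge with an account of their own."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """URL the CA fetches for http-01 and the exact body to serve there."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_value(token: str, jwk: dict) -> str:
    """TXT record content for dns-01: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Record name and value to publish for dns-01."""
    return f"_acme-challenge.{domain}", dns01_value(token, jwk)


def tls_alpn01_extension_value(token: str, jwk: dict) -> bytes:
    """extnValue of the acmeIdentifier extension for tls-alpn-01: the DER of an
    OCTET STRING (tag 0x04, length 0x20) holding SHA-256(key authorization).
    The client puts it, marked critical, into a self-signed certificate whose
    only SAN is the hostname, and serves that certificate only to TLS clients
    that offer ALPN acme-tls/1 together with the matching SNI."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b"\x04\x20" + digest


def ca_verify_http01(served_body: str, token: str, jwk: dict) -> bool:
    """CA side: the fetched body must equal the key authorization; RFC 8555
    allows trailing whitespace to be ignored. Constant-time compare."""
    expected = key_authorization(token, jwk).encode("ascii")
    return hmac.compare_digest(served_body.rstrip().encode("utf-8"), expected)


def ca_verify_dns01(txt_values: list[str], token: str, jwk: dict) -> bool:
    """CA side: several _acme-challenge TXT records may coexist (base name and
    wildcard validated together), so any one matching value suffices."""
    expected = dns01_value(token, jwk).encode("ascii")
    return any(hmac.compare_digest(v.encode("utf-8"), expected) for v in txt_values)


if __name__ == "__main__":
    print("http-01 ", http01_response("example.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01  ", dns01_response("example.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print("tls-alpn", tls_alpn01_extension_value(SAMPLE_TOKEN, SAMPLE_JWK).hex())
```

The TLS-ALPN-01 helper stops at the extension value on purpose: building the self-signed certificate and the listener that switches on the acme-tls/1 ALPN value belongs to a TLS library and is what makes the challenge safe on a shared proxy, since an ordinary user can serve files under /.well-known but cannot make the front end present a certificate with that extension. Note that the same key authorization feeds all three responses, so the token alone is worthless to anyone who does not hold the account key.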
Client
ACME / Let's Encrypt clients:
- Caddy Web Server
- acme-tiny - A tiny script to issue and renew TLS certs from Let's Encrypt
Test
To issue test certificates (signed by an untrusted test CA) instead of real ones, and to avoid hitting production rate limits while debugging, use Let's Encrypt's staging environment.