ACME and Let's Encrypt: Automatic Certificates

Updated: 2026-05-31

ACME (Automatic Certificate Management Environment, RFC 8555) is the protocol by which a client proves to a CA that it controls a domain name and obtains a certificate for it with no manual steps: every request is signed with an account key, and the proof of control is a challenge the CA can check on its own. Let's Encrypt popularized it; many CAs now support it.

How a certificate is issued

  1. Your ACME client (certbot, acme.sh, Caddy, etc.) generates an account key and registers an account with the CA; every later request is signed with that key.
  2. It submits an order for the domain names it wants, and the CA returns an authorization with one or more challenges (HTTP-01, DNS-01) for each name.
  3. It proves control by completing a challenge for each name and asking the CA to check it.
  4. The CA validates; the client finalizes the order with a CSR for a separate certificate key; the CA issues; the client installs the certificate and schedules renewal.

HTTP-01 vs DNS-01

  Challenge   How you prove control                                            Best for
  HTTP-01     Serve the key authorization (token.accountThumbprint) at          Single web servers
              http://<domain>/.well-known/acme-challenge/… on port 80
  DNS-01      Publish a TXT record at _acme-challenge.<domain> containing       Wildcards, servers not exposed on port 80
              base64url(SHA-256(key authorization))

DNS-01 is the only challenge that validates a wildcard name (*.example.com), and it works even when the host is not reachable from the internet on port 80. The cost is that the client needs credentials that can write to your DNS zone, and those credentials can obtain certificates for every name in the zone; scope them narrowly (for example, delegate _acme-challenge to a separate zone via CNAME, or use an API token limited to TXT records) and store them as carefully as the account key.
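The challenge step of the issuance flow above, worked through in code: given the account key and a CA-issued token, derive the HTTP-01 response body and the DNS-01 record name and value exactly as RFC 8555 sections 8.1, 8.3 and 8.4 define them. This is an added example, not code from the page or from any ACME client; the account JWK and the token are constructed for illustration, and a real client takes the token from the CA's challenge object and the JWK from its own account key. The token check at the start matters in practice: RFC 8555 restricts tokens to the base64url alphabet, and an HTTP-01 responder that writes the token straight into a path under .well-known/acme-challenge/ should verify that before touching the filesystem.

```python
"""
Constructing ACME challenge responses (RFC 8555 sections 8.1, 8.3, 8.4).

Added example, not code from the page or from any ACME client. The
account JWK and the token below are constructed for illustration; a real
client gets the token from the CA's challenge object and the JWK from
its own account key.
"""
import base64
import hashlib
import json
import re

# Constructed P-256 public JWK (illustrative values, not a real account key).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "example-account-1",  # extra members are ignored by the thumbprint
}

# Constructed token; real ones come from the CA's challenge object.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Only the base64url alphabet is allowed (RFC 8555 8.3), so a valid token
# can be used safely as a file name under .well-known/acme-challenge/.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON for RFC 7638: required public members only,
    lexicographically sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)); identifies the account key."""
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest())


def validate_token(token: str) -> bool:
    """Reject tokens that could escape the challenge directory or break an
    HTTP path before doing anything with them."""
    return TOKEN_RE.match(token) is not None


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01: body the CA expects at
    http://<domain>/.well-known/acme-challenge/<token> on port 80."""
    if not validate_token(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_name(identifier: str) -> str:
    """DNS-01: name of the TXT record. A wildcard identifier drops its
    leading '*.' (RFC 8555 7.1.3), so *.example.com and example.com are
    validated at the same _acme-challenge name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: TXT value is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


if __name__ == "__main__":
    print("HTTP-01 serve at /.well-known/acme-challenge/" + TOKEN)
    print("HTTP-01 body     :", key_authorization(TOKEN, ACCOUNT_JWK))
    print("DNS-01 record    :", dns01_record_name("*.example.com"), "TXT")
    print("DNS-01 value     :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Note that the DNS-01 value is a hash of the key authorization rather than the key authorization itself, so publishing it does not disclose the account thumbprint, and that any extra members in the JWK (kid, alg, use) are deliberately left out of the thumbprint input.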

Where paid certificates still fit

Let's Encrypt, and ACME as most CAs deploy it, issues Domain Validated (DV) certificates: the CA has verified control of the name, not the identity of the organization behind it. The TLS protection is the same for DV, OV and EV; what differs is what the CA checked and what the certificate asserts. If you need Organization Validation (OV) or Extended Validation (EV), for example to meet a contractual or compliance requirement in finance or e-commerce that the certificate name the legal entity, a commercial certificate is the right tool. See affordable SSL certificates by Slogical.

Whichever type you use, automate renewal, and verify the installed certificate and chain with our SSL/TLS checker. Background: checking certificate expiry.

Note: Renew when about one third of the lifetime remains, not at expiry, so a failed renewal leaves time to notice and fix it. Let's Encrypt certificates last 90 days, so renew at day 60; certbot's default does this by renewing any certificate with fewer than 30 days left.
