Short answer
ACME (Automatic Certificate Management Environment, RFC 8555) is the protocol Let's Encrypt and other CAs use to issue certificates with no human in the loop. An ACME client proves you control a domain — via an HTTP-01 or DNS-01 challenge — and then has a certificate issued automatically. The same client renews it again before expiry. With 90-day lifetimes, automation is no longer a luxury but a prerequisite for operations.
Why automation is now mandatory
Public certificate lifetimes have dropped from years to 90 days, and the CA/Browser Forum has agreed a path towards 47 days. A certificate that must be renewed every 90 (or 47) days, across all of your endpoints, cannot be handled in a spreadsheet. Automating with ACME means renewal happens by itself, long before the certificate expires — and a human slip can no longer take down production.
The two challenge types
| Challenge | How control is proven | Wildcard? |
|---|---|---|
| HTTP-01 | The CA fetches a token at `http://<domain>/.well-known/acme-challenge/<token>` | No |
| DNS-01 | You create a `_acme-challenge` TXT record with a validation value | Yes |
HTTP-01 is simplest when the server is publicly reachable on port 80. DNS-01 is the only one that can issue wildcard certificates, and it also works for internal servers with no public HTTP.
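As an added illustration (not code from the original page), the two challenge responses computed from a token and the account key the way RFC 8555 defines them: HTTP-01 serves the key authorization at the well-known path, DNS-01 publishes the SHA-256 digest of that same key authorization in the TXT record. The JWK and token below are sample values, not a key or token from any real account.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over only the required
    members, in lexicographic order, with no whitespace. Extra members such as
    'alg' or 'kid' are ignored, so the thumbprint is stable across clients."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. Binding the token to the
    account key is what stops another ACME account from answering our challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple:
    """HTTP-01: the CA fetches this path over plain HTTP on port 80 and expects
    the key authorization as the body (Content-Type application/octet-stream)."""
    return (f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk))


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """DNS-01: the TXT value at _acme-challenge.<domain> is
    base64url(SHA-256(keyAuthorization)), not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# Sample values only (a P-256 public JWK in the shape a client registers as its
# account key, plus a sample token); not a key or token to use anywhere.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256", "alg": "ES256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```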
certbot — the Linux standard
certbot is the most widely used client. For nginx with automatic configuration:
```bash
# Issue and configure nginx in one operation (HTTP-01)
sudo certbot --nginx -d example.com -d www.example.com

# Only issue the certificate, do not touch the configuration (webroot)
sudo certbot certonly --webroot -w /var/www/html \
  -d example.com -d www.example.com

# Wildcard requires DNS-01
sudo certbot certonly --manual --preferred-challenges dns \
  -d "*.example.com" -d example.com
```
certbot installs a systemd timer that runs certbot renew daily. Renewal happens automatically once fewer than 30 days remain. Test that renewal works without actually renewing:
```bash
sudo certbot renew --dry-run
```
win-acme — Windows and IIS
On Windows, win-acme (wacs) is the standard choice. It binds the certificate directly in IIS and creates a Scheduled Task for renewal:
```powershell
# Interactive wizard
wacs.exe

# Unattended: all IIS bindings, automatic renewal
# (kept on one line: neither cmd.exe nor PowerShell treats a trailing backslash as a line continuation)
wacs.exe --target iis --siteid 1 --installation iis --store certificatestore
```
win-acme manages the Windows certificate store itself and restarts/reloads IIS so the renewed certificate is picked up.
lego — one binary, many DNS providers
lego is a single dependency-free Go binary, strong on DNS-01 with over 100 built-in DNS providers. Well suited to CI/CD and scripts:
```bash
# DNS-01 via Cloudflare, including wildcard
CF_DNS_API_TOKEN="..." lego \
  --email ops@example.com \
  --dns cloudflare \
  --domains "*.example.com" --domains example.com \
  run

# Renew (only if fewer than 30 days remain)
lego ... renew --days 30
```
cert-manager — automation in Kubernetes
In Kubernetes you hand the entire lifecycle to cert-manager. You define a ClusterIssuer and a Certificate; the controller issues the certificate, stores it in a Secret and renews it automatically:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls
  namespace: web
spec:
  secretName: example-tls
  dnsNames:
  - example.com
  - www.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
```
We have a dedicated walkthrough of cert-manager and its resource types.
Test against staging — and watch the rate limits
Let's Encrypt enforces rate limits (including a cap on certificates per domain per week). An automation that fails in a loop can hit the cap quickly and lock you out for hours. Always test against the staging environment first — it issues untrusted certificates without counting against your rate limits. With certbot use --staging; with cert-manager point the ClusterIssuer at acme-staging-v02. Switch to production only once the flow works. An ACME client also retries renewal automatically on transient failures — but only while it is still running and can reach the challenge endpoint.
What automation does not solve
Even perfect automation can fail silently: a webroot that is no longer reachable, a DNS provider whose API token has changed, a service that was not reloaded after renewal, or a certificate that is issued but served without the full chain. In all of these cases the automation believes it succeeded while users see an error. See also the guides to the common TLS setup on nginx and Apache, to where decryption happens (offloading, passthrough and bridging), and to platform-specific setups on Azure and F5 BIG-IP.
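As an added example (not part of the original page and not CertControl's code), the checks an outside monitor runs over a certificate chain as actually served, covering the silent failures listed above: a certificate inside the renewal window that was never renewed, a hostname the renewed certificate no longer covers, and a missing or wrongly linked intermediate. It works on the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates and the fixed clock are constructed.

```python
import ssl
import time
from typing import Optional

RENEW_WINDOW_DAYS = 30  # certbot and lego renew once fewer than 30 days remain

def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - (time.time() if now is None else now)) / 86400

def name_to_dict(name) -> dict:
    """Flatten getpeercert()'s nested subject/issuer RDN tuples into {attr: value}."""
    return {attr: value for rdn in name for attr, value in rdn}

def san_matches(pattern: str, hostname: str) -> bool:
    """DNS SAN match; a leading '*' covers exactly one label."""
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]).lower() == pattern[2:].lower()
    return pattern.lower() == hostname.lower()

def check_served_chain(hostname: str, chain: list, now: Optional[float] = None) -> list:
    """Findings for a chain as served (leaf first). An empty list means: not inside
    the renewal window, hostname covered, intermediate present and correctly linked."""
    findings = []
    leaf = chain[0]
    days = days_until_expiry(leaf, now)
    if days < 0:
        findings.append("expired")
    elif days < RENEW_WINDOW_DAYS:  # the client should already have renewed by now
        findings.append(f"renewal overdue: {days:.0f} days left")
    sans = [v for kind, v in leaf.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(s, hostname) for s in sans):
        findings.append("hostname not covered by SAN")
    if len(chain) < 2:  # browsers may still work via AIA fetching, many clients will not
        findings.append("intermediate missing: only the leaf is served")
    for i in range(len(chain) - 1):
        if name_to_dict(chain[i]["issuer"]) != name_to_dict(chain[i + 1]["subject"]):
            findings.append(f"chain broken between certificate {i} and {i + 1}")
    return findings

# Constructed sample data in getpeercert() shape; not real certificates.
INTERMEDIATE_NAME = ((("organizationName", "Example CA"),), (("commonName", "Example Intermediate"),))
LEAF = {"subject": ((("commonName", "example.com"),),), "issuer": INTERMEDIATE_NAME,
        "notAfter": "May 20 00:00:00 2025 GMT",
        "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}
INTERMEDIATE = {"subject": INTERMEDIATE_NAME, "issuer": ((("commonName", "Example Root"),),),
                "notAfter": "Jan 1 00:00:00 2030 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("May 1 00:00:00 2025 GMT")  # fixed clock for the sample
```

In practice the leaf dict comes from `getpeercert()` on a live connection and the full chain from a capture such as `openssl s_client -showcerts`; the checks themselves are the same.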
CertControl: the safety net under your automation
ACME automates issuance — but someone still has to notice when the automation fails silently. CertControl scans your endpoints from the outside, confirms that the renewed certificate is actually served, that the full chain is present, that protocols and cipher suites are strong — and warns you in good time if a certificate approaches expiry without having been renewed. That catches exactly the cases where automation believed it had succeeded.
Frequently asked questions
What is ACME?
ACME (RFC 8555) is a standardised protocol for issuing and renewing TLS certificates automatically. An ACME client proves domain control via an HTTP-01 or DNS-01 challenge, and the CA then issues the certificate with no manual involvement.
What is the difference between HTTP-01 and DNS-01?
HTTP-01 proves control by having the CA fetch a token over HTTP on your domain — simple, but it cannot issue wildcards. DNS-01 proves control via a TXT record and is the only one that can issue wildcard certificates and work for internal servers.
Which ACME client should I choose?
certbot for Linux/nginx/Apache, win-acme for Windows/IIS, lego for CI/CD and DNS-01 with many providers, and cert-manager for Kubernetes. They all speak the same ACME protocol to the same CAs.
Can I issue wildcard certificates with ACME?
Yes, but only via the DNS-01 challenge. HTTP-01 cannot issue wildcards because it can only validate one specific hostname at a time.
Do ACME clients renew automatically?
Yes. certbot and win-acme install a timer and a Scheduled Task respectively, lego is typically run from cron/CI, and cert-manager renews as part of its reconcile loop. Renewal usually happens once about a third of the lifetime remains.
What happens if renewal fails?
The client retries on its next run, but if the cause is persistent (a changed DNS token, a closed port 80, a moved webroot) the certificate eventually expires. That is why automation should always be paired with independent monitoring of what is actually served.