
ACME / Let's Encrypt

SSL-CLM integrates with ACME-compatible CAs including Let’s Encrypt, Google Trust Services, and ZeroSSL for automated certificate issuance.


SSL-CLM Platform (ACME Client)
│ (ACME Protocol over HTTPS)
ACME CA (Let's Encrypt / Google Trust Services / ZeroSSL)
│ (Domain Validation Challenge)
Your Domain (HTTP-01 / DNS-01 / TLS-ALPN-01)

Navigate to:

Configuration → Connector Configs → New Connector

Configure:

  • Vendor: ACME
  • ACME Directory URL: https://acme-v02.api.letsencrypt.org/directory
  • Email: admin@example.com

For staging/testing, use:

https://acme-staging-v02.api.letsencrypt.org/directory

Step 2 — Create Certificate Authority Instance


Navigate to:

Discovery → Certificate Authorities → New Certificate Authority
  • Type: ACME
  • Connector: Select the ACME connector created above

For HTTP-01, the agent serves the challenge token on port 80:

http://example.com/.well-known/acme-challenge/{token}

Requires port 80 to be reachable from the internet.

For DNS-01, SSL-CLM creates a TXT record:

_acme-challenge.example.com → {token}

Requires DNS API integration (Route53, Cloudflare, etc.).

For TLS-ALPN-01, the agent responds on port 443 with a self-signed certificate containing the challenge.
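
RFC 8555 derives both the HTTP-01 response body and the DNS-01 TXT value from the token and the ACME account key, so the `{token}` placeholders above stand for a computed value. The following added example (not SSL-CLM code; the function names, sample key and sample token are constructed for illustration) computes both values so a served challenge can be checked before the CA validates it:

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# RFC 7638: only these members, in sorted order, enter the thumbprint.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk: dict) -> str:
    members = {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the HTTP-01 responder must return for this token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the _acme-challenge TXT record must hold for this token."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())

def http01_body_ok(observed: bytes, token: str, account_jwk: dict) -> bool:
    """Pre-flight check: does the served body match what the CA expects?"""
    expected = key_authorization(token, account_jwk).encode("ascii")
    # RFC 8555 section 8.3 lets the CA ignore trailing whitespace in the body.
    return hmac.compare_digest(observed.rstrip(), expected)

# Constructed sample values (not a real account key or CA-issued token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32),
              "kid": "extra-member-ignored-by-thumbprint"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    print("HTTP-01 body:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT  :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("bare token accepted?", http01_body_ok(SAMPLE_TOKEN.encode(), SAMPLE_TOKEN, SAMPLE_JWK))
```

A responder that returns only the bare token, or a TXT record that holds the token itself, fails validation and counts against the failed-validation rate limit.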


Submit a certificate enrollment request:

  • Domain: example.com
  • SANs: www.example.com (optional)
  • Validation: HTTP-01 or DNS-01

SSL-CLM handles the ACME flow automatically:

  1. Create order
  2. Complete challenge
  3. Finalize order
  4. Download certificate

Let’s Encrypt certificates are valid for 90 days. SSL-CLM automatically renews them:

  • Default renewal: 30 days before expiry
  • Same validation method as initial issuance
  • Zero-downtime deployment via agent

Let’s Encrypt enforces rate limits:

| Limit | Value |
|---|---|
| Certificates per domain | 50 per week |
| Duplicate certificates | 5 per week |
| Failed validations | 5 per hour |
| New orders | 300 per 3 hours |

Use staging for testing to avoid hitting production limits.