ACME (Automated Certificate Management Environment) is the protocol that makes free, automated SSL certificates possible. It’s how Let’s Encrypt — and your ACME client (GetHTTPS, Certbot, acme.sh) — actually communicates with the Certificate Authority.
Defined in RFC 8555, ACME replaced the old manual process (email CSRs to a CA, wait for human review) with a fully automated, cryptographically secure protocol.
How ACME works — the 5 steps
```
┌────────────┐                                    ┌─────────────────┐
│   Client   │  ① Account Registration            │    CA Server    │
│ (GetHTTPS) │  ───────────────────────────────→  │ (Let's Encrypt) │
│            │  ② New Order (domains)             │                 │
│            │  ───────────────────────────────→  │                 │
│            │  ③ Challenges offered              │                 │
│            │  ←───────────────────────────────  │                 │
│            │     Challenges completed, verify   │                 │
│            │  ───────────────────────────────→  │                 │
│            │  ④ Finalize (send CSR)             │                 │
│            │  ───────────────────────────────→  │                 │
│            │  ⑤ Download Certificate            │                 │
│            │  ←───────────────────────────────  │                 │
└────────────┘                                    └─────────────────┘
```
Step 1: Account registration
The client generates an ACME account key pair and registers the public key with the CA. This key identifies you in future requests — every ACME message is signed with it.
No email, no password, no personal information required.
Step 2: New order
The client submits a list of domain names it wants a certificate for. The CA creates an “order” and returns a set of “authorizations” — one per domain — each with challenges to complete.
Step 3: Complete challenges
For each domain, the client must prove control. The CA offers several challenge types:
| Challenge | How it works | Use case |
|---|---|---|
| HTTP-01 | Serve a file at http://<domain>/.well-known/acme-challenge/<token> | Most common, simplest |
| DNS-01 | Add a TXT record at _acme-challenge.<domain> | Wildcards, no port 80 |
| TLS-ALPN-01 | Respond on port 443 with a special TLS certificate | When port 80 is blocked and no DNS access |
The client completes the challenge, then tells the CA to verify. The CA checks from its servers — if the challenge passes, the authorization is marked as valid.
Step 4: Finalize (send CSR)
After all domains are authorized, the client sends a CSR (Certificate Signing Request) containing the public key for the certificate. The CA signs it and creates the certificate.
Step 5: Download certificate
The client downloads the signed certificate chain — your certificate + the intermediate CA certificate. Done.
ACME security model
Every ACME request is signed with JWS (JSON Web Signature) using the account key. This prevents:
- Replay attacks — each request carries a single-use nonce issued by the CA
- Tampering — the signature covers the protected header and the entire request body
- Impersonation — only the holder of the account's private key can produce a valid signature
The account key never leaves the client. With GetHTTPS, it’s generated in your browser via the Web Crypto API.
How GetHTTPS uses ACME
GetHTTPS implements the full ACME protocol in JavaScript running in your browser:
- Account key generated with crypto.subtle.generateKey() (Web Crypto API)
- Certificate key generated the same way
- ACME messages signed with crypto.subtle.sign()
- CSR built with the pkijs library
- Direct HTTPS communication with acme-v02.api.letsencrypt.org
No server-side proxy, no middleware. Your browser talks directly to Let’s Encrypt’s ACME API. This is unique — most ACME clients run on a server.
ACME clients compared
| Client | Runs in | ACME v2 | Auto-renewal | Language |
|---|---|---|---|---|
| GetHTTPS | Browser | ✅ | ❌ Manual | JavaScript |
| Certbot | Server CLI | ✅ | ✅ | Python |
| acme.sh | Server CLI | ✅ | ✅ | Shell |
| Caddy | Web server | ✅ | ✅ | Go |
| Traefik | Reverse proxy | ✅ | ✅ | Go |
| Lego | CLI library | ✅ | ✅ | Go |
CAs that support ACME
ACME was created by Let’s Encrypt but is now an open standard used by multiple CAs:
| CA | ACME directory URL | Free? |
|---|---|---|
| Let’s Encrypt | acme-v02.api.letsencrypt.org/directory | ✅ |
| ZeroSSL | acme.zerossl.com/v2/DV90 | Limited free |
| Buypass | api.buypass.com/acme/directory | ✅ |
| Google Trust Services | Via Google Cloud ACME | ✅ |
| DigiCert | Enterprise ACME endpoint | Paid |
| Sectigo | Enterprise ACME endpoint | Paid |
Frequently asked questions
Is ACME the same as Let’s Encrypt?
No. ACME is the protocol (RFC 8555). Let’s Encrypt is a Certificate Authority that uses ACME. Other CAs (ZeroSSL, Buypass, Google) also support ACME. Think of it like HTTP vs Google — HTTP is the protocol, Google is a service that uses it.
Can I implement my own ACME client?
Yes. The protocol is fully specified in RFC 8555. GetHTTPS is an example of a browser-based implementation. Libraries exist for most languages (certbot for Python, lego for Go, acme.js for JavaScript).
What is ACME v2?
ACME v2 is the current version (RFC 8555), which added wildcard certificate support and replaced the draft v1 protocol. All modern ACME clients use v2. Let’s Encrypt shut down the v1 endpoint in 2021.
What happens if the ACME server is down?
Existing certificates continue working (they don’t phone home). You just can’t issue or renew until the server recovers. Let’s Encrypt has high uptime and redundant infrastructure.