Let's Encrypt updates certificate automation, adds splats

ACME v2 and Wildcard Certificates now live

Let's Encrypt has updated its certificate automation support and added Wildcard Certificates to its system.

Certificate automation replaces what are otherwise manual and ad hoc mechanisms to apply for an X.509 certificate, and for the applicant's admins to prove they manage the domain in the certificate.

ACME is the automation standard Let's Encrypt first wrote. It's described here (the proposed version is in its tenth edit).

Written with input from Let's Encrypt, Cisco, the EFF and the University of Michigan, the ACME v2 document says the manual certificate application process looks like this:

  • Create the certificate signing request (CSR) and paste it into a certificate authority's (CA's) Web page;
  • Prove domain ownership by answering a challenge from the CA (either on its Web page, in a DNS record, or via e-mail to an admin at the CA); and
  • Download and install the certificate.

ACME is designed to get rid of the “out-of-band” human interaction in the process, so that getting a CA-provided certificate is “nearly as easy to deploy … as with a self-signed certificate”, the standard says.

FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader*


It uses JSON messages over HTTPS to carry the certificate action requests. Once a user has registered an ACME account, there are four steps to get a certificate: submit the order, prove you control the domain (the standard supports a number of challenge-response formats for this), submit a CSR, and download the issued certificate.

To use ACME for certificate automation, you need a compatible client. As well as Let's Encrypt's recommended Certbot, there's a list of another 70-plus clients plus libraries for nine languages here.

The automated process is rate-limited under existing Let's Encrypt rules, with an additional constraint. Applicants using the organisation's ACME v2 endpoint are throttled to 300 new orders per three hours.

Josh Aas of the Internet Security Research Group announced the feature here, and noted that ACME support is needed for the second Let's Encrypt feature announcement, Wildcard Certificates, which were expected in January.

For non-CA experts: Wildcard Certificates apply one certificate to multiple subdomains under a master domain. That way, if you needed to secure blogs.foo.com, images.foo.com, news.foo.com and www.foo.com with HTTPS, you can use a single certificate for all of them.

The DNS-01 challenge format secures wildcard applications, meaning admins will have to edit a DNS record to prove they have the right to request the certificate.

As this post explained, the ACME v2 RFC is still undergoing edits: “We intend to make our v2 endpoint implement the final ACME RFC, so there may be some further small changes, which we will pre-announce in the same API Announcements category as this post. We aim to keep these changes to a minimum”. ®

Biting the hand that feeds IT © 1998–2021