ACME Overview
Rate Limits
ACME providers such as Let’s Encrypt enforce rate limits on their production validation systems.
Specifically, rate limits imposed by Let’s Encrypt include:
Five validation failures per account, per hostname, per hour
Each certificate may have at most 100 SAN entries
Only 50 certificates may be created per domain per week
Some providers offer a test validation system for administrators testing their settings or developers who are programming clients. Test systems typically have higher limits, which aid testing and development, but the test system does not produce certificates which are trusted publicly.
Note
Other providers may have different rate limits. Some providers do not offer staging servers, only production servers.
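A client that tracks these limits itself can back off before the CA refuses it, which matters because a lockout on the failure limit lasts the rest of the hour. The following guard is an added example written for this page, not code from the ACME package or from Let’s Encrypt; the three constants are the limits quoted above, the grouping of SANs into a "domain" for the weekly limit is a placeholder that takes the last two labels (a real client would use the Public Suffix List), and the class name, method names and sample timestamps are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Iterable, List, Tuple

# The three Let's Encrypt production limits quoted in the text. Other CAs differ.
FAILURES_PER_HOUR = 5   # validation failures per account, per hostname, per hour
MAX_SANS = 100          # SAN entries per certificate
CERTS_PER_WEEK = 50     # certificates per domain per week

HOUR = timedelta(hours=1)
WEEK = timedelta(weeks=1)


def naive_registered_domain(fqdn: str) -> str:
    """Placeholder grouping (assumption): the last two labels of the name.
    A production client would consult the Public Suffix List instead."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


class AcmeRateGuard:
    """Client-side sliding-window bookkeeping of failures and issuances so that
    an order can be refused locally before the CA's rate limiter refuses it."""

    def __init__(self, registered_domain: Callable[[str], str] = naive_registered_domain):
        self._registered_domain = registered_domain
        # (account, hostname) -> timestamps of validation failures
        self._failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        # registered domain -> timestamps of certificates issued
        self._issued: Dict[str, Deque[datetime]] = defaultdict(deque)

    @staticmethod
    def _prune(events: Deque[datetime], now: datetime, window: timedelta) -> None:
        """Drop events that have aged out of the sliding window."""
        while events and now - events[0] >= window:
            events.popleft()

    def record_failure(self, account: str, hostname: str, now: datetime) -> None:
        self._failures[(account, hostname)].append(now)

    def record_issuance(self, name: str, now: datetime) -> None:
        self._issued[self._registered_domain(name)].append(now)

    def can_validate(self, account: str, hostname: str, now: datetime) -> bool:
        """True while fewer than FAILURES_PER_HOUR failures fall inside the last hour."""
        q = self._failures[(account, hostname)]
        self._prune(q, now, HOUR)
        return len(q) < FAILURES_PER_HOUR

    def check_order(self, account: str, sans: Iterable[str], now: datetime) -> List[str]:
        """Return a list of reasons the order would trip a limit; empty means go ahead."""
        sans = list(sans)
        problems: List[str] = []
        if len(sans) > MAX_SANS:
            problems.append(f"{len(sans)} SANs exceeds the limit of {MAX_SANS} per certificate")
        for san in sans:
            if not self.can_validate(account, san, now):
                problems.append(f"{san}: {FAILURES_PER_HOUR} failures in the last hour, wait before retrying")
        for domain in sorted({self._registered_domain(s) for s in sans}):
            q = self._issued[domain]
            self._prune(q, now, WEEK)
            if len(q) >= CERTS_PER_WEEK:
                problems.append(f"{domain}: {CERTS_PER_WEEK} certificates already issued this week")
        return problems


if __name__ == "__main__":
    # Constructed walk-through: five failures in five minutes lock the hostname for the hour.
    guard = AcmeRateGuard()
    t0 = datetime(2024, 1, 1, 12, 0)
    for minute in range(FAILURES_PER_HOUR):
        guard.record_failure("acct-1", "www.example.com", t0 + timedelta(minutes=minute))
    print(guard.check_order("acct-1", ["www.example.com"], t0 + timedelta(minutes=10)))
    print(guard.check_order("acct-1", ["www.example.com"], t0 + timedelta(hours=1, minutes=5)))
```

The guard only counts what the client itself has seen; failures caused by another client on the same account still count at the CA, so treat an empty problem list as necessary rather than sufficient.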
Security Limitations
When ACME validates a certificate using a method such as webroot or standalone, the service must be available to the Internet on its standard port: 80 for HTTP or 443 for TLS-ALPN. This is a security limitation to prevent a user from running an alternate web server on a high-numbered port and obtaining a certificate for a server they do not normally control.
Validation Process
When creating a certificate, add one or more Subject Alternative Names (SANs) to the SAN list for the certificate. Typically, these are fully qualified domain names (FQDNs), but a CA may offer other options, such as IP addresses. Let’s Encrypt will attempt to validate each SAN entry in different ways depending on the validation method.
When a validation method starts, the client obtains an authorization value from the server (“authz”).
For DNS-based methods of validating FQDN SANs, Let’s Encrypt checks for a TXT record in the form of _acme-challenge.<domain name> which must contain the authorization value. This proves that the entity requesting the certificate controls DNS records for the domain.
For file-based methods such as webroot or standalone, Let’s Encrypt connects to an IP address obtained by resolving the A record for the FQDN and requests a file from the web server at .well-known/acme-challenge/ underneath the webroot directory. This file contains the authorization value. This proves that the person or system requesting the certificate controls the web server for the domain name.
Note
ACME providers often do not publish which IP addresses or address families they use when performing validation. As such, the port must be accessible to any client on the Internet which can resolve the hostname during the validation process.
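The two validation paths above can be checked locally before the CA is asked to validate, which avoids burning a failure against the hourly limit when a DNS record has not propagated or the webroot file is not being served. The script below is an added example for this page, not code from the ACME package or from Let’s Encrypt. It follows RFC 8555: the authorization value the text refers to is the key authorization, token || "." || base64url(JWK thumbprint of the account key); the HTTP-01 file body is that string, and the DNS-01 TXT value is base64url(SHA-256(key authorization)). The resolver and HTTP fetcher are injected as plain functions so the example runs offline against constructed answers; the token, thumbprint and hostnames are constructed placeholders.

```python
import base64
import hashlib
from typing import Callable, Iterable, Tuple


def b64url(data: bytes) -> str:
    """Base64url without trailing '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint of the account key).
    The thumbprint is passed in already encoded; deriving it from a key is out of scope here."""
    return f"{token}.{account_thumbprint}"


def dns01_record(fqdn: str, key_auth: str) -> Tuple[str, str]:
    """Name and expected value of the TXT record for a DNS-01 challenge:
    _acme-challenge.<domain name> holding base64url(SHA-256(key authorization))."""
    name = f"_acme-challenge.{fqdn.rstrip('.')}"
    value = b64url(hashlib.sha256(key_auth.encode("ascii")).digest())
    return name, value


def http01_url(fqdn: str, token: str) -> str:
    """URL the CA fetches for HTTP-01. Port 80 only: the CA will not follow a
    high-numbered port, which is the security limitation described above."""
    return f"http://{fqdn.rstrip('.')}/.well-known/acme-challenge/{token}"


def verify_dns01(fqdn: str, key_auth: str, resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """True if any TXT answer for the challenge name matches the expected value."""
    name, expected = dns01_record(fqdn, key_auth)
    return any(answer.strip('"') == expected for answer in resolve_txt(name))


def verify_http01(fqdn: str, token: str, key_auth: str, fetch: Callable[[str], str]) -> bool:
    """True if the body served at the challenge URL is exactly the key authorization."""
    return fetch(http01_url(fqdn, token)).strip() == key_auth


if __name__ == "__main__":
    # Constructed inputs: a fake token, a fake account thumbprint and canned answers.
    token = "EXAMPLE-TOKEN-not-issued-by-any-CA"
    thumbprint = "EXAMPLE-THUMBPRINT-not-a-real-key"
    key_auth = key_authorization(token, thumbprint)

    txt_name, txt_value = dns01_record("www.example.com", key_auth)
    fake_zone = {txt_name: [txt_value]}                     # correctly published record
    fake_web = {http01_url("www.example.com", token): key_auth + "\n"}

    print("DNS-01 ready:", verify_dns01("www.example.com", key_auth, lambda n: fake_zone.get(n, [])))
    print("HTTP-01 ready:", verify_http01("www.example.com", token, key_auth, lambda u: fake_web.get(u, "")))
    # A stale record from a previous run fails, which is what the CA would also see.
    stale_zone = {txt_name: ["OLD-VALUE-FROM-LAST-WEEK"]}
    print("stale DNS-01 ready:", verify_dns01("www.example.com", key_auth, lambda n: stale_zone.get(n, [])))
```

When wiring this to a real resolver, query an external recursive resolver rather than the authoritative server the client just updated, since the CA sees the zone from the outside and, as the note above says, from addresses that are not published in advance.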