ACME is what facilitates Let’s Encrypt’s entire business model, allowing it to issue 90-day domain validated SSL certificates that can be renewed and replaced without website owners ever having to lift a finger.
If you want to know the internals behind this, this document is for you.
Public Key Infrastructure using X.509 (PKIX) certificates is used for a number of purposes, the most significant of which is the authentication of domain names. ACME is a protocol that a CA and an applicant can use to automate the verification and certificate issuance process.
Certificates issued by public ACME servers are typically trusted by clients' computers by default. This means, for example, that a website backed by an ACME certificate issued for its domain will be trusted by default by most clients' web browsers.
ACME certificates are typically free.
To get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain by accomplishing certain challenges. A challenge is one among a list of specified tasks that only someone who controls the domain can accomplish.
The CA sends your ACME agent a token to install on the server.
The agent creates a file that contains said token along with a thumbprint of the authorization key that was generated during setup.
Once the file is installed, the agent informs the CA, which tries to retrieve it.
This challenge requires your ACME agent to place a given value in a TXT record in your domain’s DNS space.
As with HTTP challenges, the CA provides the agent a token, which is concatenated with the thumbprint of the authorization key to create the TXT record value.
Once the agent notifies the CA that the challenge has been met, the CA performs a DNS lookup to retrieve the TXT record.
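The two challenge responses above, worked through in code (an added example, not code from the page or from any ACME client): the key authorization is the token joined with a "." to the RFC 7638 thumbprint of the account (authorization) key; HTTP-01 serves it as the body at /.well-known/acme-challenge/<token>, and DNS-01 publishes the base64url-encoded SHA-256 digest of it in a TXT record at _acme-challenge.<domain>, as specified in RFC 8555 (linked in the references). The account key coordinates and the token are constructed placeholders, and the CA-side check is an illustration of what the validator compares.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
# Extra members such as "kid" or "use" are deliberately ignored.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Constructed sample account key (not a real P-256 point) for the worked example.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "cx", "y": "cy", "kid": "acct-1", "use": "sig"}
TOKEN = "tok-constructed-0123456789abcdef"  # constructed challenge token

def b64url(data: bytes) -> str:
    """ACME uses base64url without '=' padding (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) of the required members."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """HTTP-01: (URL path the CA fetches, body the agent must serve there)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)

def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """DNS-01: (TXT record name, TXT value = base64url(SHA-256(key authorization)))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

def validate_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """CA side: the fetched body must equal the expected key authorization.
    Trailing whitespace is ignored (RFC 8555 section 8.3); compare in constant time."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(fetched_body.rstrip(), expected)

if __name__ == "__main__":
    print(http01_response(TOKEN, ACCOUNT_JWK))
    print(dns01_record("example.com", TOKEN, ACCOUNT_JWK))
```

The validator only accepts a body built from the same token and the same account key, so a response published by a different ACME account for the same token does not pass.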
The agent generates a CSR for the domain.
The agent signs the public key generated alongside the CSR with the corresponding private key.
The agent signs the whole CSR with its own private key (the authorization key generated during initial configuration).
The CA verifies both signatures and issues the certificate.
The agent receives the certificate and installs it on the relevant domain.
ACME is well suited to Kubernetes environments because it provides an automated way to provision and renew certificates. Below is the ingress flow required to route traffic between the public ACME server and the agent.
For the ACME challenge, cert-manager creates a temporary Ingress resource that routes the validation requests from the Let's Encrypt CA to the cert-manager pods.
On successful validation of the domain, this temporary Ingress is deleted.
Let's Encrypt acts as the ACME server.
The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.
Step-CA can also run the same flow as a private ACME server; refer to the smallstep link in the references below for details.
https://cert-manager.io/docs/configuration/acme/
https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/certificate-management/acme/
https://www.thesslstore.com/blog/acme-protocol-what-it-is-and-how-it-works/
https://tools.ietf.org/html/rfc8555
https://letsencrypt.org/how-it-works/
https://smallstep.com/blog/private-acme-server/