Automating Certificate Renewal with ACME

Learn how ACME automates SSL certificate issuance and renewal, how domain validation works, and how to prevent renewal failures.

By CheckDomainHealth Editorial Team. Reviewed by Dionis Ceban. Updated Jun 28, 2026. 9 min read. Level: Advanced.

Introduction

ACME, or Automated Certificate Management Environment, is the protocol used by certificate authorities and ACME clients to issue and renew SSL/TLS certificates automatically. Let’s Encrypt is the best-known ACME certificate authority, but ACME is also supported by other providers and tools.

A good ACME setup does more than request a certificate. It validates domain control, issues or renews the certificate, installs it on the active service, reloads the server or proxy, and checks that the public website is serving the new certificate.

Quick answer

ACME automates SSL certificate renewal by proving domain control, requesting a new certificate, installing it and reloading the service. The most common validation methods are HTTP-01, DNS-01 and TLS-ALPN-01. Renewal should be tested with a dry run and monitored before expiry.

What is ACME?

ACME stands for Automated Certificate Management Environment. It is a protocol that allows software to request, validate, issue and renew SSL/TLS certificates automatically. Widely used ACME clients and integrations include:

  • Certbot
  • acme.sh
  • lego
  • win-acme
  • Caddy automatic HTTPS
  • Traefik ACME
  • Hosting AutoSSL integrations

ACME is the automation layer. The certificate still needs to be installed on the system that actually serves HTTPS.

How renewal works

  1. ACME client checks certificate expiry.
  2. Client requests renewal from the certificate authority.
  3. CA asks the client to prove domain control.
  4. Client completes a validation challenge.
  5. CA issues the renewed certificate.
  6. Client stores or installs the certificate.
  7. Web server, proxy or service reloads.
  8. Public hostname serves the renewed certificate.

If any step fails, the certificate may expire even though automation exists.

Validation methods

HTTP-01

  • How it works: The CA checks a temporary file under /.well-known/acme-challenge/.
  • Best for: Normal websites with public HTTP access.
  • Common failure: Port 80 blocked, wrong DNS, redirects or webroot mismatch.

DNS-01

  • How it works: The CA checks a DNS TXT record.
  • Best for: Wildcard certificates, private origins and advanced setups.
  • Common failure: DNS API credentials fail, wrong DNS provider or slow propagation.

TLS-ALPN-01

  • How it works: The CA validates over port 443 using a special TLS response.
  • Best for: Some automated server setups.
  • Common failure: Port 443 blocked, proxy conflict or unsupported server configuration.

Wildcard certificates usually require DNS-01 validation.

Deployment hooks

An ACME client can renew a certificate, but the renewed certificate must also be deployed to the active service. Depending on the stack, deployment can involve:

  • Copying certificate files
  • Updating a control panel
  • Reloading Nginx, Apache or LiteSpeed
  • Restarting a mail service
  • Updating a reverse proxy
  • Updating a load balancer
  • Uploading to a CDN
  • Running a deploy hook

A common failure is successful renewal without deployment to the public endpoint.

HTTP-01 checklist

  • Domain points to the ACME client server
  • Port 80 is reachable
  • /.well-known/acme-challenge/ is not blocked
  • Redirects do not break validation
  • CDN or proxy allows validation requests
  • Webroot path is correct
  • Security rules do not block the CA
  • CAA allows the issuing CA
  • Renewal job runs on schedule

HTTP-01 is simple when the website is public and DNS points directly to the validating server.
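A pre-flight check for the HTTP-01 items above, as an added Go example that is not part of this guide: it plants a throwaway token under the webroot, fetches it through the public base URL the way the CA would, and reports a redirect, a non-200 status or a body mismatch (the usual sign of a wrong webroot). The Preflight function and its webroot and baseURL arguments are assumptions for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
	"net/http"
	"os"
	"path/filepath"
)

const challengeDir = ".well-known/acme-challenge"

// Preflight writes a throwaway token into the webroot, requests it through the
// public base URL and checks that it comes back unchanged. A failure points at
// the webroot path, a redirect, a firewall or a CDN rule.
func Preflight(webroot, baseURL string) error {
	raw := make([]byte, 16)
	rand.Read(raw)
	token := base64.RawURLEncoding.EncodeToString(raw)
	dir := filepath.Join(webroot, challengeDir)
	os.MkdirAll(dir, 0o755)
	path := filepath.Join(dir, token)
	if err := os.WriteFile(path, []byte(token), 0o644); err != nil {
		return err
	}
	defer os.Remove(path) // clean up the token like an ACME client would
	// Redirects are reported, not followed, so the operator sees where the challenge path goes.
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	resp, err := client.Get(baseURL + "/" + challengeDir + "/" + token)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 == 3 {
		return errors.New("challenge path redirects to " + resp.Header.Get("Location"))
	}
	if resp.StatusCode != http.StatusOK {
		return errors.New("challenge path returned " + resp.Status)
	}
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
	if string(body) != token {
		return errors.New("challenge body does not match the token (wrong webroot?)")
	}
	return nil
}
```

Run it against the real webroot and http://your-hostname before a renewal attempt; it leaves no token behind and does not count against any CA rate limit.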

DNS-01 checklist

  • DNS provider API credentials are valid
  • Credentials have permission to edit TXT records
  • Correct DNS zone is selected
  • Propagation timing is configured
  • Wildcard and root names are handled correctly
  • Old challenge records are cleaned up
  • CAA allows the issuing CA
  • Secrets are stored securely
  • Renewal dry run passes

DNS-01 is powerful but depends heavily on reliable DNS API access.

Why this matters

ACME automation matters because certificates expire regularly. Manual renewal creates unnecessary outage risk, while proper automation can renew certificates before users ever see a warning.

But automation must be monitored. A broken renewal job, changed DNS, expired API token or CDN mismatch can silently turn into an SSL outage weeks later.

How to check automation

Use SSL Checker to confirm the public certificate and your ACME client logs to confirm renewal automation.

When checking ACME automation, review the following seven checks. Together they confirm that renewal automation is working.

Public certificate expiry

Check what visitors actually receive.

Renewal schedule

Confirm the ACME client runs automatically.

Validation method

Identify whether renewal uses HTTP-01, DNS-01 or TLS-ALPN-01.

CAA records

Confirm the certificate authority is allowed.

Deployment step

Confirm the renewed certificate is installed on the active service.

Service reload

Confirm Nginx, Apache, LiteSpeed, CDN, proxy or load balancer reloads correctly.

Dry run

Run a safe renewal test where supported.

Check certificate automation result

Use SSL Checker to verify the active certificate, issuer, hostname coverage and expiry after renewal.

Common problems

Renewal job not running

Severity: High

The ACME client is installed, but cron, systemd timer, task scheduler or hosting AutoSSL is not running.

Next step: Enable and test the renewal scheduler.

HTTP-01 challenge blocked

Severity: High

The CA cannot reach the challenge file under /.well-known/acme-challenge/.

Next step: Check port 80, redirects, firewall, webroot and CDN rules.

DNS-01 API token expired

Severity: High

The ACME client cannot create DNS TXT records for validation.

Next step: Update DNS API credentials and run a dry test.

CAA blocks issuance

Severity: High

CAA records do not allow the certificate authority used by the ACME client.

Next step: Update CAA records to allow the active CA.

Certificate renewed but not deployed

Severity: High

The new certificate exists locally, but the public server still serves the old certificate.

Next step: Fix deploy hook and reload the active service.

Wrong server renews the certificate

Severity: Medium

Renewal happens on an old server, while DNS now points elsewhere.

Next step: Move ACME automation to the active server or CDN.

CDN edge certificate not updated

Severity: Medium

Origin renewal works, but visitors see a CDN edge certificate.

Next step: Check CDN certificate automation separately.

Wildcard renewal fails

Severity: Medium

Wildcard certificates require DNS-01 validation and DNS automation may be broken.

Next step: Check DNS provider API, zone selection and propagation timing.

Rate limits after repeated failures

Severity: Medium

Repeated failed attempts may trigger CA rate limits.

Next step: Fix validation first, then retry carefully.

Reliable renewal setup

  1. Identify the active HTTPS endpoint

    Confirm whether certificates are served by hosting, server, CDN, proxy or load balancer.

  2. Choose the right validation method

    Use HTTP-01 for normal public sites and DNS-01 for wildcard or advanced setups.

  3. Configure the ACME client

    Use Certbot, acme.sh, lego, win-acme, Caddy, Traefik or hosting automation depending on your stack.

  4. Set deployment hooks

    Make sure renewed certificates are copied or installed where the active service uses them.

  5. Reload services automatically

    Reload Nginx, Apache, LiteSpeed, mail service, proxy or load balancer after renewal.

  6. Test renewal safely

    Use dry-run or staging mode where supported.

  7. Monitor expiry

    Add external SSL expiry monitoring so failures are caught before users see warnings.

  8. Document the setup

    Record validation method, file paths, credentials, deploy hooks and renewal schedule.

Monitor the following to catch renewal failures before expiry.

  • Certificate expiry date
  • Issuer
  • Hostname coverage
  • Renewal job status
  • ACME client logs
  • Validation errors
  • Deploy hook errors
  • Web server reload errors
  • CDN edge certificate expiry
  • Origin certificate expiry
  • CAA changes
  • DNS changes

External monitoring is important because it checks what visitors actually see, not only what the server thinks is installed.
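The deployment and monitoring checks above (renewed but not deployed, expiry, hostname coverage, what visitors actually receive) as an added Go example that is not part of this guide: CheckDeployment fetches the certificate an endpoint serves and compares its fingerprint with the locally renewed certificate, and SelfSigned builds constructed test certificates so the check can be exercised against a loopback TLS listener. The function names and the use of example.com are assumptions for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// DeployStatus is what the post-renewal check reports.
type DeployStatus struct {
	Served, Local    string // SHA-256 fingerprints of the served and local leaf certs
	Deployed, Covers bool   // edge serves the local cert; served cert is valid for host
	DaysLeft         int    // days until the served certificate expires
}

// CheckDeployment fetches the leaf certificate visitors receive from addr (SNI host)
// and compares it with the locally renewed one. Chain verification is skipped on
// purpose so that an expired or mismatched certificate can still be inspected.
func CheckDeployment(addr, host string, local *x509.Certificate) (DeployStatus, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return DeployStatus{}, err
	}
	defer conn.Close()
	served := conn.ConnectionState().PeerCertificates[0]
	sf, lf := sha256.Sum256(served.Raw), sha256.Sum256(local.Raw)
	return DeployStatus{Served: hex.EncodeToString(sf[:]), Local: hex.EncodeToString(lf[:]),
		Deployed: sf == lf, Covers: served.VerifyHostname(host) == nil,
		DaysLeft: int(time.Until(served.NotAfter).Hours() / 24)}, nil
}

// SelfSigned builds a constructed test certificate for host, valid for days,
// standing in for the certificate files an ACME client writes to disk.
func SelfSigned(host string, days int) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Duration(days) * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}
```

In production, pass the public hostname:443 and the certificate parsed from the ACME client's live directory; a result with Deployed false right after a successful renewal is the "renewed but not deployed" failure from the problem list.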

CDN and proxy

If a CDN or reverse proxy is used, ACME automation may happen at the origin, at the CDN edge, or both. Check:

  • Whether visitors see CDN edge certificate
  • Whether origin certificate is renewed separately
  • Whether HTTP-01 challenges pass through the CDN
  • Whether DNS-01 is better for wildcard or CDN setups
  • Whether CDN provides its own certificate automation
  • Whether redirect or security rules block validation

Do not assume renewing the origin certificate updates the CDN edge certificate.

ACME examples

Certbot dry run:

    sudo certbot renew --dry-run

Check Certbot timer:

    systemctl list-timers | grep certbot

Check certificate dates:

    echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

Check HTTP-01 path:

    curl -I http://example.com/.well-known/acme-challenge/test

Check CAA:

    dig example.com CAA

Example deploy hook idea:

    renew certificate → install files → reload web server → run external SSL check

These examples are illustrative. Replace example.com with your real hostname and use commands that match your operating system, ACME client and server stack.

Frequently asked questions

What is ACME?

ACME is a protocol that automates SSL/TLS certificate issuance and renewal.

Is ACME only for Let’s Encrypt?

No. Let’s Encrypt is the most common ACME CA, but other certificate authorities and tools can also support ACME.

Which ACME validation method should I use?

HTTP-01 is common for normal public websites. DNS-01 is usually required for wildcard certificates and useful for advanced setups.

Why did ACME renewal fail?

Common causes include blocked validation, DNS changes, CAA restrictions, expired DNS API credentials, stopped renewal jobs or failed deploy hooks.

Why was the certificate renewed but the site still shows the old one?

The new certificate may not have been deployed to the active server, CDN, proxy or load balancer.

Do I need to reload the web server after ACME renewal?

Often yes. The service must load the renewed certificate files.

Should I monitor certificate expiry even with ACME?

Yes. Automation can fail, and external monitoring catches problems before users see warnings.
