When certificates lasted two or three years, renewing by hand was annoying but survivable. You put a reminder on a calendar, generated a CSR, pasted it into a portal, and moved on. That model is finished. With maximum lifetimes dropping toward 47 days, a human renewing certificates one at a time is no longer a workflow, it is a backlog. Automation is the only thing that scales, and ACME is the protocol that makes it work.

What ACME Is

ACME, the Automatic Certificate Management Environment, is defined in RFC 8555. It is the protocol Let's Encrypt popularized and that most public CAs now support. The idea is simple: instead of a person proving domain control through a web form, a client on your server proves it automatically and the CA issues a certificate over an API.

The proof is called a challenge, and there are three common types. With http-01, the CA asks your client to place a specific token at a well-known URL on port 80. With dns-01, the client publishes a TXT record the CA then queries. With tls-alpn-01, the proof happens during a TLS handshake on port 443. Each suits a different setup: http-01 for a standard web server, dns-01 for wildcards and hosts not reachable on port 80, tls-alpn-01 for environments where only 443 is open.

Once the challenge passes, the client receives the certificate, installs it, and reloads the service. The whole exchange takes seconds, and because nothing about it requires a human, it can run on a timer.
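As an added illustration, not code from the post or from any of the clients it names, the block below shows what a client actually derives and publishes for each challenge type. It follows RFC 8555 section 8 (key authorization, http-01, dns-01) and RFC 8737 (tls-alpn-01); the account key coordinates and the token are constructed sample values, and a real client would derive them from its account private key and the CA's challenge object.

```python
"""ACME challenge responses (RFC 8555 section 8, RFC 8737).

Every challenge is answered with the same key authorization:
    keyAuthorization = token || "." || base64url(JWK_Thumbprint(accountKey))
The thumbprint is RFC 7638: SHA-256 over the canonical JSON of the public
key's required members only. The three challenge types publish it differently.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> bytes:
    """RFC 7638: keep only the required public members, serialize with sorted
    keys and no whitespace, then hash. Optional members (kid, alg) are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def key_authorization(token: str, jwk: dict) -> str:
    return f"{token}.{b64url(jwk_thumbprint(jwk))}"


def http01_response(token: str, jwk: dict, domain: str) -> tuple:
    """http-01: the CA fetches this URL over port 80 and expects the key
    authorization as the response body."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_response(token: str, jwk: dict, domain: str) -> tuple:
    """dns-01: a TXT record at _acme-challenge.<domain> whose value is
    base64url(SHA-256(keyAuthorization)), not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def tls_alpn01_digest(token: str, jwk: dict) -> bytes:
    """tls-alpn-01 (RFC 8737): the self-signed certificate presented under the
    'acme-tls/1' ALPN protocol on port 443 carries SHA-256(keyAuthorization)
    in its acmeIdentifier extension. This returns that 32-byte digest."""
    return hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()


# Constructed sample account public key (P-256). The coordinates are made up
# for this example and do not belong to any real key.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed


if __name__ == "__main__":
    url, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK, "example.com")
    print("http-01 :", url, "->", body)
    name, txt = dns01_response(SAMPLE_TOKEN, SAMPLE_JWK, "example.com")
    print("dns-01  :", name, "TXT", txt)
    print("tls-alpn:", tls_alpn01_digest(SAMPLE_TOKEN, SAMPLE_JWK).hex())
```

The detail worth noticing is that dns-01 publishes a hash of the key authorization while http-01 publishes the value itself, and that the thumbprint deliberately excludes `kid` and `alg`: an account key re-registered with a different key ID still yields the same challenge responses.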

Picking a Client

You do not write ACME yourself. You pick a client and let it handle the protocol. The common ones each fit a context.

  • Certbot is the reference client, good for single servers and well documented.
  • acme.sh is a shell implementation with no dependencies, handy on minimal systems.
  • lego is a single Go binary, easy to drop into a pipeline.
  • Caddy speaks ACME natively and renews with no extra tooling.
  • cert-manager handles issuance and renewal inside Kubernetes.

The protocol is the same underneath. The client just decides how issuance plugs into your deployment.

Why Short Lifetimes Force Automation

A 47-day certificate renews roughly every month if you rotate at the two-thirds mark, which is the usual practice. Run a hundred services and that is a hundred renewals a month, every month, forever. No team does that by hand without dropping one. The reason the industry moved to short lifetimes anyway is that automation makes lifetime almost irrelevant: if renewal is a background job, a 47-day cert is no more work than a two-year one, and the shorter window limits the damage from a key compromise.

So the shrinking lifetime is not really the problem. The problem is any certificate still being renewed manually when the deadline arrives.

Where Automation Breaks

Automating renewal does not mean you can stop watching it. ACME pipelines fail in specific, repeatable ways, and they fail silently because the old certificate keeps serving until it expires.

The most common break is the reload step. The client renews the certificate on disk, but the service is never told to pick it up, so the running process keeps presenting the old one until it expires. Always verify the served endpoint, not the file.

The second is dns-01 propagation. If your client tells the CA to validate before your DNS provider is actually serving the new TXT record, the challenge can fail intermittently. A propagation delay or a slow secondary can turn a reliable renewal into a flaky one.

The third is credentials. A dns-01 setup needs an API key for your DNS provider, and an http-01 setup needs port 80 reachable. Rotate the key or firewall the port and renewal stops, usually without anyone noticing for weeks.

The fourth is rate limits. Public CAs cap issuance per domain per week. A misconfigured loop that re-requests on every deploy can burn through the limit and lock you out right when you need a certificate.

Monitoring the Pipeline You Just Built

Automation moves the risk rather than removing it. You no longer forget to renew, but you can now fail to notice that automation stopped. The defense is the same as for any certificate: monitor the live endpoint and alert on the expiry date you actually serve. If a renewal job dies, SSL certificate monitoring catches the countdown regardless of which step failed.
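The check below is an added example, not the post's code or any monitoring product's, of the two things this section and the reload failure above insist on: look at the certificate the endpoint actually presents, and alert on its expiry date. It assumes a TLS endpoint reachable from the monitor and, optionally, the PEM file the ACME client wrote (the path is a placeholder), so a renewed file that was never reloaded shows up as a fingerprint mismatch. It also includes the renewal-window test a deploy hook should use instead of re-requesting on every run, which is the loop that exhausts a CA's per-domain rate limit.

```python
"""Verify the served certificate, not the file, and alert on what it expires.

Pure functions (fingerprint_*, days_until_expiry, classify, needs_renewal,
evaluate) work offline; check_served_certificate does the live fetch.
"""
import hashlib
import socket
import ssl
import time
from typing import Optional


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem: str) -> str:
    """Fingerprint of the first certificate in a PEM file (the leaf in a
    fullchain.pem), i.e. what the ACME client wrote to disk."""
    end = "-----END CERTIFICATE-----"
    first = pem.strip()
    first = first[: first.index(end) + len(end)]
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(first))


def days_until_expiry(not_after: str, now: float) -> float:
    """`not_after` is the 'notAfter' string from getpeercert(), e.g.
    'Jun 14 12:00:00 2025 GMT'; `now` is epoch seconds."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def needs_renewal(days_left: float, lifetime_days: float = 47) -> bool:
    """Renew at the two-thirds mark, i.e. once a third of the lifetime remains.
    Gate issuance on this, never on 'a deploy happened'."""
    return days_left <= lifetime_days / 3


def classify(days_left: float, warn_days: float = 14, crit_days: float = 7) -> str:
    """With a 47-day lifetime renewed at the two-thirds mark, a healthy endpoint
    never drops below about 16 days left, so anything under 14 means the
    renewal job or the reload step has stalled."""
    if days_left <= crit_days:
        return "CRITICAL"
    if days_left <= warn_days:
        return "WARNING"
    return "OK"


def evaluate(served_der: bytes, not_after: str, now: float,
             expected_pem: Optional[str] = None) -> dict:
    """Turn the served certificate into an alert decision."""
    days_left = days_until_expiry(not_after, now)
    result = {
        "fingerprint": fingerprint_der(served_der),
        "days_left": days_left,
        "status": classify(days_left),
        "renewal_due": needs_renewal(days_left),
    }
    if expected_pem is not None:
        # File renewed on disk but the service still presents the old
        # certificate: the reload step failed, even though expiry looks fine.
        result["reloaded"] = result["fingerprint"] == fingerprint_pem(expected_pem)
        if not result["reloaded"] and result["status"] == "OK":
            result["status"] = "WARNING"
    return result


def check_served_certificate(host: str, port: int = 443,
                             expected_pem_path: Optional[str] = None) -> dict:
    """Live check. The default context verifies the chain, so an expired or
    broken chain surfaces as a verification error rather than a parsed date."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                parsed = tls.getpeercert()
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        return {"status": "CRITICAL", "error": str(exc)}
    expected = None
    if expected_pem_path:
        with open(expected_pem_path, encoding="ascii") as fh:
            expected = fh.read()
    return evaluate(der, parsed["notAfter"], time.time(), expected)


if __name__ == "__main__":
    # Placeholder host and path; substitute your own endpoint and cert file.
    print(check_served_certificate("example.com", 443, expected_pem_path=None))
```

Run it from a host other than the one serving the certificate: the whole point is an outside view, and a monitor that reads the same file the ACME client writes would report success on exactly the failure it is meant to catch.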

Generator Labs certificate monitoring watches your endpoints from the outside, so a stalled ACME client shows up as an expiry warning days before it becomes an outage. To spot-check a single host after a renewal, the SSL certificate checker confirms the served certificate and chain in one request. Automate issuance, then watch the result, and short lifetimes stop being a burden.
