MagicServer uses Let’s Encrypt, a free certificate authority (CA) that issues TLS certificates. A certificate is issued if an application is able to prove that it controls the domain for which the certificate is requested. As an ACME client, MagicServer can request certificates from any CA that offers an ACME server, not just the one run by Let’s Encrypt. MagicServer still uses Let’s Encrypt by default because the service doesn’t require signing up for an account, and it is operated for public benefit by ISRG, a non-profit organization.

ACME overview

The way in which MagicServer communicates with the CA is called the ACME protocol. At a high level, this involves the following steps:
1. MagicServer orders a certificate from the CA for the domain.
2. The CA responds with a list of challenges MagicServer can complete to prove that it controls the domain.
3. MagicServer selects and completes one of the challenges, and indicates to the CA that the challenge is ready to be verified.
4. The CA validates the challenge, and if successful, allows downloading a new certificate for the requested domain.

Challenges

The ACME server run by the CA asks MagicServer to prove that it controls the domain by completing one of a few types of challenges.

HTTP-01

MagicServer always attempts this challenge. It is completed by responding to an HTTP request at /.well-known/acme-challenge/* with a specific value. To do this, MagicServer temporarily runs an HTTP server on port 80.
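
The sketch below is an added example, not MagicServer's own code. It shows what an HTTP-01 responder has to produce: per RFC 8555 the "specific value" is the key authorization, the token joined by a dot to the base64url SHA-256 thumbprint (RFC 7638) of the ACME account key. The class and function names, the sample key and the sample token are constructed for illustration.

```python
import base64
import hashlib
import json
import re

PREFIX = "/.well-known/acme-challenge/"
# JWK members that RFC 7638 feeds into the thumbprint, per key type.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
# Constructed sample values: placeholder coordinates, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}
SAMPLE_TOKEN = "constructed-token_0123456789abcdefABCDEF"


def jwk_thumbprint(jwk):
    """SHA-256 over the required members only, sorted, no whitespace."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class Http01Responder:
    """Answers only exact paths of challenges that are currently pending."""

    def __init__(self, account_jwk):
        self.thumbprint = jwk_thumbprint(account_jwk)
        self.pending = {}

    def add(self, token):
        # ACME tokens are base64url text; refuse anything else up front.
        if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
            raise ValueError("token is not base64url")
        self.pending[token] = f"{token}.{self.thumbprint}"

    def remove(self, token):
        # Called once the CA has validated, so nothing stays exposed.
        self.pending.pop(token, None)

    def respond(self, method, path):
        """Return (status, body) for one request received on port 80."""
        if method != "GET" or not path.startswith(PREFIX):
            return 404, b""
        key_auth = self.pending.get(path[len(PREFIX):])
        if key_auth is None:
            return 404, b""
        return 200, key_auth.encode("ascii")
```

Because the responder looks tokens up in a dictionary instead of reading files, a request path can never reach anything other than a pending challenge, and removing the token after validation leaves nothing to serve.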

TLS-ALPN-01

Advanced challenge that may be used when HTTP-01 is not viable. Not used by MagicServer.

DNS-01

This challenge is completed by creating a TXT record with a specific value under the requested domain name. Not used by MagicServer.

Renewals

Certificates are renewed automatically before expiration. To determine the ideal time to renew, MagicServer checks the duration of certificate validity, and waits until its age is at least 2/3 of the validity duration. For example, if the CA provided a 90-day certificate, MagicServer will ask for a new one 60 days after its issuance.