ACME overview
The way in which MagicServer communicates with the CA is called the ACME protocol. At a high level, this involves the following steps:
1. MagicServer orders a certificate from the CA for the domain.
2. The CA responds with a list of challenges MagicServer can complete to prove that it controls the domain.
3. MagicServer selects and completes one of the challenges, and indicates to the CA that the challenge is ready to be verified.
4. The CA validates the challenge and, if successful, allows downloading a new certificate for the requested domain.
Challenges
The ACME server run by the CA asks MagicServer to prove that it controls the domain by completing one of a few types of challenges.
HTTP-01
MagicServer always attempts this challenge. It is completed by responding to an HTTP request at /.well-known/acme-challenge/* with a specific value.
To do this, MagicServer temporarily serves an HTTP server on port 80.
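The following is an added example, not MagicServer's own code, that ties the four protocol steps above to the HTTP-01 challenge: the "specific value" served under /.well-known/acme-challenge/ is the key authorization from RFC 8555 (the CA's token joined to the RFC 7638 thumbprint of the account key), and the CA's validation in step 4 is the fetch-and-compare shown in ca_validates. The Responder, make_handler and SAMPLE_JWK names are assumptions made for the example, and the JWK coordinates are constructed placeholders rather than a real key. The responder answers only tokens it has registered, so any other path on the temporary port-80 listener gets a 404.

```python
"""Added example, not MagicServer's own code: a minimal HTTP-01 responder and
the check the CA makes against it, following RFC 8555 section 8.3."""
import base64
import hashlib
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members in lexicographic order."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The 'specific value' served for a token: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class Responder:
    """Answers only for tokens the client has registered; everything else is 404."""

    def __init__(self, account_jwk: dict):
        self.account_jwk = account_jwk
        self.answers: dict[str, str] = {}

    def add_token(self, token: str) -> None:
        self.answers[token] = key_authorization(token, self.account_jwk)

    def respond(self, path: str) -> tuple[int, bytes]:
        """Map a request path to (status, body)."""
        if not path.startswith(CHALLENGE_PREFIX):
            return 404, b""
        token = path[len(CHALLENGE_PREFIX):]
        answer = self.answers.get(token)
        if answer is None:
            return 404, b""
        return 200, answer.encode("ascii")


def ca_validates(responder: Responder, token: str, account_jwk: dict) -> bool:
    """CA side of step 4: fetch the path and compare with the expected key authorization.
    A real CA does this over the network to port 80; here it calls the responder directly."""
    status, body = responder.respond(CHALLENGE_PREFIX + token)
    expected = key_authorization(token, account_jwk).encode("ascii")
    return status == 200 and secrets.compare_digest(body, expected)


def make_handler(responder: Responder):
    """Wrap the responder in http.server for the temporary port-80 listener."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = responder.respond(self.path)
            self.send_response(status)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


# Constructed account key for the example; the coordinates are placeholders, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}

if __name__ == "__main__":
    responder = Responder(SAMPLE_JWK)
    token = b64url(secrets.token_bytes(32))  # in a real order the CA chooses the token
    responder.add_token(token)
    print("serving", CHALLENGE_PREFIX + token, "on port 80")
    HTTPServer(("", 80), make_handler(responder)).serve_forever()
```

Running the block stand-alone binds port 80 (which needs the appropriate privilege) and serves the registered token until interrupted; the functions can also be exercised without a listener, as ca_validates does, which is how a client can self-check its answer before telling the CA the challenge is ready.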
TLS-ALPN-01
An advanced challenge that may be used when HTTP-01 is not viable. Not used by MagicServer.
DNS-01
This challenge is completed by creating a TXT record with a specific value under the requested domain name. Not used by MagicServer.
Renewals
Certificates are renewed automatically before expiration. To determine the ideal time to renew, MagicServer checks the duration of certificate validity and waits until the certificate's age is at least 2/3 of that duration. For example, if the CA provided a 90-day certificate, MagicServer will ask for a new one 60 days after its issuance.
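As an added example (not MagicServer's own code), the renewal rule above applied to a certificate's notBefore/notAfter window, extended to a small scheduling pass over several certificates: each one is due once its age reaches 2/3 of its validity, an already-expired certificate is simply due immediately, and the earliest pending renewal point is the next time to wake up. The Cert dataclass, the plan function and the sample certificates are assumptions constructed for the example; the dates are not real issuance data.

```python
"""Added example, not MagicServer's own code: the 2/3-of-validity renewal rule
applied to the notBefore/notAfter window of each certificate."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime


def renewal_time(cert: Cert) -> datetime:
    """Instant at which the certificate's age reaches 2/3 of its validity period."""
    validity = cert.not_after - cert.not_before
    if validity <= timedelta(0):
        raise ValueError(f"{cert.name}: notAfter must be later than notBefore")
    # Multiply before dividing so a 90-day validity yields exactly 60 days.
    return cert.not_before + (validity * 2) / 3


def needs_renewal(cert: Cert, now: datetime) -> bool:
    """True once the certificate is at least 2/3 through its validity (or already expired)."""
    return now >= renewal_time(cert)


def plan(certs, now):
    """Split certificates into those to renew now and the next wake-up time for the rest.
    Returns (names_to_renew_now, next_wakeup_or_None)."""
    due = [c.name for c in certs if needs_renewal(c, now)]
    pending = [renewal_time(c) for c in certs if not needs_renewal(c, now)]
    return due, (min(pending) if pending else None)


# Constructed sample certificates (dates chosen for the example, not real issuance data).
UTC = timezone.utc
ISSUED = datetime(2024, 1, 1, tzinfo=UTC)
SAMPLE_CERTS = [
    Cert("ninety-day", ISSUED, ISSUED + timedelta(days=90)),
    Cert("six-day", ISSUED, ISSUED + timedelta(days=6)),
    Cert("expired", ISSUED - timedelta(days=400), ISSUED - timedelta(days=310)),
]

if __name__ == "__main__":
    now = ISSUED + timedelta(days=30)
    due, wake = plan(SAMPLE_CERTS, now)
    print("renew now:", due)
    print("next check:", wake)
```

Using timezone-aware datetimes throughout avoids the naive/aware comparison errors that otherwise appear when notAfter parsed from a certificate is compared with the local clock.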