I wrote an article about ACME clients and servers

Figured I would share this here as it may be of interest to many.

I'm hoping it will especially reach developers of web infrastructure software like servers and popular apps:

It gives a high-level intro to the ACME protocol, describes a 0-day found in the ACME ecosystem, and offers recommendations on choosing ACME clients and servers, based primarily on fundamental principles and experience.

Hopefully it will give you things to think about as you choose clients and servers, or even as you develop clients yourselves!

My main theses are basically, but coarsely, stated:

  • ACME is really good and important.
  • Choose a few (more than 1, less than ~5?) ACME CAs you trust and configure your client to use them (your client should support multiple for redundancy).
  • Choose as few (ideally one) ACME clients as you can, but choose wisely.
  • Web apps and infrastructure need to grow up and start enabling and automating TLS by default to fulfill the original vision. That means embedded ACME clients in all the things.

(My disclosure is mentioned on that page multiple times.)
I would really like to see memory safe implementations written in languages that are:

  1. Imperative programming
  2. Structured programming
  3. Procedural programming

such as the easy to read, learn, and use: