Sure. So it relies again on the integrity of DNS, and the spec presents three different challenges that you can solve to get a certificate, to prove your ownership of a domain name. So for example, Caddy will solve two of these challenges for you by default, just out of the box; it will just work. The third one is for special cases that some people prefer. So the first two are the HTTP challenge and the SNI challenge.

The HTTP challenge is basically where you serve up a resource at an HTTP endpoint on your server. The ACME CA will do an authoritative DNS lookup, make a request to your server for that special resource, and if it can find it there then it proves you own the machine or that you own the domain name, and so you can get the certificate.

Caddy does this one. It does the TLS SNI challenge as well, which is the same idea as the HTTP challenge, except that it performs a special TLS handshake. And if your server, which is the client in this case, can complete that special handshake with the special server name in the SNI extension, then the ACME CA will validate for you and give you the certificate.

So Caddy can do both of those for you by default, automatically. There are Go libraries that can do at least the HTTP challenge. That seems to be the standard one. The problem, though, with these two is that they require opening a port. The HTTP challenge requires port 80 and the TLS SNI challenge requires port 443. Those are hardcoded into the spec; you can't change them. If you wanna use a different port, you have to forward it. If you use TLS termination, you can't do the TLS SNI challenge, obviously, or if you're behind a load balancer or other complicated infrastructure, the outside ACME server may not be able to reach your machine inside.

Then there is the third challenge, which is the DNS challenge. For this one, you have to set a record in your zone file on your domain name, for a special name on your host, that validates that you own the DNS, that you have access to that. And the ACME server will perform an authoritative lookup for that special record (it's a TXT record), and if it has the right value then it will issue a certificate. The nice thing here is that the ACME server doesn't need to communicate directly with your server, so you don't need to open any ports or anything.

The downside is that you either have to do this manually or you have to give your ACME client credentials to your DNS provider, and they have to have an API to allow you to set records. Now unfortunately, lots of DNS providers have an API of some sort. Caddy, for example, ships with support for 10 DNS providers, especially the most common ones (CloudFlare, Namecheap, Digital Ocean, etc.). And you can specify these credentials in your environment variables, so Caddy can perform the DNS challenge as well, as of 0.9.

Those are the three challenge types, and if you're having a hard time with Let's Encrypt or with ACME in general, I'm willing to bet it's probably because your tooling has not quite arrived yet or it's not mature yet, or you're asking a lot from the Let's Encrypt servers, and that's when people run into rate limits. But honestly, this covers 95% to 99% of the use cases.
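The HTTP and DNS challenges described in the answer above, as an added Go example that is not part of the interview and not Caddy's own code: it computes the values an ACME client has to publish for the HTTP challenge (HTTP-01) and the DNS challenge (DNS-01) as specified in RFC 8555 and RFC 7638, using a locally generated P-256 account key and a sample token (real tokens come from the CA's challenge object). The key authorization is the token joined to the RFC 7638 thumbprint of the account key; HTTP-01 serves that string verbatim at the well-known path on port 80, while DNS-01 publishes the base64url SHA-256 digest of it in a TXT record. The TLS SNI challenge is not covered here; Let's Encrypt later retired that challenge type in favour of TLS-ALPN-01.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
)

// Example code, not Caddy's implementation: the values an ACME client publishes
// for the HTTP-01 and DNS-01 challenges of RFC 8555, for a P-256 account key.

// GenerateAccountKey creates the ECDSA P-256 account key the client signs with.
func GenerateAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// leftPad left-pads b with zero bytes to size; JWK coordinates are fixed-width.
func leftPad(b []byte, size int) []byte {
	if len(b) >= size {
		return b
	}
	out := make([]byte, size)
	copy(out[size-len(b):], b)
	return out
}

// JWKThumbprint implements RFC 7638 for an EC key: SHA-256 over the JSON
// {"crv","kty","x","y"} with members in lexicographic order and no whitespace.
func JWKThumbprint(pub *ecdsa.PublicKey) (string, error) {
	if pub.Curve != elliptic.P256() {
		return "", fmt.Errorf("this example only handles P-256 keys")
	}
	size := (pub.Curve.Params().BitSize + 7) / 8
	jwk := struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{
		Crv: "P-256",
		Kty: "EC",
		X:   base64.RawURLEncoding.EncodeToString(leftPad(pub.X.Bytes(), size)),
		Y:   base64.RawURLEncoding.EncodeToString(leftPad(pub.Y.Bytes(), size)),
	}
	raw, err := json.Marshal(jwk) // struct fields are emitted in declaration order
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// KeyAuthorization is token || "." || thumbprint: the exact body HTTP-01 serves
// and the input to the DNS-01 record value.
func KeyAuthorization(token string, pub *ecdsa.PublicKey) (string, error) {
	tp, err := JWKThumbprint(pub)
	if err != nil {
		return "", err
	}
	return token + "." + tp, nil
}

// DNS01TXTValue is the TXT record content for _acme-challenge.<domain>:
// base64url(SHA-256(keyAuthorization)) without padding.
func DNS01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// HTTP01Handler serves the key authorization at the well-known path the CA
// fetches over plain HTTP on port 80, and 404 for any other path or method.
func HTTP01Handler(token, keyAuth string) http.Handler {
	path := "/.well-known/acme-challenge/" + token
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet || r.URL.Path != path {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		fmt.Fprint(w, keyAuth)
	})
}

func main() {
	key, err := GenerateAccountKey()
	if err != nil {
		panic(err)
	}
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // sample token; a real one comes from the CA
	keyAuth, err := KeyAuthorization(token, &key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("HTTP-01 body at /.well-known/acme-challenge/" + token + ": " + keyAuth)
	fmt.Println("DNS-01 TXT value for _acme-challenge.example.com: " + DNS01TXTValue(keyAuth))
	// To actually answer HTTP-01: http.ListenAndServe(":80", HTTP01Handler(token, keyAuth))
}
```

Note that the CA fetches the HTTP-01 resource after its own authoritative DNS lookup, so the handler must be reachable on port 80 of whatever address the zone currently publishes; for DNS-01 only the TXT record has to be visible, which is why it works behind load balancers or with TLS terminated elsewhere.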
