Let's Encrypt primer
Zero-cost TLS for every Meridian deployment. Understand the ACME lifecycle, rate limits, and renewal strategy before you provision.
What it is
Let's Encrypt is a free, automated certificate authority backed by the Internet Security Research Group. It issues domain-validated X.509 certificates via the ACME protocol, trusted by all major root stores.
ACME flow in 60 seconds
- Your client registers an account with the CA.
- It requests a certificate for one or more domain names.
- The CA issues an HTTP-01 or DNS-01 challenge for each name; your client satisfies it to prove control.
- Once validated, the CA signs and returns the certificate chain.
- Your client stores the cert and schedules renewal before expiry.
Rate limits you must respect
- Certificates per registered domain: 50 per week.
- Duplicate certificate: 5 per week for the exact same set of hostnames.
- Failed validations: 5 failures per account, per hostname, per hour.
Renewal strategy
Certificates are valid for 90 days. Renew at the 60-day mark, retrying with exponential backoff on failure so a flapping validation never burns through the failed-validation limit. Prefer DNS-01 whenever wildcards or internal-only hosts are involved, since HTTP-01 can validate neither. Store account keys offline: a compromised account key lets an attacker revoke every certificate tied to that account.
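A small renewal planner that encodes the backoff rule above and the weekly limits from the list before it, as an added example in Go (not Meridian's tooling or lego's code): `Backoff` is the retry schedule and `IssuanceAllowed` is a pre-order check against the account's own issuance history. The `Issuance` record type, the 15-minute base delay and the assumption that hostnames arrive lowercased and sorted are the example's own.

```go
package main

import (
	"strings"
	"time"
)

const (
	week           = 7 * 24 * time.Hour // rate limits use a rolling one-week window
	perDomainLimit = 50                  // certificates per registered domain per week
	duplicateLimit = 5                   // certificates for the exact same hostname set per week
)

// Issuance is one certificate the account already obtained (constructed type); Names are assumed lowercased and sorted.
type Issuance struct {
	At               time.Time
	RegisteredDomain string
	Names            []string
}

// Backoff is the wait before retry number attempt (0-based): 15m, 30m, 1h, 2h ... capped at 24h.
// Only the 15m and 45m retries land inside the hour after a failure, under the 5-per-hour limit.
func Backoff(attempt int) time.Duration {
	if attempt >= 7 { // 15m<<7 = 32h, already past the cap
		return 24 * time.Hour
	}
	return 15 * time.Minute << uint(attempt)
}

// IssuanceAllowed returns the weekly limit a new order for names under registeredDomain would hit, or "" if it may proceed.
func IssuanceAllowed(history []Issuance, registeredDomain string, names []string, now time.Time) string {
	perDomain, dup, key := 0, 0, strings.Join(names, ",")
	for _, h := range history {
		inWindow := now.Sub(h.At) < week
		if inWindow && h.RegisteredDomain == registeredDomain {
			perDomain++
		}
		if inWindow && strings.Join(h.Names, ",") == key {
			dup++
		}
	}
	if perDomain >= perDomainLimit {
		return "registered-domain limit"
	}
	if dup >= duplicateLimit {
		return "duplicate-certificate limit"
	}
	return ""
}
```

Run the check before every order, not only on renewal, so a CI loop that re-issues on each deploy is refused locally instead of by the CA.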
Recommended clients
Certbot remains the reference implementation. For programmatic deployments, consider lego (Go) or acme.sh (shell). Meridian tooling wraps lego for headless renewal inside your infrastructure pipeline.
Next step
Walk through a full provisioning run in Let's Encrypt provisioning.