

5.1 ACME

Automatic Certificate Management Environment (ACME) is a protocol for the automated deployment of HTTPS certificates. It is perhaps the most commonly used method for obtaining SSL certificates nowadays. Before issuing a certificate for a domain or domains, the protocol verifies that the web server requesting the certificate actually controls these domains. This verification is based on various challenge types.

Pound supports the HTTP-01 challenge type (4). When issuing a certificate using this challenge type, the ACME client (a program responsible for periodically re-issuing certificates) obtains a challenge file from the authority and stores it in a predefined challenge directory. The authority then requests this file from the web server using a predefined URL, expecting the server to serve the file that the agent has just written. If the server returns the file, the claim to control the domain is proved and the certificate is issued.

Configuring pound to reply to challenge requests is as simple as putting an ACME statement in the ListenHTTP section of its configuration file. The statement takes a single argument: the name of the challenge directory.

ListenHTTP
    Address 0.0.0.0
    Port 80
    ACME "/var/lib/pound/.well-known/acme-challenge"
End

Needless to say, your ACME agent and pound must agree on this directory location. Configuration of various ACME agents is beyond the scope of this document. Please refer to the documentation of your agent for further details.
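To make the mechanism concrete, here is a small responder that does what the ACME statement above makes pound do: it maps a request for /.well-known/acme-challenge/<token> onto a file inside the configured challenge directory and serves it. This is an added example written for this page, not pound's own code; the directory path is taken from the configuration example above, the token and key authorization it writes are constructed, and the token syntax check follows the base64url form ACME tokens have (RFC 8555, section 8.3). The point worth seeing is that only a well-formed token is ever turned into a file name, so nothing outside the challenge directory can be served through this URL.

```python
"""HTTP-01 challenge responder (added example, not pound's own code).

Maps GET /.well-known/acme-challenge/<token> to a file of the same name in
the challenge directory that pound and the ACME agent must agree on.
"""
import os
import re
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

# The URL prefix the certificate authority uses for HTTP-01 validation.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# ACME tokens are unpadded base64url (RFC 8555 s.8.3).  Rejecting anything
# else before touching the filesystem means "..", "/" and the like can
# never form part of a file name.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def challenge_response(challenge_dir, path):
    """Return (status, body) for a request path.

    200 and the file contents when the path names a well-formed token whose
    file exists directly inside challenge_dir; 404 in every other case.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b""
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return 404, b""
    target = os.path.join(challenge_dir, token)
    # Belt and braces: confirm the resolved file really sits in the
    # challenge directory (this also refuses a symlink pointing elsewhere).
    real_dir = os.path.realpath(challenge_dir)
    real_target = os.path.realpath(target)
    if os.path.dirname(real_target) != real_dir:
        return 404, b""
    try:
        with open(real_target, "rb") as fh:
            return 200, fh.read()
    except OSError:
        return 404, b""


def make_handler(challenge_dir):
    """Build a request handler class bound to one challenge directory."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = challenge_response(challenge_dir, self.path.split("?", 1)[0])
            self.send_response(status)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler


def demo():
    """Exercise the responder against a constructed challenge directory."""
    with tempfile.TemporaryDirectory() as root:
        challenge_dir = os.path.join(root, "acme-challenge")
        os.mkdir(challenge_dir)
        # Constructed token and key authorization, as an ACME agent would
        # write them (the thumbprint here is a placeholder, not a real one).
        token = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
        key_auth = token.encode() + b".constructed-account-key-thumbprint"
        with open(os.path.join(challenge_dir, token), "wb") as fh:
            fh.write(key_auth)
        # A file next to, but outside, the challenge directory.
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("not for the CA\n")
        return {
            "valid": challenge_response(challenge_dir, CHALLENGE_PREFIX + token),
            "unknown_token": challenge_response(challenge_dir, CHALLENGE_PREFIX + "nosuchtoken"),
            "traversal": challenge_response(challenge_dir, CHALLENGE_PREFIX + "../secret.txt"),
            "other_path": challenge_response(challenge_dir, "/index.html"),
        }


if __name__ == "__main__":
    print(demo())
    # To serve a real challenge directory on port 80 the way the pound
    # configuration above does (path assumed from that example):
    # HTTPServer(("0.0.0.0", 80),
    #            make_handler("/var/lib/pound/.well-known/acme-challenge")).serve_forever()
```

Run it to see the valid token served with status 200 while an unknown token, a traversal attempt and any path outside the challenge prefix all get 404. The same two checks, a strict token syntax and a resolved-path comparison, are what you want from any component that exposes a writable directory over a fixed URL.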


Footnotes

(4) https://letsencrypt.org/docs/challenge-types/#http-01-challenge