Sectigo ACME SSL — Certificates That Renew Themselves
Sectigo ACME SSL certificates automate the entire certificate lifecycle using the industry-standard ACME protocol (RFC 8555). Backed by Sectigo, the world's largest commercial Certificate Authority, with a $500,000 warranty — from €20/year per domain.
No payment for 14 days • No obligations • Setup in 5 min
Manual SSL Management Is Now a Liability
SSL certificate lifetimes are shrinking. Fast. The CA/Browser Forum has approved mandatory shorter validity periods.
Get Started in Under 5 Minutes
No CSR generation. No validation forms. No waiting.
Enter Your Domains
Enter your domains in the form above, pick a subscription term, and click order. That's it.
Get EAB Credentials
Sign in with Google or email. Get your EAB Key ID and HMAC Key instantly. No manual approval.
Install & Forget
Copy-paste one command for certbot, acme.sh, or any ACME client. Auto-renewal handles the rest.
How Much Does Sectigo ACME SSL Cost?
All prices are per domain and exclude VAT. 3-year subscriptions save 10%.
Configure Your ACME SSL Order
Add your domains, pick a subscription term, and start your 14-day free trial.
LeaderSSL ACME vs Alternatives
See how Sectigo ACME compares to free alternatives and manual certificate management.
| Feature | LeaderSSL ACME | Let's Encrypt | ZeroSSL ACME | Manual SSL |
|---|---|---|---|---|
| Price | From €20/yr | Free | Free (limited) / $10+/mo | €50–200+/yr |
| Certificate types | DV, Wildcard | DV only | DV, Wildcard | DV, OV, EV |
| Warranty | $500,000 | None ($0) | None ($0) | Varies |
| Support | Mon–Fri 9–17 CET, Email & Chat | Community forums | Email (paid plans) | Varies |
| Rate limits | None | 50/domain/week | 3 certs (free tier) | N/A |
| Auto-renewal | ✓ ACME | ✓ ACME | ✓ ACME | ✗ Manual |
| Site seal | ✓ Sectigo branded | ✗ None | ✗ None | Varies |
| Free trial | 14 days, no payment | N/A | N/A | Varies |
| Multi-year discount | 10% off 3yr | N/A | Monthly billing only | Varies |
| CA reputation | Sectigo — world's largest commercial CA | ISRG (nonprofit) | Apilayer / HID Global | Varies |
One Command. Done.
Copy-paste a single command. Your ACME client handles issuance, installation, and automatic renewals.
Sectigo ACME server URL: https://acme.sectigo.com/v2/DV — compatible with any ACME v2 client including certbot, acme.sh, win-acme, and cert-manager.
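certbot:
```bash
sudo certbot certonly \
  --server https://acme.sectigo.com/v2/DV \
  --eab-kid YOUR_EAB_KEY_ID \
  --eab-hmac-key YOUR_EAB_HMAC_KEY \
  -d yourdomain.com \
  -d www.yourdomain.com
```
acme.sh:
```bash
# Register account
acme.sh --register-account \
  --server https://acme.sectigo.com/v2/DV \
  --eab-kid YOUR_EAB_KEY_ID \
  --eab-hmac-key YOUR_EAB_HMAC_KEY
# Issue certificate. acme.sh needs a validation mode; webroot is used here,
# and /var/www/html is a placeholder for your site's document root.
acme.sh --issue \
  --server https://acme.sectigo.com/v2/DV \
  -w /var/www/html \
  -d yourdomain.com \
  -d www.yourdomain.com
```
win-acme:
```
wacs.exe --source manual \
  --host yourdomain.com,www.yourdomain.com \
  --baseuri https://acme.sectigo.com/v2/DV \
  --eab-key-identifier YOUR_EAB_KEY_ID \
  --eab-key YOUR_EAB_HMAC_KEY \
  --installation iis
```
cert-manager:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sectigo-acme
spec:
  acme:
    server: https://acme.sectigo.com/v2/DV
    email: you@yourdomain.com
    # Required by cert-manager: Secret in which the ACME account key is stored
    # (the name is a placeholder).
    privateKeySecretRef:
      name: sectigo-acme-account-key
    externalAccountBinding:
      keyID: YOUR_EAB_KEY_ID
      # Secret holding the EAB HMAC key; for a ClusterIssuer it must exist
      # in cert-manager's own namespace.
      keySecretRef:
        name: sectigo-eab-hmac
        key: secret
    solvers:
      - http01:
          ingress:
            class: nginx
```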
Why Choose LeaderSSL for ACME SSL Automation
Over 13 years securing websites. Here's what sets us apart.
Official strategic partner of Sectigo, the world's largest commercial Certificate Authority.
Operating since 2012. Deep expertise in SSL certificate management and automation.
LeaderTelecom B.V., Amsterdam, Netherlands. GDPR-compliant by default.
Recognized as one of the fastest-growing companies in the Netherlands. Among only 78 companies to receive the award in 2024.
Every Sectigo ACME certificate includes a $500,000 warranty. Let's Encrypt offers $0.
Mon–Fri 9:00–17:00 CET, email & live chat. Real people helping you, not just community forums.
What Clients Say About Working With LeaderSSL
After wasting two weeks with a completely incompetent CA, I canceled the order and luckily stumbled across LeaderSSL. LeaderSSL provided support virtually in real-time, guided me through the whole process within only one day. Really outstanding service!
Ordering certificates is easy and fast and the support is unique, at the most competitive prices I've seen. I am looking forward to ordering more certificates for our business and our customers.
Frequently Asked Questions
Last updated: April 2026
How is this different from Let's Encrypt?
What happens after 14 days?
What is ACME and EAB?
Which ACME clients are supported?
Do I need technical knowledge?
Can I add more domains later?
What's included for free with www variants?
example.com, we include www.example.com at no extra cost (and vice versa). Both are covered under a single domain subscription.
What browsers and devices are supported?
What Is ACME and Why It Matters in 2026
ACME (Automated Certificate Management Environment) is an open internet standard defined in RFC 8555. It automates the entire SSL/TLS certificate lifecycle: domain validation, certificate issuance, installation, and renewal — without human intervention.
ACME is a protocol, not a Certificate Authority. Multiple CAs support ACME, including Sectigo (the world’s largest commercial CA), Let’s Encrypt (nonprofit), ZeroSSL, Google Trust Services, and Buypass. Each CA provides its own ACME server endpoint; for Sectigo, the ACME server URL is https://acme.sectigo.com/v2/DV.
The protocol works through a challenge-response mechanism. When you request a certificate, the CA issues a challenge to prove you control the domain. The ACME client on your server automatically solves this challenge, the CA verifies the solution, and the certificate is issued — typically in seconds.
Why Automation Is No Longer Optional
The CA/Browser Forum has voted to reduce maximum SSL certificate validity from 398 days to 47 days by March 2029. The transition is already underway:
- March 2026: Maximum validity reduced to 200 days (effective now)
- March 2027: Further reduction to 100 days (~4 renewals per year)
- March 2029: Final target of 47 days (~8 renewals per year)
For an organization managing 100 certificates, 47-day validity means approximately 800 renewal operations per year. Manual renewal at this scale is unsustainable. ACME automation eliminates this burden entirely — certificates are renewed automatically before expiry, with zero downtime and zero human intervention.
External Account Binding (EAB)
Unlike Let’s Encrypt, which allows anonymous registrations, commercial CAs like Sectigo use External Account Binding (EAB) to link your ACME client to your paid subscription. After ordering, you receive a Key ID and HMAC Key instantly. These credentials bind your ACME client to your Sectigo account, enabling automatic issuance of warranty-backed certificates under your subscription.
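What the binding looks like on the wire, as an added example (not code from this page, Sectigo, or any ACME client): the client MACs its account public key with the EAB HMAC key as RFC 8555 section 7.3.4 describes, and the CA checks that MAC before linking the account. The Key ID, HMAC key, account JWK and newAccount URL below are constructed placeholders, and `verify_eab` is a sketch of the CA-side check, not Sectigo's implementation.

```python
import base64
import binascii
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_eab_hmac_key(text: str) -> bytes:
    """Decode the HMAC key, rejecting copy-paste damage instead of guessing."""
    if any(ch.isspace() for ch in text):
        raise ValueError("EAB HMAC key contains spaces or line breaks")
    try:
        return base64.b64decode(text + "=" * (-len(text) % 4), altchars=b"-_", validate=True)
    except binascii.Error as exc:
        raise ValueError("EAB HMAC key is not valid Base64") from exc

def build_eab(kid: str, key: bytes, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: JWS over the account public key, MACed with the EAB key (HS256)."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    mac = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def verify_eab(eab: dict, key: bytes, request_jwk: dict) -> bool:
    """CA side: MAC must verify and the payload must be the key that signed the request."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    padded = eab["payload"] + "=" * (-len(eab["payload"]) % 4)
    bound_jwk = json.loads(base64.urlsafe_b64decode(padded))
    return hmac.compare_digest(expected, eab["signature"]) and bound_jwk == request_jwk

# Constructed sample values: not real credentials, not a real key.
SAMPLE_KID = "example-kid-0001"
SAMPLE_HMAC_KEY = b64url(b"constructed-sample-key")
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
NEW_ACCOUNT_URL = "https://acme.example/newAccount"  # assumed; read from the CA's directory

if __name__ == "__main__":
    secret = decode_eab_hmac_key(SAMPLE_HMAC_KEY)
    binding = build_eab(SAMPLE_KID, secret, SAMPLE_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(binding, indent=2))
    print("verifies:", verify_eab(binding, secret, SAMPLE_JWK))
```

Because the MAC covers the account key itself, a leaked Key ID alone is useless, while a leaked HMAC key lets another party bind their own account key to the subscription, so store it like any other secret.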
Who Needs ACME SSL Automation
ACME automation benefits any organization that manages SSL certificates at scale or values zero-downtime certificate lifecycle management.
DevOps and SRE Teams
Infrastructure teams managing dozens or hundreds of services across multiple environments (staging, production, disaster recovery) benefit most from ACME. Certificates are provisioned as part of the deployment pipeline using tools like cert-manager for Kubernetes, Traefik as a reverse proxy in container environments, or Certbot for traditional servers. No more spreadsheets tracking expiry dates.
SaaS and Multi-Tenant Platforms
Platforms that provide custom domains for customers (e-commerce shops, website builders, content platforms) need to provision SSL certificates dynamically. ACME enables automatic certificate issuance when a customer connects their domain, with automatic renewal thereafter.
E-Commerce and Financial Services
Businesses handling payment data require PCI DSS compliance, which mandates HTTPS encryption. A $500,000 warranty-backed Sectigo certificate provides the encryption together with a financial assurance that a free certificate does not offer. ACME ensures these certificates never expire unexpectedly.
Web Hosting and Managed Service Providers
Hosting companies managing thousands of client websites need automated certificate provisioning. Sectigo ACME’s absence of rate limits (unlike Let’s Encrypt’s 50 certificates per domain per week) makes it suitable for large-scale hosting operations.
IoT and Edge Computing
Connected devices and edge nodes require certificate-based authentication. ACME enables automated certificate rotation across device fleets without manual firmware updates or site visits.
ACME Domain Validation Methods Explained
The ACME protocol supports three domain validation challenge types. The choice depends on your infrastructure and whether you need wildcard certificates.
HTTP-01 Challenge
The most common method. The ACME client places a specific file at http://yourdomain.com/.well-known/acme-challenge/<token>, and the CA verifies it via HTTP request. Best for: single domains on servers with port 80 accessible. Limitation: cannot issue wildcard certificates.
DNS-01 Challenge
The ACME client creates a specific _acme-challenge.yourdomain.com TXT record in your DNS. The CA verifies the record exists. Best for: wildcard certificates (*.example.com), servers behind firewalls, and environments where port 80 is not available. Requires: DNS API access (Cloudflare, Route53, DigitalOcean DNS, etc.) for full automation.
TLS-ALPN-01 Challenge
Validation occurs over TLS on port 443 using the ALPN extension. Best for: environments where only port 443 is accessible (no port 80, no DNS API). Limitation: less widely supported by ACME clients.
Which Method Should You Choose?
- Need wildcard (*.example.com)? → DNS-01 is required
- Standard web server with port 80? → HTTP-01 is simplest
- Only port 443 available? → TLS-ALPN-01
- Behind a load balancer or CDN? → DNS-01 (avoids routing issues)
All three methods are fully supported by Sectigo ACME. The validation and issuance process completes in seconds regardless of the method chosen.
Automatic Certificate Renewal Setup
ACME clients handle renewal automatically, but they need to be triggered on a schedule. Here are the recommended approaches for ensuring your Sectigo ACME certificates renew before expiry.
Certbot (cron job)
Certbot installs a cron job or systemd timer automatically on most Linux distributions. Verify it exists:
```bash
# Check if certbot timer is active (systemd)
sudo systemctl status certbot.timer
# Or check cron
cat /etc/cron.d/certbot
```
If no timer exists, add one manually:
```
# Run renewal check twice daily (recommended by certbot)
0 0,12 * * * root certbot renew --quiet
```
acme.sh (built-in cron)
acme.sh automatically installs a daily cron job during setup. Verify:
```bash
crontab -l | grep acme.sh
# Expected output:
# 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh"
```
Kubernetes cert-manager
cert-manager monitors certificate expiry and triggers renewal automatically — no cron job needed. It renews certificates when they are within 30 days of expiry (configurable via renewBefore in the Certificate resource).
Common ACME Issues and How to Fix Them
EAB credentials rejected: "Invalid external account binding"
This means the Key ID or HMAC Key is incorrect. Double-check that you copied both values exactly from your LeaderSSL dashboard — extra spaces or line breaks will cause rejection. HMAC keys are Base64-encoded; ensure your ACME client supports this encoding (certbot and acme.sh do by default).
HTTP-01 challenge fails: "Fetching URL timed out"
The CA cannot reach your server on port 80. Common causes: firewall blocking inbound port 80, server behind a CDN or load balancer that intercepts .well-known/acme-challenge requests, or NGINX/Apache not serving the challenge directory. Verify with: curl http://yourdomain.com/.well-known/acme-challenge/test from an external machine.
DNS-01 challenge fails: "DNS record not found"
DNS propagation can take 1–5 minutes. If using Cloudflare or Route53 API, the update is near-instant, but other providers may be slower. Verify the TXT record exists: dig TXT _acme-challenge.yourdomain.com. Also check that your DNS provider API credentials are correct in your ACME client configuration.
Certificate issued but browser shows "Not Secure"
The certificate was issued but not installed correctly. Ensure your web server is configured to use the new certificate and full chain. For NGINX: check ssl_certificate and ssl_certificate_key paths, then reload: sudo nginx -s reload. For Apache: check SSLCertificateFile and restart.
Renewal fails silently
Check your ACME client logs. For certbot: sudo certbot renew --dry-run tests the renewal process without making changes. For acme.sh: acme.sh --renew -d yourdomain.com --force --debug. Common cause: the original validation method is no longer available (e.g., DNS API token expired, port 80 now blocked).
Sectigo ACME vs. Let’s Encrypt — When to Choose Which
Let’s Encrypt revolutionized the SSL industry by making DV certificates free and automated via the ACME protocol. It remains an excellent choice for personal projects, hobby sites, and development environments where cost is the primary concern.
However, for business-critical infrastructure, Sectigo ACME offers advantages that matter:
Warranty and Liability Protection
Sectigo ACME DV certificates include a $500,000 warranty that covers relying-party losses caused by certificate mis-issuance. Let’s Encrypt provides no warranty whatsoever. For businesses processing payments, handling customer data, or bound by contractual SLA requirements, this warranty provides essential financial protection.
No Rate Limits
Let’s Encrypt enforces strict rate limits: 50 certificates per registered domain per week, 5 duplicate certificates per week, and 300 new orders per account per 3 hours. These limits can block deployments during infrastructure migrations or large-scale provisioning events. Sectigo ACME has no rate limits — issue as many certificates as your subscription covers, whenever you need them.
Commercial Support
Let’s Encrypt support consists of community forums staffed by volunteers. Sectigo ACME includes business-hours support (Monday–Friday, 9:00–17:00 CET) via email and chat, with direct access to SSL specialists who can resolve issuance issues, configuration problems, and validation questions.
Organizational Validation (OV)
Let’s Encrypt only issues Domain Validated (DV) certificates. Sectigo also offers Organization Validated (OV) certificates via their ACME platform, with a $1,000,000 warranty and your company name in the certificate details. OV ACME subscriptions are available separately — contact us for details.
Branded Site Seal
Sectigo ACME certificates include a Sectigo-branded site seal — a visual trust indicator you can display on your website. Let’s Encrypt does not provide site seals. While site seals don’t affect encryption, they increase visitor trust, particularly for e-commerce and B2B sites.
When Let’s Encrypt Is the Right Choice
Let’s Encrypt is ideal for: personal blogs, open-source projects, development and staging environments, small sites with no commercial liability, and situations where budget is zero. It provides the same strong encryption as any other CA.
When Sectigo ACME Is the Better Choice
Choose Sectigo ACME for: production business websites, e-commerce and payment processing, enterprise and government environments, high-volume certificate provisioning (hosting, SaaS), compliance-driven industries (finance, healthcare), and any environment where downtime due to certificate issues would cause financial or reputational damage.
200-Day Validity Is Already Here
Don't wait for the next deadline. Automate your SSL certificates today.
Try Free for 14 Days
No payment for 14 days. No obligations. Setup in under 5 minutes.