# How Automatic SSL Certificates Work
A decade ago, getting HTTPS on a site meant paying a certificate authority, generating a CSR by hand, emailing documents, and manually installing a .crt file that expired in a year. Today you point a domain at a platform and HTTPS just appears, renewing itself forever. This guide explains the machinery behind that magic: the ACME protocol, domain validation, and automatic renewal.
The problem TLS solves
TLS (the successor to SSL — though everyone still says "SSL") does two things: it encrypts traffic so nobody can read it in transit, and it authenticates the server so you know you are talking to the real site, not an impostor. The authentication piece relies on a certificate signed by a Certificate Authority (CA) that browsers trust.
A certificate binds a domain name to a public key. Your browser trusts it because it chains up to a root CA in the browser's trust store.
Enter Let's Encrypt and ACME
The turning point was Let's Encrypt (2015), a free, automated, nonprofit CA. It introduced ACME (Automatic Certificate Management Environment), now standardized as RFC 8555 — a protocol for machines to request and renew certificates with zero human involvement.
The ACME flow, simplified:
- 1Your server (the ACME client) generates a key pair and registers an account with the CA.
- 2It requests a certificate for
example.com. - 3The CA issues a challenge to prove you control the domain.
- 4Your client satisfies the challenge.
- 5The CA validates it and issues the signed certificate.
- 6The client installs it and schedules renewal.
Domain validation challenges
The CA needs proof you actually control the domain. Two common challenge types:
HTTP-01
The CA gives your client a token. You must serve it at a well-known path:
http://example.com/.well-known/acme-challenge/<token>The CA fetches that URL. If it sees the right value, you have proven control. Simple, but it only works for a single hostname and requires port 80 to be reachable.
DNS-01
The CA gives you a value to publish as a TXT record:
_acme-challenge.example.com. TXT "gfj9Xq...Rg85nM"The CA queries DNS for that record. DNS-01 is more flexible — it supports wildcard certificates (*.example.com) and does not need an open port — but requires API access to your DNS provider.
A concrete example
If you ever manage certs yourself, the canonical client is Certbot:
# HTTP-01 challenge, nginx plugin handles install + renewal
sudo certbot --nginx -d example.com -d www.example.com
# Renewal is just:
sudo certbot renewMost setups install a systemd timer or cron job so certbot renew runs twice daily, renewing anything within 30 days of expiry. The command is a no-op until renewal is actually due.
Why short lifetimes and auto-renewal matter
Let's Encrypt certificates are valid for 90 days, and the ecosystem is moving toward even shorter lifetimes. Short lifetimes limit the damage if a key is compromised, but they make manual renewal impractical — which is the entire point. Short-lived certificates *force* automation, and automation means renewals never get forgotten. The classic outage "the SSL cert expired and nobody noticed" simply stops happening.
What platforms automate for you
When a managed platform offers "automatic SSL," here is what it is doing on your behalf:
- Running an ACME client against a CA (often Let's Encrypt or ZeroSSL).
- Completing HTTP-01 or DNS-01 challenges automatically when you add a custom domain.
- Provisioning the certificate, usually within seconds to minutes.
- Renewing well before expiry, with no action from you.
- Often handling HTTP→HTTPS redirects and modern TLS configuration (TLS 1.3, sane ciphers).
You should also see security niceties handled for you: HSTS headers, OCSP stapling, and certificate transparency logging.
Common gotchas
- DNS not pointed yet. HTTP-01 fails if the domain does not resolve to the platform. Add the DNS record first.
- CAA records can block issuance. A restrictive
CAArecord that only allows one CA will reject others. - Rate limits. Let's Encrypt limits certificates per domain per week — relevant if you script issuance in a loop.
- Mixed content. Even with a valid cert, pages loading
http://assets will warn. Use protocol-relative or HTTPS URLs.
SSL on PandaStack
PandaStack provisions and renews TLS certificates automatically for every app and custom domain. You add a domain, point DNS, and HTTPS is live — issuance and renewal run behind the Cloudflare/Kong edge with no certbot timers for you to babysit. The expired-certificate outage is one fewer thing on your on-call runbook.
References
- [RFC 8555: Automatic Certificate Management Environment (ACME)](https://datatracker.ietf.org/doc/html/rfc8555)
- [Let's Encrypt: How it works](https://letsencrypt.org/how-it-works/)
- [Certbot documentation](https://eff-certbot.readthedocs.io/)
- [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/)
---
Automatic SSL turned certificate management from a recurring chore into something you never think about. PandaStack handles issuance and renewal for every domain out of the box — deploy your first app free at [dashboard.pandastack.io](https://dashboard.pandastack.io).