Let's Encrypt (ACME)

Free, automated certificate authority that issues TLS/SSL certificates via the ACME protocol, enabling agents and automation to programmatically obtain, renew, and revoke certificates without manual intervention.

Evaluated Mar 06, 2026 (version: current)
Tags: Security, letsencrypt, tls, ssl, certificates, acme, free, https
⚙ Agent Friendliness: 72 / 100 (Can an agent use this?)
🔒 Security: 88 / 100 (Is it safe for agents?)
⚡ Reliability: 88 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 88
Error Messages: 80
Auth Simplicity: 80
Rate Limits: 82

🔒 Security

TLS Enforcement: 100
Auth Strength: 88
Scope Granularity: 75
Dep. Hygiene: 92
Secret Handling: 85

ACME protocol with domain validation (HTTP-01, DNS-01, TLS-ALPN-01). No passwords — domain control proves identity. Rate limits prevent abuse. Non-profit CA with strong security practices. Private key management is the agent's responsibility.

⚡ Reliability

Uptime/SLA: 92
Version Stability: 88
Breaking Changes: 88
Error Recovery: 85

Best When

You need free, automated TLS certificate management for public-facing domains and want to eliminate manual certificate procurement and renewal entirely.

Avoid When

You need EV certificates, code signing, internal PKI, or certificates valid longer than 90 days.

Use Cases

  • Automatically issuing TLS certificates for new domain/service deployments
  • Programmatic certificate renewal before expiry in infrastructure automation
  • Wildcard certificate issuance via DNS-01 challenge for entire domain coverage
  • Certificate revocation when services are decommissioned
  • Building certificate lifecycle management into agent-driven infrastructure pipelines

Not For

  • EV (Extended Validation) certificates requiring organizational identity display
  • Code signing certificates (Let's Encrypt only issues domain validation certificates)
  • Certificates with validity longer than 90 days (LE limit; use DigiCert for longer certs)
  • Internal PKI or private network certificates (no internal hostnames or IPs)

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: jwk
OAuth: No
Scopes: No

ACME protocol uses JSON Web Key (JWK) account keys for authentication. No traditional API keys — clients generate and manage their own key pairs. Account registration is the first step.

Pricing

Model: free
Free tier: Yes
Requires CC: No

Let's Encrypt is free for all users. Rate limits are generous for most use cases but can be hit during mass provisioning.

Agent Metadata

Pagination: none
Idempotent: Partial
Retry Guidance: Documented

Known Gotchas

  • Certificates are only valid for 90 days — automation must handle renewal at least every 60 days
  • Rate limits are per registered domain (eTLD+1), not per subdomain — hitting limits blocks all subdomains
  • HTTP-01 challenges require the domain to be publicly reachable — won't work for internal services
  • DNS-01 challenges require DNS API access with write permissions — more complex but enables wildcard certs
  • Production and staging environments are separate — always test with staging first to avoid burning rate limits

Scores are editorial opinions as of 2026-03-06.
