Meerkat ACME Web Service

RFC 8555 test endpoint for issuing short-lived DV TLS certificates from the Meerkat issuing CA. Supports standard ACME clients, account creation with subscriber terms acceptance, new orders, http-01 and dns-01 validation, finalization, certificate download, revocation with CRL regeneration, and ARI renewal windows per RFC 9773.

Tags: RFC 8555, RFC 9773 ARI, 90 days, http-01, dns-01, No EAB, CT embedded, 30-day DCV reuse, Revocation

Directory: https://thameur.org/acme/directory
Issuer: Meerkat Test Issuing CA 1 / ECC Issuing CA 1
Certificate Repository
Validity: 90 days
External Account Binding: Not required

Client Configuration

server = https://thameur.org/acme/directory

Implemented

  • Directory, nonce, account, order, authorization, challenge, finalize, certificate, revoke, and renewalInfo resources.
  • HTTP-01 at /.well-known/acme-challenge/<token> and DNS-01 at _acme-challenge.
  • RSA and P-256 account keys, RSA and ECDSA subscriber CSRs, one matching CA tree per issued certificate.
  • CAA checks before validation and again before finalization, reserved-name rejection, rate limiting, and embedded SCTs from the local CT test log.
  • Precertificate linting with the pkimetal TLS BR DV precertificate profile before final issuance; linter errors block issuance while warnings do not.
  • Post-issuance linting with the pkimetal TLS BR DV certificate profile; error, fatal, or critical findings revoke the signed certificate and abort the ACME order.
  • Subscriber certificates omit commonName; every DNS identifier is carried in a critical subjectAltName extension.
  • Subscriber certificate keys accepted: RSA 2048 bits or larger, and ECDSA P-256, P-384, or P-521.
  • Revocation via revoke-cert with reason codes 0, 1, 3, 4, and 5; triggers immediate CRL regeneration.
  • ARI (RFC 9773) renewal windows computed from each certificate's actual validity period; revoked certificates return an immediate window.

Renewal Information (ARI)

This endpoint implements RFC 9773 ACME Renewal Information. Clients that support ARI query renewalInfo to learn when they should renew an existing certificate, without waiting for expiry or using a fixed schedule.

The certID path parameter is three dot-separated base64url values: the SHA-256 hash of the issuer's subject name, the SHA-256 hash of the issuer's public key, and the DER-encoded serial number. ARI-capable clients such as Certbot 2.9+ and lego 4.14+ compute and append this automatically.

For a valid 90-day certificate the suggested window covers roughly the final third of the validity period — approximately 30 days before expiry through 15 days before expiry. For a revoked certificate the window is returned as immediate (now through +24 h), prompting the client to renew without delay.

Renewal itself is standard ACME re-issuance: create a fresh order, reuse any still-valid completed DCV, complete missing authorizations, finalize with a new CSR, and download the new certificate.
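The window computation described above, as an added Python example that is not code from the Meerkat service: the one-third and one-sixth fractions of the validity period are an assumption chosen to reproduce the 30-day and 15-day figures for a 90-day certificate, and the sample dates are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

IMMEDIATE_WINDOW = timedelta(hours=24)  # revoked: renew now .. +24 h

# Constructed sample: a 90-day certificate issued 2025-01-01, expiring 2025-04-01.
SAMPLE_NOT_BEFORE = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2025, 4, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)  # inside the window


def suggested_window(not_before, not_after, revoked_at=None, now=None):
    """Return (start, end) of the RFC 9773 suggestedWindow for one certificate.

    Assumption: the window opens one third of the validity period before
    notAfter and closes one sixth before it, which for a 90-day certificate
    is 30 days and 15 days before expiry. A revoked certificate gets an
    immediate window so the client renews without delay.
    """
    now = now or datetime.now(timezone.utc)
    if revoked_at is not None:
        return now, now + IMMEDIATE_WINDOW
    validity = not_after - not_before
    # Dividing a timedelta by an int is exact: 90 days gives 30 and 15 days.
    return not_after - validity / 3, not_after - validity / 6


def rfc3339(dt):
    """Format a timezone-aware datetime the way ARI responses carry timestamps."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def renewal_info(not_before, not_after, revoked_at=None, now=None):
    """JSON body the renewalInfo resource returns for this certificate."""
    start, end = suggested_window(not_before, not_after, revoked_at, now)
    return {"suggestedWindow": {"start": rfc3339(start), "end": rfc3339(end)}}


def should_renew(not_before, not_after, revoked_at=None, now=None):
    """Client-side check: renew once the current time has entered the window."""
    now = now or datetime.now(timezone.utc)
    start, _ = suggested_window(not_before, not_after, revoked_at, now)
    return now >= start


if __name__ == "__main__":
    print(json.dumps(renewal_info(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER), indent=2))
```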

Reuse Policy

  • Pending challenge tokens are reusable for 1 day for the same account, base domain, wildcard flag, and challenge method.
  • Completed DCV is reusable for 30 days, scoped to the ACME account and validated base domain.
  • Wildcard requests require wildcard-capable validation; a regular base-domain validation is not reused for wildcard issuance.
  • For parent plus wildcard, DNS-01 validation uses the same base-domain challenge name.
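The reuse rules above encoded as a lookup, added here as an illustration rather than the service's own code; the Authz record, the reading of "base domain" as the identifier without its leading "*.", the assumption that a wildcard-capable validation also covers the bare base domain, and the sample store are mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PENDING_TTL = timedelta(days=1)     # pending challenge tokens live 1 day
COMPLETED_TTL = timedelta(days=30)  # completed DCV lives 30 days


@dataclass
class Authz:
    account: str      # ACME account the authorization belongs to
    base_domain: str  # identifier with any leading "*." removed (assumption)
    wildcard: bool    # validated, or pending, for wildcard issuance
    method: str       # "http-01" or "dns-01"
    status: str       # "pending" or "valid"
    created: datetime


def split_identifier(identifier):
    """Return (base_domain, wants_wildcard) for an ACME DNS identifier."""
    if identifier.startswith("*."):
        return identifier[2:], True
    return identifier, False


def reusable_authz(existing, account, identifier, method, now):
    """Return the first stored authorization the reuse policy allows, else None.

    Completed DCV: same account and base domain, at most 30 days old; a wildcard
    request additionally needs wildcard-capable validation. Pending token: same
    account, base domain, wildcard flag and method, at most 1 day old.
    """
    base, wants_wildcard = split_identifier(identifier)
    for a in existing:
        if a.account != account or a.base_domain != base:
            continue
        age = now - a.created
        if a.status == "valid" and age <= COMPLETED_TTL:
            if wants_wildcard and not a.wildcard:
                continue  # plain base-domain DCV never satisfies a wildcard order
            return a  # assumption: wildcard-capable DCV also covers the base domain
        if a.status == "pending" and age <= PENDING_TTL:
            if a.wildcard == wants_wildcard and a.method == method:
                return a
    return None


# Constructed sample store for one account, evaluated at a fixed "now".
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)
STORE = [
    Authz("acct-1", "example.com", False, "http-01", "valid", NOW - timedelta(days=10)),
    Authz("acct-1", "example.com", True, "dns-01", "valid", NOW - timedelta(days=40)),
    Authz("acct-1", "example.com", True, "dns-01", "pending", NOW - timedelta(hours=2)),
]
```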

Terms Link

The ACME directory advertises the subscriber agreement through the meta.termsOfService URL. Clients such as Certbot, lego, and acme.sh surface or accept this through their normal terms acceptance flags.

https://thameur.org/acme/eula

Issue with ACME Clients

These examples assume the client is already installed, the account email is yours, HTTP-01 webroot paths are reachable on port 80, and DNS-01 provider credentials are configured in the client environment.

Certbot

Current Certbot defaults to ECDSA P-256 for new certificates. Use --key-type rsa with --rsa-key-size for RSA, or --key-type ecdsa with --elliptic-curve for ECDSA.

Single domain, HTTP-01 webroot
certbot certonly --server https://thameur.org/acme/directory \
  --agree-tos --email admin@example.com \
  --webroot -w /var/www/example.com \
  -d example.com
Multiple names in one certificate
certbot certonly --server https://thameur.org/acme/directory \
  --agree-tos --email admin@example.com \
  --webroot -w /var/www/example.com \
  -d example.com -d www.example.com -d app.example.com
Wildcard, DNS-01
certbot certonly --server https://thameur.org/acme/directory \
  --agree-tos --email admin@example.com \
  --manual --preferred-challenges dns \
  -d '*.example.com'
Force RSA 4096
certbot certonly --server https://thameur.org/acme/directory \
  --agree-tos --email admin@example.com \
  --key-type rsa --rsa-key-size 4096 \
  --webroot -w /var/www/example.com \
  -d example.com
Force ECDSA P-384
certbot certonly --server https://thameur.org/acme/directory \
  --agree-tos --email admin@example.com \
  --key-type ecdsa --elliptic-curve secp384r1 \
  --webroot -w /var/www/example.com \
  -d example.com

lego

lego defaults to ec256. Use --key-type with ec256, ec384, rsa2048, rsa3072, rsa4096, or rsa8192.

Single domain, HTTP-01 webroot
lego --server https://thameur.org/acme/directory \
  --email admin@example.com --accept-tos \
  --http --http.webroot /var/www/example.com \
  --domains example.com run
Multiple names in one certificate
lego --server https://thameur.org/acme/directory \
  --email admin@example.com --accept-tos \
  --http --http.webroot /var/www/example.com \
  --domains example.com --domains www.example.com run
Wildcard, DNS-01
lego --server https://thameur.org/acme/directory \
  --email admin@example.com --accept-tos \
  --dns cloudflare \
  --domains '*.example.com' run
Force RSA 4096
lego --server https://thameur.org/acme/directory \
  --email admin@example.com --accept-tos \
  --key-type rsa4096 \
  --http --http.webroot /var/www/example.com \
  --domains example.com run
Force ECDSA P-384
lego --server https://thameur.org/acme/directory \
  --email admin@example.com --accept-tos \
  --key-type ec384 \
  --http --http.webroot /var/www/example.com \
  --domains example.com run

acme.sh

acme.sh defaults to ec-256. Use --keylength for certificate key selection: ec-256, ec-384, ec-521, 2048, 3072, 4096, or 8192.

Single domain, HTTP-01 webroot
acme.sh --server https://thameur.org/acme/directory \
  --issue -d example.com \
  -w /var/www/example.com \
  --accountemail admin@example.com
Multiple names in one certificate
acme.sh --server https://thameur.org/acme/directory \
  --issue -d example.com -d www.example.com \
  -w /var/www/example.com \
  --accountemail admin@example.com
Wildcard, DNS-01
acme.sh --server https://thameur.org/acme/directory \
  --issue --dns dns_cf \
  -d '*.example.com' \
  --accountemail admin@example.com
Force RSA 4096
acme.sh --server https://thameur.org/acme/directory \
  --issue -d example.com \
  -w /var/www/example.com \
  --keylength 4096 \
  --accountemail admin@example.com
Force ECDSA P-384
acme.sh --server https://thameur.org/acme/directory \
  --issue -d example.com \
  -w /var/www/example.com \
  --keylength ec-384 --ecc \
  --accountemail admin@example.com

Revocation

Certificates can be revoked by the account that issued them using the ACME revoke-cert resource. The server marks the certificate in the CA database, regenerates the CRL immediately, and updates the order's revocation timestamp so the ARI endpoint returns an immediate renewal window.

Supported Reason Codes

Code  Reason                When to use
0     unspecified           General revocation with no specific reason.
1     keyCompromise         The certificate's private key was exposed or may have been stolen.
3     affiliationChanged    The subject's organizational affiliation has changed.
4     superseded            The certificate has been replaced by a newer one.
5     cessationOfOperation  The entity named in the certificate no longer operates the domain.

Certbot

Point --cert-name at the certificate you want to revoke. The --reason flag is optional; omit it for code 0.

Revoke (unspecified)
certbot revoke \
  --server https://thameur.org/acme/directory \
  --cert-name example.com
Revoke — key compromise
certbot revoke \
  --server https://thameur.org/acme/directory \
  --cert-name example.com \
  --reason keyCompromise
Revoke — superseded
certbot revoke \
  --server https://thameur.org/acme/directory \
  --cert-name example.com \
  --reason superseded

lego

Pass the PEM file path with --cert. Use --reason for a specific reason code (integer).

Revoke (unspecified)
lego --server https://thameur.org/acme/directory \
  --email admin@example.com \
  revoke --cert .lego/certificates/example.com.crt
Revoke — key compromise
lego --server https://thameur.org/acme/directory \
  --email admin@example.com \
  revoke --reason 1 \
  --cert .lego/certificates/example.com.crt
Revoke — superseded
lego --server https://thameur.org/acme/directory \
  --email admin@example.com \
  revoke --reason 4 \
  --cert .lego/certificates/example.com.crt

acme.sh

acme.sh revokes by domain. Add --ecc for ECDSA certificates. The optional --revoke-reason integer maps directly to the ACME reason code.

Revoke (unspecified)
acme.sh --server https://thameur.org/acme/directory \
  --revoke -d example.com
Revoke — key compromise
acme.sh --server https://thameur.org/acme/directory \
  --revoke -d example.com \
  --revoke-reason 1
Revoke — superseded (ECDSA)
acme.sh --server https://thameur.org/acme/directory \
  --revoke -d example.com \
  --revoke-reason 4 --ecc

Testing

Use the local ACME Endpoint Tester with the directory URL above to inspect every request and response, including raw JWS exchanges and revocation.
