In collaboration with the Internet Engineering Task Force (IETF) community, we have developed the ACME (Automatic Certificate Management Environment) standard, which enables completely automated certificate issuance. This pioneering open standard is now supported by a multitude of clients across the globe, simplifying the previously complex process of obtaining digital certificates. Additionally, on the server side, we are excited to share that we have two open-source ACME server implementations available to facilitate developers.

The more extensive implementation, which our team utilizes in production environments, is aptly named Boulder. Boulder is equipped to manage all aspects and intricacies necessary for a functioning certificate authority. This includes essential components such as policy compliance, database interfaces, challenge verifications, and logging mechanisms. Developers looking to run a real certificate authority, including internal, non-publicly-trusted ACME certificate authorities within their organizations, can customize and deploy Boulder to meet their specific needs.

On the other hand, we have a smaller implementation known as Pebble. Pebble is exclusively designed for testing purposes and should not be used as a production certificate authority. Both we and ACME client developers leverage Pebble for various automated and manual testing scenarios. For instance, Certbot, a widely-used ACME client, has relied on Pebble during its development for years, allowing it to carry out a series of fundamental yet realistic evaluations on its ability to request and obtain certificates from an ACME server.

Pebble: A User-Friendly Solution for ACME Client Testing

For developers or teams creating ACME client applications, Pebble serves as an invaluable resource, addressing common challenges such as verifying the correct implementation of ACME protocols. With Pebble, developers can ascertain whether they can successfully obtain certificates from a certificate authority without needing a real domain name or facing the constraints of CA rate limits during routine testing.

The beauty of Pebble lies in its simplicity. It operates entirely in RAM without requiring any dependencies or persistent storage. Developers can get Pebble operational with a single command in Golang within mere seconds and immediately commence making local ACME requests. This ease of setup is perfect for incorporation into a clients integration test suite, enabling realistic integration testing without the usual worries about real domains, CA limitations, or potential network issues.

Pebbles utility is evident in its use within the official test suites for numerous ACME clients, including getssl, Lego, Certbot, simp_le, and others. In many instances, changes committed to the codebases of ACME clients are automatically tested against Pebble, ensuring ongoing compatibility and functionality.

Pebble vs. Boulder: A Deliberate Design Choice

Pebble has been intentionally designed to differ from Boulder in several aspects, providing clients with the opportunity to engage with slightly different ACME implementations. According to the Pebble code documentation, it states:

[I]n places where the ACME specification allows customization or CA choice, Pebble aims to make choices different from Boulder.

For example, while the Lets Encrypt service offers its newAccount resource at the endpoint /acme/new-acct, Pebble opts for a different name, /sign-me-up. This distinction encourages clients to refer to the directory rather than assuming a particular path. Other notable differences include:

  • Pebble intentionally rejects 5% of all requests as invalid due to nonce errors, even if the nonce is otherwise valid, allowing clients to test their responses to such error conditions.
  • Pebble reuses valid authorizations only 50% of the time, enabling clients to validate their ability to perform checks under unexpected circumstances.
  • Pebble truncates timestamps with a different level of precision compared to Boulder.
  • Unlike Boulder, Pebble respects the notBefore and notAfter fields in new-order requests.

This design philosophy ensures that ACME clients can effectively work with both versions, testing their compliance with the ACME specification without making assumptions about the Lets Encrypt services behavior. As a result, this approach fosters compatibility with other ACME certificate authorities and prepares clients for future iterations of Lets Encrypts API.

A Valuable Resource as ACME Evolves

Pebble serves not only Lets Encrypt but also the broader community of ACME client developers as we continue to innovate and evolve the ACME standard. Often, we test new ACME features by implementing them in Pebble, at least in a simplified form, before incorporating them into Boulder. This strategy allows both our team and client developers to experiment with new features before they are rolled out in our staging service, enabling rapid iteration and testing.

We strongly encourage ACME client developers to utilize a copy of Pebble to rigorously test their clients functionality and ensure interoperability with the ACME standard. This practice enhances the accuracy and robustness of their client applications, ultimately benefiting the entire ecosystem.

Get Started with Pebble Today

Are you interested in trying out Pebble with your ACME client right now? Setting it up on a Unix-like system is straightforward. Simply run the following commands:

git clone https:cd pebblego run ./cmd/pebble

In just a few seconds, youll have a fully operational ACME CA directory available at https:

We welcome contributions to Pebbles codebase. ACME client developers are encouraged to add simple versions of ACME features not currently tested in Pebble to enhance their test suites. Additionally, if you identify any unintended discrepancies between Pebble and Boulder or between Pebble and the ACME specification, we would love to hear from you.