Install an ACME client (Certbot, acme.sh, or a language-specific library) and generate or reuse an account key pair for registration with the ACME server
Submit a certificate order for your domain(s) to the ACME server's newOrder endpoint; the server responds with a list of authorization challenges
For the http-01 challenge, create a file at /.well-known/acme-challenge/TOKEN on your web server containing the key authorization string provided by your ACME client; the file must be served over plain HTTP on port 80
Notify the ACME server that the challenge is ready; the server then sends an HTTP GET request to the challenge URL to verify it; once verified, the authorization is marked valid
Generate a certificate signing request (CSR) with your domain's private key and submit it to the ACME server's finalize endpoint; download the issued certificate chain
Configure your web server to use the new certificate and private key; schedule automated renewal at least 30 days before the 90-day expiry and test renewal in a staging environment first using the Let's Encrypt staging directory
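What the http-01 step above writes to disk, as an added example (not code from the original page or from any ACME client): the key authorization is the token, a dot, and the base64url SHA-256 thumbprint of the account public key in JWK form (RFC 8555 section 8.1, RFC 7638). The JWK, token and webroot are constructed sample values, and the token check guards the webroot against path traversal from a malformed token.

```python
import base64
import hashlib
import json
import re
from pathlib import Path

# RFC 7638: only these required members, sorted, enter the thumbprint.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
# RFC 8555 section 8.3: tokens use the base64url alphabet only.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def check_token(token: str) -> str:
    """Reject anything that could escape the challenge directory."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token has characters outside the base64url alphabet")
    return token

def key_authorization(token: str, jwk: dict) -> str:
    """Exact body of the challenge file: TOKEN.THUMBPRINT, no trailing data."""
    return f"{check_token(token)}.{jwk_thumbprint(jwk)}"

def challenge_path(webroot: str, token: str) -> Path:
    """File location served at /.well-known/acme-challenge/TOKEN."""
    return Path(webroot) / ".well-known" / "acme-challenge" / check_token(token)

# Constructed sample values: not a real account key or a real server token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "not-part-of-thumbprint",
              "x": "CONSTRUCTED_X_COORDINATE", "y": "CONSTRUCTED_Y_COORDINATE"}
SAMPLE_TOKEN = "CONSTRUCTED_TOKEN_0123456789abcdef"

if __name__ == "__main__":
    print(challenge_path("/var/www/html", SAMPLE_TOKEN))
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
```

The thumbprint depends only on the account key, so it is the same for every challenge issued to that account; only the token changes per authorization.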
Known gotchas
Let's Encrypt enforces rate limits on certificate issuance per registered domain per week; test against the staging environment to avoid exhausting production limits during development
The challenge file must be accessible without redirects from HTTP; if your server automatically redirects port 80 to HTTPS, the validation will fail unless you add an exception for the challenge path
Wildcard certificates require the dns-01 challenge, not http-01; http-01 can only validate specific hostnames that resolve to the server running the ACME client