Limitations for Using ACME Certificates

  • ACME certificates do not support:

    • Site-to-site VPN

    • Management interface in the converged mode

    • DNS authentication (DNS-01); only HTTP-01 is supported

    • Domain override

    • Wildcard certificates: These certificates secure a single domain and multiple subdomains using a wildcard character (*) in the domain name field.

    • Clustering

  • ACME certificates support only 2048-, 3072-, and 4096-bit key sizes for RSA keys and 256-, 384-, and 521-bit key sizes for ECDSA keys.

  • ACME enrollment is not compatible with control plane ACLs.

    When using Let's Encrypt with control plane ACLs:

    1. Disable the ACL before the ACME enrollment to allow port 80 access.

    2. Enroll the ACME certificate.

    3. Verify the enrollment.

    4. Re-enable the ACL.

    When using ACME servers other than Let's Encrypt with control plane ACLs, include the server's FQDN in the ACL.