For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Automating ACMEv2 Certificate Management on BIG-IP

Introduction While we often associate and confuse Let's Encrypt with ACMEv2, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol de...
Updated May 12, 2025
Version 2.0
ACME
ACMEv2
certificate
Let's Encrypt
security
Kevin_Stewart's avatar
Icon for Employee rankEmployee
Joined March 16, 2006
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
richaed's avatar
richaed
Icon for Altocumulus rankAltocumulus
Dec 28, 2025

I have questions regarding concerns when installing the ACME client directly on BIG-IP.
- Is it necessary to install and configure the ACME client each time a new load balancer is deployed?
- When equipment fails or is replaced, is it necessary to reinstall and reconfigure it on the replacement unit?
- Are there any ACME-related items that should be backed up in preparation for failures?
- If there are many load balancers, is running the ACME client within BIG-IP unsuitable?

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 28, 2025

- Is it necessary to install and configure the ACME client each time a new load balancer is deployed?

[K] Yes.
- When equipment fails or is replaced, is it necessary to reinstall and reconfigure it on the replacement unit?

[K] Yes.
- Are there any ACME-related items that should be backed up in preparation for failures?

[K] This is described in the project page: https://github.com/f5devcentral/kojot-acme, but mostly you need to save your config files in /shared/acme. The client uses these config files as "provider configs". instructing how to talk to the ACME server, and uses the data group entries as certificate configs, instructing which certificates to manage.
- If there are many load balancers, is running the ACME client within BIG-IP unsuitable?

[K] I assume you're asking if it's okay to run on one or a few BIG-IPs, vs. all of them. If that's the case, understand that the HTTP-01 validation is done at the BIG-IP that hosts the application, so you need the client on the BIG-IP that needs ACME cert renewal.