Applying for SSL Certificates via ACME in ServBay
ServBay supports the ACME protocol for automatically obtaining SSL/TLS certificates for your local development websites. The ACME (Automated Certificate Management Environment) protocol is a standard for automated certificate lifecycle management, including issuance, renewal, and revocation. Through ServBay's ACME management panel, you can easily configure trusted SSL certificates for your local sites, which is essential for simulating production environments and testing HTTPS features.
By default, ServBay uses ZeroSSL as the preferred CA for certificate issuance, but you can also choose other ACME-compatible Certificate Authorities (CAs), such as Let's Encrypt or Google Trust Services.
TIP
To make your local development environment as close to production as possible, using a trusted SSL certificate is crucial. ServBay’s ACME capabilities make the entire process exceptionally simple.
Key Concepts Explained
Understanding the following key concepts will help you make better use of ServBay’s ACME features:
- ACME Protocol: An open standard for automating interactions between Certificate Authorities (CAs) and servers, enabling certificate requests, renewals, and management.
- DNS-01 Validation (DNS API Method): ACME supports multiple domain ownership validation methods. ServBay primarily uses DNS-01, which means the CA will ask you to add a specific TXT record in your domain’s DNS configuration. Once the CA verifies the correct record exists, domain ownership is confirmed. Advantages of this approach include:
- Your local development environment doesn't need to be accessible from the public internet.
- It works even if local ports 80/443 are blocked by firewalls or your ISP.
- External Account Binding (EAB): For certain CAs (e.g., Google Trust Services or ZeroSSL), your ACME client (ServBay’s integrated acme.sh) needs to be bound to your CA account via EAB—typically with a Key ID and HMAC key—the first time you request a certificate.
- ECC vs RSA Certificates:
- RSA: A traditional encryption algorithm with high compatibility, but requires longer keys (e.g., 2048 or 4096 bits) for strong security, resulting in higher computational overhead.
- ECC (Elliptic Curve Cryptography): A modern algorithm that achieves the same security level with much shorter keys (e.g., 256 or 384 bits). ECC certificates offer better performance, faster handshakes, lower bandwidth consumption, and stronger forward secrecy. ServBay recommends ECC by default.
Prerequisites
ServBay uses the DNS API method for ACME certificate requests, so your local site doesn’t need to be publicly accessible. Before applying for SSL certificates via ACME, please ensure you meet the following requirements:
- Own a Domain Name: You must have a registered domain and control over its DNS records.
- Obtain DNS Provider API Key: During ACME issuance, the process requires adding/removing TXT records for validation automatically via the DNS API. So, get the API Key or credentials from your DNS service provider (which may differ from your registrar). See the official
acme.shWiki’s DNS API section (English): How to use DNS API for supported DNS providers and how to obtain their API keys. - Retrieve EAB Information (if using Google Trust Services or ZeroSSL for the first time): If you opt for Google Trust Services, obtain EAB credentials from Google Cloud. Reference Google Cloud’s official documentation: Obtaining EAB credentials from Google Cloud. ZeroSSL may require email verification or an API key for the first request.
Applying for SSL Certificates via ACME in ServBay
Follow these steps to request an SSL certificate for your local development site in ServBay:
Open the ServBay Management Panel Launch ServBay and access the management panel via the system menu bar or Dock icon.
Navigate to SSL Certificate Management In the left sidebar of the management panel, click on
SSL Certificates.Start a New Certificate Request In the SSL certificate management area (top right), click the
+button and selectApply for New Certificate.Configure Certificate Details
- Certificate Name: Enter a descriptive name for easy identification (e.g.,
servbay-demo-ssl). - Usage: Select
TLS/SSL. - Request Method: Choose
ACME.
- Certificate Name: Enter a descriptive name for easy identification (e.g.,
Select the Certificate Authority (CA) Under
Issuer, choose your preferred CA. The default isZeroSSL, but you can pickLet's EncryptorGoogle Trust Services. We'll useZeroSSLas an example here.Select the DNS API Provider From the
DNS API Providerdropdown, select your DNS host (e.g.,Cloudflare). This is the actual DNS provider hosting your records, which may differ from your domain registrar.Choose Certificate Algorithm and Key Length
- Algorithm: The default and recommended is
ECCfor its performance and security. For compatibility with older devices, you may selectRSA. - Key Length: For ECC, the default is
384bits (secure for most use-cases). For RSA, common choices are2048or4096bits.
- Algorithm: The default and recommended is
Set up Verification Information Based on your chosen
IssuerandDNS API Provider, relevant fields will appear for required verification info.- For ZeroSSL, you may need to input your email address.
- For Cloudflare DNS API, provide your API Key or access credentials—as per the guidance for your provider in the
acme.shWiki.
WARNING
Note: Only paste the value of the API key or secret. Do not include shell command prefixes like
exportin the input field.Set Domains In the
Domainfield, enter your domain (e.g.,servbay.demoor*.servbay.demo). For wildcard domains (*.servbay.demo), confirm your DNS provider supports automated wildcard TXT record management.Start the Request After confirming all details, click the
Requestbutton. ServBay will use the integratedacme.shtool and your DNS API info to verify your domain and apply for the certificate from the CA.

The application process may take some time, depending on DNS propagation and CA response speed. You can check logs or the certificate list in ServBay for progress. Once issued, your certificate will appear in the SSL Certificates list.
Stopping an Ongoing Request
While processing an ACME request, the Request button switches to Stop Request. If the process is stuck (e.g., due to slow DNS propagation or incorrect credentials), click Stop Request to terminate the current acme.sh process. You can then correct any information and resubmit, without waiting for a timeout.
Advanced Options: DNS Propagation Wait & Skipping DNS Self-Check
By default, acme.sh will, after adding the TXT record for validation, attempt to check locally if it’s in effect before notifying the CA. Certain network environments (such as those with local DNS hijacking, fake-ip mode, or mismatched local/public DNS resolution) may cause local validation to fail or hang, even if the TXT record is actually correct globally.
To address this, ServBay provides options during certificate request:
- Wait Seconds: Set how long to wait for DNS propagation (default:
120seconds). Before notifying the CA, ServBay waits to allow DNS records to propagate globally. - Skip DNS Self-Check: If enabled,
acme.shskips local DNS validation and sends the request to the CA after waiting the configured time. Useful if local DNS validation is unreliable due to hijacking (e.g., fake-ip mode).
TIP
For most users, with normal network and DNS environments, you don’t need to change these advanced options—defaults are fine. Only use “Skip DNS Self-Check” and increase wait time if you are sure the TXT record is correct globally but local validation keeps failing.
Using the Certificate in ServBay Site Configuration
Once your ACME certificate is issued, you can apply it to your website configuration in ServBay:
- Go to the
Sitessection in the left sidebar of the management panel. - Choose the site you wish to enable SSL for, then click the edit (pencil) icon on the right.
- In the site configuration page, locate
SSL Certificate. - From the dropdown, select the ACME certificate you just obtained.
- Make sure the
Enable SSLtoggle is switched on. - Save the configuration. Your site should now be accessible via HTTPS.

Renewal of ACME Certificates
Certificates from Let's Encrypt, ZeroSSL, and similar ACME CAs typically expire after 90 days. To ensure uninterrupted HTTPS protection, certificates need to be renewed before expiry.
ServBay automatically monitors the validity of certificates issued via ACME. When your certificate is nearing its expiry date, ServBay will try to renew it using your previously configured DNS API credentials.
As long as your DNS API credentials are valid and DNS hosting remains stable, you do not need to manually renew ACME certificates—ServBay handles everything in the background.
Frequently Asked Questions (FAQ) & Troubleshooting
- Application failed, DNS validation error?
- Double-check your DNS API credentials—make sure they are correct and have permission to modify TXT records.
- Confirm the
DNS API Provideryou chose in ServBay matches your actual DNS provider. - DNS changes may take several minutes or more to propagate—try to reapply after waiting.
- Make sure you entered your domain name(s) correctly.
- If TXT records are correct on public DNS but local validation fails (often due to DNS hijacking or fake-ip modes), try enabling the
Skip DNS Self-Checkoption and increase theWait Secondsaccordingly (see “Advanced Options” above).
- Application failed, EAB-related error?
- If you’re using Google Trust Services or ZeroSSL for the first time, ensure you’ve obtained and correctly entered your EAB creds.
- If you’ve previously succeeded but now fail, credentials may have expired or become invalid—get fresh EAB details.
- Application failed, rate limit error?
- Most CAs rate-limit certificate requests per domain or IP over time. Applying for too many certificates too quickly can trigger limits. Wait a few hours or days before retrying.
- Certificate application succeeded, but browser still shows site as not secure?
- Ensure the new certificate is applied to your site in ServBay and SSL is enabled.
- Clear your browser cache or try Incognito/Private mode for testing.
- Check your local Hosts file or network settings to ensure they point to ServBay correctly.
- When does ServBay attempt auto-renewal? ServBay typically starts renewal a set number of days before expiry (e.g., 30 days). As long as ServBay is running and network access is normal, renewals happen silently in the background.
Conclusion
ServBay offers powerful and user-friendly ACME integration, allowing developers to efficiently obtain and manage trusted SSL/TLS certificates for local development sites via the DNS API. This not only simplifies certificate management but—most importantly—helps create a production-like, HTTPS-ready local environment for more effective development and testing.
We hope this guide helps you seamlessly configure SSL certificates using ACME in ServBay, enhancing your local development experience.
