pebble
Pebble is a lightweight ACME test server built by Let's Encrypt to help developers test ACME client implementations. It mimics the Let's Encrypt protocol without the production complexity, making it ideal for integration testing and protocol experimentation.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | letsencrypt/pebble |
| Owner | letsencrypt |
| Primary language | Go |
| License | MPL-2.0 — OSI-approved |
| Stars | 782 |
| Forks | 175 |
| Open issues | 40 |
| Latest release | v2.10.1 (2026-04-20) |
| Last updated | 2026-07-03 |
| Source | https://github.com/letsencrypt/pebble |
What pebble is
Go-based RFC 8555 ACME server that intentionally drops state between invocations and randomizes keys/certificates to prevent production misuse. Supports HTTP-01, TLS-ALPN-01, and DNS-01 challenge validation with configurable validation ports (default 5002 for HTTP, 5001 for TLS-ALPN).
Get the pebble source
Clone the repository and explore it locally.
git clone https://github.com/letsencrypt/pebble.gitcd pebble# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Go toolchain (go install) or Docker; no pre-built binaries beyond container images distributed via GitHub Container Registry.
- Configure validation ports (5002 HTTP-01, 5001 TLS-ALPN-01) to avoid privilege escalation or port conflicts; ports are user-configurable via JSON config.
- Use PEBBLE_VA_NOSLEEP environment variable for full-speed testing or PEBBLE_VA_SLEEPTIME to control artificial validation delays (default 0-15 seconds).
- DNS resolution defaults to system resolver; configure -dnsserver flag or use pebble-challtestsrv sidecar for reliable DNS-01 validation in isolated environments.
- Enable -strict false flag if stability across releases is critical for CI; default may change to -strict true in future versions, introducing breaking changes.
When to avoid it — and what to weigh
- Production Certificate Authority Needs — Pebble explicitly drops all state between invocations, randomizes keys, and is designed with guardrails against production use. Do not deploy to production under any circumstances.
- Rate-Limit Testing — Pebble does not enforce rate limits, making it unsuitable for validating client behavior under quota constraints. Boulder or Let's Encrypt staging is required for that testing.
- Pre-Authorization or Cross-Account Revocation — Pebble lacks support for ACME pre-authorization and does not support revoking certificates issued by different accounts, limiting protocol coverage versus Boulder.
- Strict Domain Validation Requirements — Pebble performs less input validation than Boulder/Let's Encrypt; domain names rejected by production may be accepted, creating false-positive test results.
License & commercial use
Mozilla Public License 2.0 (MPL-2.0), a weak copyleft OSI-approved license. Permits commercial use, modification, and distribution provided source changes are disclosed under the same license; no patent grant.
MPL-2.0 allows commercial use in testing/development contexts (e.g., as part of a CI pipeline or internal QA tool). However, if you modify Pebble and distribute the modified version, those changes must be open-sourced under MPL-2.0. Consult legal review for embedded or redistributed scenarios. Use as-is in internal tools is unencumbered.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Pebble is intentionally insecure for testing: randomizes keys, drops state, and includes guardrails against production use. TLS certificates are generated randomly; accept them in test tools via INSECURE_SKIP_VERIFY or custom CA bundles. Validate ports (5002, 5001, 14000, 15000) are not exposed to untrusted networks in shared environments. Stateless design eliminates persistent credential compromise risk but also means no audit trail.
Alternatives to consider
Boulder (Let's Encrypt)
Production ACME server with full protocol support, rate limiting, and persistent storage. Operationally complex; requires MariaDB, gRPC, and orchestration. Use for production or comprehensive protocol testing.
Let's Encrypt Staging (acme-staging-v02.api.letsencrypt.org)
Free, public staging environment with production-like behavior, rate limits, and real certificate validation. Requires external network; not suitable for offline or air-gapped CI/CD. Recommended for final pre-production client validation.
ACME.sh / Certbot with --test-mode
Lightweight ACME clients with built-in test modes pointing to Let's Encrypt staging. Simpler for end-to-end testing of certificate provisioning but does not provide a local test server for other clients to validate against.
Build on pebble with DEV.co software developers
Start with Pebble today using Docker Compose or Go. Ideal for CI/CD integration and protocol development. Check the GitHub repo for examples and documentation.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
pebble FAQ
Can I use Pebble in production?
Why does Pebble randomize keys and certificates?
How do I test DNS-01 challenges with Pebble?
What ACME features does Pebble not support?
Work with a software development agency
Need help beyond evaluating pebble? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source testing integrations — and maintain them long-term.
Ready to Test ACME Implementations?
Start with Pebble today using Docker Compose or Go. Ideal for CI/CD integration and protocol development. Check the GitHub repo for examples and documentation.