diff --git a/docs/pages/application-access/getting-started.mdx b/docs/pages/application-access/getting-started.mdx
index 9b107f121a734..785ee588fa51d 100644
--- a/docs/pages/application-access/getting-started.mdx
+++ b/docs/pages/application-access/getting-started.mdx
@@ -31,31 +31,17 @@ $ docker run -d -p 3000:3000 grafana/grafana
```
## Step 2/3. Install and configure Teleport
+(!docs/pages/includes/permission-warning.mdx!)
Download the latest version of Teleport for your platform from our
[downloads page](https://goteleport.com/teleport/download).
-Teleport requires a valid TLS certificate to operate and can fetch one automatically
-using Let's Encrypt [ACME](https://letsencrypt.org/how-it-works/) protocol.
-
We will assume that you have configured DNS records for `teleport.example.com`
and `*.teleport.example.com` to point to the Teleport node.
-(!docs/pages/includes/permission-warning.mdx!)
-
-Let's generate a Teleport config with ACME enabled:
-
-```code
-$ sudo teleport configure --cluster-name=teleport.example.com --acme --acme-email=alice@example.com -o file
-```
+Teleport uses TLS to communicate with clients, and can fetch certificates automatically via Let's Encrypt.
-
- Teleport uses [TLS-ALPN-01](https://letsencrypt.org/docs/challenge-types/#tls-alpn-01)
- ACME challenge to validate certificate requests which only works on port `443`. Make sure your Teleport proxy is accessible on port `443` when using ACME for certificate management.
-
+(!docs/pages/includes/acme.mdx!)
Now start Teleport and point it to the application endpoint:
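Review bot: the cluster name in this page no longer matches the included snippet. The context lines above still tell the reader to create DNS records for `teleport.example.com` and `*.teleport.example.com`, but `(!docs/pages/includes/acme.mdx!)` hardcodes `--cluster-name=tele.example.com` and `public_addr: tele.example.com:443`, and replaces the page's `alice@example.com` with `user@example.com`. Either align the include with `teleport.example.com` or state explicitly that the reader must substitute the cluster name they configured in DNS. The removed command also used `sudo ... -o file`; the include's command does not, so nothing is written to `/etc/teleport.yaml` before the "Now start Teleport" step.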
diff --git a/docs/pages/application-access/guides/connecting-apps.mdx b/docs/pages/application-access/guides/connecting-apps.mdx
index 4468d6544d894..e13f68ec7af53 100644
--- a/docs/pages/application-access/guides/connecting-apps.mdx
+++ b/docs/pages/application-access/guides/connecting-apps.mdx
@@ -59,31 +59,13 @@ In our example:
- `teleport.example.com` will host the Access Plane.
- `*.teleport.example.com` will host all of the applications e.g. `grafana.teleport.example.com`.
-Teleport can obtain a certificate automatically from Let's Encrypt using
-[ACME](https://letsencrypt.org/how-it-works/) protocol.
-
-Enable ACME in your proxy config:
-
-```yaml
-proxy_service:
- enabled: "yes"
- web_listen_addr: "0.0.0.0:443"
- public_addr: "teleport.example.com:443"
- acme:
- enabled: "yes"
- email: alice@example.com
-```
-
-
- Teleport uses [TLS-ALPN-01](https://letsencrypt.org/docs/challenge-types/#tls-alpn-01)
- ACME challenge to validate certificate requests which only works on port `443`. Make sure your Teleport proxy is accessible on port `443` when using ACME for certificate management.
-
-
-Alternatively, if you have obtained certificate/key pairs for your domain
-(e.g. using [certbot](https://certbot.eff.org/)), they can be provided directly
+You can either configure Teleport to obtain a TLS certificate via Let's Encrypt or use an existing certificate and private key (e.g. using [certbot](https://certbot.eff.org/)).
+
+
+(!docs/pages/includes/acme.mdx!)
+
+
+If you have obtained certificate/key pairs for your domain they can be provided directly
to the proxy service:
```yaml
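Review bot: the new sentence "use an existing certificate and private key (e.g. using [certbot](https://certbot.eff.org/))" reads as if certbot were the way to use an existing key rather than the way to obtain one; the removed wording ("if you have obtained certificate/key pairs for your domain (e.g. using certbot)") was clearer, so consider "or use a certificate and private key you have already obtained (for example with certbot)". Two consecutive blank lines are added both before and after the include; one blank line on each side is enough. This page also states the Access Plane is `teleport.example.com`, while the include uses `tele.example.com`.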
@@ -97,6 +79,8 @@ proxy_service:
- key_file: "/etc/letsencrypt/live/*.teleport.example.com/privkey.pem"
cert_file: "/etc/letsencrypt/live/*.teleport.example.com/fullchain.pem"
```
+
+
### Create a user
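Review bot: the two added blank lines before `### Create a user` are redundant; a single blank line after the closing fence separates the heading correctly, and the extra one is inconsistent with the rest of the file.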
diff --git a/docs/pages/database-access/getting-started.mdx b/docs/pages/database-access/getting-started.mdx
index 51e4f6ff3cc42..2fd4868f87660 100644
--- a/docs/pages/database-access/getting-started.mdx
+++ b/docs/pages/database-access/getting-started.mdx
@@ -81,25 +81,9 @@ Download the appropriate version of Teleport for your platform from
our [downloads page](https://goteleport.com/teleport/download).
Teleport requires a valid TLS certificate to operate and can fetch one automatically
-using Let's Encrypt [ACME](https://letsencrypt.org/how-it-works/) protocol.
+using Let's Encrypt.
-We will assume that you have configured DNS records for `teleport.example.com` and
-`*.teleport.example.com` to point to the node where you're launching Teleport.
-
-Let's generate a Teleport config with ACME enabled:
-
-```code
-$ teleport configure --cluster-name=teleport.example.com --acme --acme-email=alice@example.com > /tmp/teleport.yaml
-```
-
-
- Teleport's ACME protocol integration currently requires web proxy to run on
- port 443 so open /tmp/teleport.yaml and update `proxy_service.web_listen_addr`
- and `proxy_service.public_addr` to use port 443 instead of the default 3080.
-
+(!docs/pages/includes/acme.mdx!)
Now start Teleport and point it to your Aurora database instance. Make sure to
update the database endpoint and region appropriately.
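Review bot: the DNS assumption ("We will assume that you have configured DNS records for `teleport.example.com` and `*.teleport.example.com` to point to the node where you're launching Teleport") is removed without a replacement, so this page no longer tells the reader which records Let's Encrypt will validate against, and the include then uses `tele.example.com` instead. Keep the sentence (adjusted to the include's domain, or vice versa) so the cluster name passed to `--cluster-name` is the one that resolves to the proxy. The removed note about changing 3080 to 443 can safely go, since the include shows `--acme` already producing the `:443` listener.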
diff --git a/docs/pages/getting-started/linux-server.mdx b/docs/pages/getting-started/linux-server.mdx
index c23165f0389df..19bfa25dc403a 100644
--- a/docs/pages/getting-started/linux-server.mdx
+++ b/docs/pages/getting-started/linux-server.mdx
@@ -96,18 +96,7 @@ Next, generate a configuration file for Teleport using the `teleport configure`
- Teleport uses the ACME protocol to request automatic TLS certificates from Let's Encrypt, which accesses an HTTP endpoint on your Teleport host in order to complete authentication challenges.
-
- Use the following command to configure Teleport:
-
- ```code
- $ sudo teleport configure --acme --acme-email=your-email@example.com --cluster-name=tele.example.com -o file
- # Wrote config to file "/etc/teleport.yaml". Now you can start the server. Happy Teleporting!
- ```
-
- The `--acme-email` flag indicates an email address that Let's Encrypt can use for notifications, and does *not* require the same domain name as your Teleport host.
-
- For the `--cluster-name` flag, enter the domain name you used when creating a DNS A record earlier.
+ (!docs/pages/includes/acme.mdx!)
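Review bot: the removed paragraph told the reader that `--cluster-name` must be "the domain name you used when creating a DNS A record earlier"; the include does not say this, and this guide is the one that walks through creating that record, so keep a one-line pointer after the include. The removed example also showed `sudo teleport configure ... -o file` with the output `Wrote config to file "/etc/teleport.yaml"`, whereas the include prints the configuration to stdout; if later steps on this page start Teleport from `/etc/teleport.yaml`, they will not find it.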
diff --git a/docs/pages/includes/acme.mdx b/docs/pages/includes/acme.mdx
new file mode 100644
index 0000000000000..8464812a887d4
--- /dev/null
+++ b/docs/pages/includes/acme.mdx
@@ -0,0 +1,21 @@
+Let's Encrypt verifies that you control the domain name of your Teleport deployment by communicating with the HTTPS server listening on port 443 of your Teleport Proxy Service.
+
+You can configure Teleport to complete the Let's Encrypt verification process—called the ACME protocol—by running the following `teleport configure` command, where `tele.example.com` is the domain name of your Teleport cluster and `user@example.com` is an email address used for notifications (you can use any domain):
+
+```code
+teleport configure --acme --acme-email=user@example.com --cluster-name=tele.example.com
+```
+
+The `--acme`, `--acme-email`, and `--cluster-name` flags will add the following settings to your Teleport configuration file:
+
+```yaml
+proxy_service:
+ enabled: "yes"
+ web_listen_addr: :443
+ public_addr: tele.example.com:443
+ acme:
+ enabled: "yes"
+ email: user@example.com
+```
+
+Port 443 on your Teleport Proxy Service host must allow traffic from all sources.
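Review bot: the `teleport configure` command drops the `-o file` flag and `sudo` that every caller page previously used, so it only prints the YAML instead of writing `/etc/teleport.yaml`; since the pages that include this snippet proceed to `sudo teleport start`, add `-o file` (and `sudo`) here or state that the output must be saved. The link to the TLS-ALPN-01 challenge type removed from the callers should also be kept: it is the reason port 443 specifically is required (an HTTP-01 challenge on port 80 would not work), and the final sentence "must allow traffic from all sources" is otherwise unexplained. Finally, most callers use `teleport.example.com` and `alice@example.com`, so consider matching those values or noting that the reader substitutes their own.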
diff --git a/docs/pages/includes/database-access/start-auth-proxy.mdx b/docs/pages/includes/database-access/start-auth-proxy.mdx
index 831667c42ce21..116c2dd655968 100644
--- a/docs/pages/includes/database-access/start-auth-proxy.mdx
+++ b/docs/pages/includes/database-access/start-auth-proxy.mdx
@@ -3,24 +3,13 @@ Download the latest version of Teleport for your platform from our
installation [instructions](../../installation.mdx).
Teleport requires a valid TLS certificate to operate and can fetch one automatically
-using Let's Encrypt [ACME](https://letsencrypt.org/how-it-works/) protocol. We
+using Let's Encrypt. We
will assume that you have configured DNS records for `teleport.example.com` and
`*.teleport.example.com` to point to the Teleport node.
-Generate Teleport config with ACME enabled:
+(!docs/pages/includes/acme.mdx!)
-```code
-$ teleport configure --cluster-name=teleport.example.com --acme --acme-email=alice@example.com -o file
-```
-
-
- Teleport uses [TLS-ALPN-01](https://letsencrypt.org/docs/challenge-types/#tls-alpn-01)
- ACME challenge to validate certificate requests which only works on port `443`.
- As such, in order to use ACME for certificate management, web proxy needs to
- be accessible on port `443`.
-
-
-Start Teleport Auth and Proxy services:
+Next, start the Teleport Auth and Proxy services:
```code
$ sudo teleport start
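Review bot: `sudo teleport start` immediately follows the include, but the include's `teleport configure` command neither runs under `sudo` nor passes `-o file` (the removed command did both), so `teleport start` would run without the generated ACME configuration. Either restore `-o file` in the include or add a step here that writes the output to `/etc/teleport.yaml`. The surrounding text also keeps `teleport.example.com` as the DNS name while the include configures `tele.example.com`.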
diff --git a/docs/pages/server-access/getting-started.mdx b/docs/pages/server-access/getting-started.mdx
index 4ea5d86a74d44..3dd439885974d 100644
--- a/docs/pages/server-access/getting-started.mdx
+++ b/docs/pages/server-access/getting-started.mdx
@@ -117,15 +117,9 @@ This guide introduces some of these common scenarios and how to interact with Te
3. Configure Teleport on the *Bastion Host*.
- Teleport will now automatically acquire an X.509 certificate using the ACME protocol.
+ Teleport uses TLS to communicate with clients, and can fetch certificates automatically via Let's Encrypt.
- ```code
- # Configure Teleport with TLS certs
- $ sudo teleport configure \
- --acme --acme-email=your_email@example.com \
- --cluster-name=tele.example.com \
- -o file
- ```
+ (!docs/pages/includes/acme.mdx!)
Run the command above on `tele.example.com`.
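Review bot: "Run the command above on `tele.example.com`" now refers to the include's `teleport configure` command, which unlike the removed `sudo teleport configure ... -o file` does not write a configuration file; if the next step on this page starts Teleport from `/etc/teleport.yaml`, the instruction should say to save the output there. The include is indented by one space to sit inside list item 3, which matches the removed block's indentation.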