
ACME challenges

When validating a domain with these ACME challenges, make sure to include challenge http or challenge dns in your sudo certbot command.

DigiCert supports two ACME challenges:

  • HTTP-01 (HTTP Practical Demonstration DCV)

  • DNS-01 (DNS TXT record DCV)

Acronyms in this article: Domain Name System (DNS), organization validation (OV), extended validation (EV), domain validation (DV), Hypertext Transfer Protocol (HTTP), domain control validation (DCV), Transport Layer Security (TLS), Application Programming Interface (API), Transmission Control Protocol (TCP)

Using the ACME challenges for DV certificates

If you’re using ACME to request DV certificates, you must use one of the ACME challenges to validate your domains.

Why can't I validate domains in advance?

DigiCert DV certificates don't support domain validation reuse. Therefore, you must validate the domains on your DV certificate as part of the certificate issuance process each time you order a certificate.

HTTP-01 challenge

The HTTP-01 challenge is the most widely used ACME challenge type. It's the easiest ACME challenge to automate because the ACME client does the work for you: it places a file containing a DigiCert-generated random value at a predetermined location on your web server. If your environment is set up correctly, the ACME client completes the domain validation without further input from you. See Allowlists and Port 80 later in this article.
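As an added example (not DigiCert's or Certbot's code), the Python script below shows what an ACME client actually publishes for an HTTP-01 challenge. The file body is the key authorization defined in RFC 8555: the challenge token, a dot, and the JWK thumbprint (RFC 7638) of the ACME account key, served at the predetermined path /.well-known/acme-challenge/<token>. The script then serves that file from a loopback port and fetches it the way the CA would. The account key and token are sample values taken from the RFC examples, not real credentials, and the loopback port stands in for TCP port 80.

```python
"""HTTP-01 key authorization plus a loopback check of the served file.

Added example, not DigiCert's or Certbot's code. Follows RFC 8555 section 8.1
(key authorization) and RFC 7638 (JWK thumbprint).
"""
import base64
import functools
import hashlib
import json
import os
import tempfile
import threading
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members only, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects to fetch: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    """Predetermined location of the challenge file on the web server."""
    return CHALLENGE_DIR + token


def response_matches(body: bytes, expected: str) -> bool:
    """RFC 8555 lets the CA ignore whitespace after the body (for example a trailing newline)."""
    return body.decode("utf-8", "replace").rstrip() == expected


def serve_and_check(token: str, jwk: dict) -> bool:
    """Write the file as an ACME client would, serve it from a loopback port,
    then fetch it over plain HTTP as the CA would (over port 80 in production)."""
    expected = key_authorization(token, jwk)
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, challenge_path(token).lstrip("/"))
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write(expected + "\n")  # the trailing newline is tolerated by the CA
        handler = functools.partial(SimpleHTTPRequestHandler, directory=root)
        server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            port = server.server_address[1]
            url = f"http://127.0.0.1:{port}{challenge_path(token)}"
            with urllib.request.urlopen(url, timeout=5) as resp:
                return resp.status == 200 and response_matches(resp.read(), expected)
        finally:
            server.shutdown()
            server.server_close()


# Sample values only: the EC public key from RFC 7517 Appendix A.1 and the
# token from the RFC 8555 examples. Not real account credentials.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
              "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("HTTP-01 path:  ", challenge_path(SAMPLE_TOKEN))
    print("Expected body: ", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("Loopback check:", serve_and_check(SAMPLE_TOKEN, SAMPLE_JWK))
```

The thumbprint is computed over the required JWK members only, so extra members such as "use" or a different key order do not change it; this is what lets the CA tie the token to your account key without a shared secret. Running the same fetch against your real host on port 80 from outside your network is a quick way to confirm the allowlist and port 80 points discussed below before you start an order.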

Items to note when using the HTTP-01 challenge

  • You can use the HTTP-01 challenge to validate a domain that has a CNAME record pointing to another domain (for example, yourdomain.com points to yourdomain.net).

  • You can’t use the HTTP-01 challenge to validate IPv4 and IPv6 addresses.

    DigiCert doesn't support using the HTTP-01 challenge to validate IP addresses.

    • If your OV or EV TLS certificate includes an IP address, you must prevalidate your IP addresses before using ACME, or use the manual certificate request and installation process. Both options allow you to use the HTTP Practical Demonstration DCV method to validate your IP addresses.

    • If your DV certificate includes an IP address, you must use the manual certificate request and installation process. You can’t use ACME to get a DigiCert DV certificate that includes an IP address.

      The manual certificate request and installation workflow allows you to use HTTP Practical Demonstration to validate your IP addresses while the order is pending.

  • You can't use the HTTP-01 challenge to:

    • Validate wildcard domains, such as *.example.com.

    • Validate subdomains while validating a higher-level domain.

      For example, if you want to cover www.example.com, mail.example.com, and one.example.com while validating the higher-level domain example.com, use another DCV method.

    • Validate entire domains and subdomains.

Allowlists

Depending on your firewall configurations, you may need to add specific DigiCert IP addresses to your "allowlist." For the HTTP Practical Demonstration domain validation process to succeed, DigiCert must access the file containing the DigiCert-generated random value at the predetermined location.

Learn more about the IP addresses DigiCert uses for the HTTP Practical Demonstration check.

Port 80

To use the HTTP-01 validation, ensure your server is configured to respond on TCP port 80. The ACME client adds lines to the virtual host configuration for port 80.

If your firewall restricts access to port 80—including blocks based on geographic location—you must unblock it to allow traffic.

DNS-01 challenge

The DNS-01 challenge is used less often and is harder to automate. By default, you must create the DNS TXT record manually. The ACME client can then add the required DNS validation parameter, along with the DigiCert random value, to your DNS TXT record.

Wildcard domains

For certificates with wildcard domains, you must use the DNS-01 challenge to validate them as part of your ACME certificate request, issuance, and installation process. The HTTP-01 challenge doesn’t support wildcard domains.

Suggestions for automating the DNS-01 challenge

For the DNS-01 challenge to be practical, you must automate the TXT record updates. Use one of these options:

  • Check with your DNS provider to see if they have a supported API that you can use to automate the creation of DNS TXT records.

  • Check with your DNS provider to see if they use plugins. For example, Certbot has plugins for many widely used DNS providers, such as DNS Made Easy.

  • Create your own script for making the DNS updates.
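As an added example of the third option, writing your own script, here is the shape of a Certbot manual auth hook and cleanup hook for the DNS-01 challenge in Python. This is not DigiCert's or Certbot's code. It assumes Certbot's documented hook environment variables (CERTBOT_DOMAIN and CERTBOT_VALIDATION for the auth hook, CERTBOT_AUTH_OUTPUT for the cleanup hook). The DNS provider API is a hypothetical in-memory placeholder (InMemoryDnsProvider) that you would replace with your provider's real API client; the lookup used to confirm the record is visible is likewise injected so that a real hook can point it at a public resolver.

```python
"""DNS-01 automation in the shape of a Certbot manual auth/cleanup hook.

Added example, not DigiCert's or Certbot's code. The provider class is a
placeholder for a real DNS provider API.
"""
import time
from typing import Callable, Dict, List, Optional, Protocol

RECORD_PREFIX = "_acme-challenge."


class DnsProvider(Protocol):
    """Minimal interface an automation script needs from a DNS provider API."""
    def add_txt(self, name: str, value: str) -> str: ...
    def delete_txt(self, record_id: str) -> None: ...
    def get_txt(self, name: str) -> List[str]: ...


class InMemoryDnsProvider:
    """Hypothetical placeholder standing in for a real provider API client."""
    def __init__(self) -> None:
        self._records: Dict[str, tuple] = {}
        self._next = 1

    def add_txt(self, name: str, value: str) -> str:
        record_id = f"rec-{self._next}"
        self._next += 1
        self._records[record_id] = (name.lower(), value)
        return record_id

    def delete_txt(self, record_id: str) -> None:
        self._records.pop(record_id, None)

    def get_txt(self, name: str) -> List[str]:
        return [v for n, v in self._records.values() if n == name.lower()]


def challenge_record_name(domain: str) -> str:
    """For *.example.com the record still lives at _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return RECORD_PREFIX + base.rstrip(".")


def wait_for_txt(name: str, value: str, lookup: Callable[[str], List[str]],
                 attempts: int = 10, delay: float = 0.0) -> bool:
    """Poll until the TXT value is visible. Publishing a record and returning
    immediately is the usual reason DNS-01 fails: the CA queries before it propagates."""
    for _ in range(attempts):
        if value in lookup(name):
            return True
        time.sleep(delay)
    return False


def auth_hook(env: Dict[str, str], provider: DnsProvider,
              lookup: Optional[Callable[[str], List[str]]] = None) -> str:
    """Create the TXT record Certbot asks for and return its id. A real hook
    prints the id; Certbot hands it back to the cleanup hook as CERTBOT_AUTH_OUTPUT."""
    name = challenge_record_name(env["CERTBOT_DOMAIN"])
    value = env["CERTBOT_VALIDATION"]
    record_id = provider.add_txt(name, value)
    if not wait_for_txt(name, value, lookup or provider.get_txt):
        provider.delete_txt(record_id)  # do not leave a half-published record behind
        raise RuntimeError(f"TXT record {name} not visible after publishing")
    return record_id


def cleanup_hook(env: Dict[str, str], provider: DnsProvider) -> None:
    """Remove the record once validation is done so stale challenge values do not pile up."""
    provider.delete_txt(env["CERTBOT_AUTH_OUTPUT"].strip())


if __name__ == "__main__":
    # Constructed values standing in for what Certbot exports to the hook.
    env = {"CERTBOT_DOMAIN": "*.example.com",
           "CERTBOT_VALIDATION": "constructed-validation-value"}
    provider = InMemoryDnsProvider()
    record_id = auth_hook(env, provider)
    print("published", challenge_record_name(env["CERTBOT_DOMAIN"]), "as", record_id)
    cleanup_hook({**env, "CERTBOT_AUTH_OUTPUT": record_id}, provider)
    print("records left:", provider.get_txt(challenge_record_name(env["CERTBOT_DOMAIN"])))
```

In real use the auth and cleanup hooks run as two separate processes (Certbot's --manual-auth-hook and --manual-cleanup-hook options), so the provider behind them must be the persistent API rather than the in-memory placeholder, and the auth hook must print the record id so that the cleanup hook receives it in CERTBOT_AUTH_OUTPUT. Note the wildcard handling: the record name is derived from the base domain, which is why DNS-01 can validate *.example.com while HTTP-01 cannot.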

Resources