Common mistakes: HTTP practical demonstration DCV method

In this article, we address some of the more common issues encountered when troubleshooting an HTTP Practical Demonstration check that was unsuccessful.

Background

To validate your domain using the HTTP Practical Demonstration and HTTP Practical Demonstration with unique filename DCV methods, you need at least two items. You need a third item for the unique filename method.

  1. DigiCert-generated random value, applicable to both methods

  2. DigiCert-generated unique filename, applicable to just the HTTP Practical Demonstration with unique filename DCV method.

  3. Location where you need to place the .txt file containing the random value on your website, applicable to both methods.

    • http://[domain-name]/.well-known/pki-validation/fileauth.txt

    • http://[domain-name]/.well-known/pki-validation/{unique-filename}.txt

    The URL does two things:

    • It contains the FQDN (fully qualified domain name) or IP address you want to validate.

    • It tells DigiCert where to look so that we can find the .txt file with the DigiCert-generated random value.

Don’t modify the URL provided

If you modify the URL, we can't find the .txt file with the DigiCert-generated random value. So, don't change the FQDN, capitalize a lowercase letter, or forget to add a period.

For example, if we provide you with this URL: http://[your-domain]/.well-known/pki-validation/fileauth.txt:

  • Don’t add www to it (http://www.[your-domain]/.well-known/pki-validation/fileauth.txt)

  • Don’t capitalize a letter that isn’t capitalized in the original URL, such as "pki" (http://[your-domain]/.well-known/PKI-validation/fileauth.txt).

Don’t place the .txt on a different domain or subdomain

To validate [your-domain], place the .txt file on the exact domain you want to validate, the one we generated the URL for. We don't look at a different domain or subdomain to find our random value. We look at the domain you want to validate.

For example, if you need [your-domain] validated, we generate a URL for this domain: http://[your-domain]/.well-known/pki-validation/fileauth.txt.

Don’t place the .txt file on [sub.your-domain] or modify the URL and place it on [your-other-domain]. We can’t find the .txt file on these domains. We’re looking for it on [your-domain], the domain from your certificate order, or the domain you submitted for prevalidation.

[your-domain] and www.[your-domain]

To validate www.[your-domain] and [your-domain], you must validate www.[your-domain] and [your-domain] separately.

As of November 16, 2021, you can use the file-based DCV method to demonstrate control over FQDNs, exactly as named.

Learn more about the changes to this domain validation policy.

Free base domain SAN

Did you receive a free base domain SAN on your TLS certificate? Make sure you place the .txt file on the base domain. We need to validate the domain on the Transport Layer Security (TLS) certificate order.

Don’t include any additional content in the fileauth.txt file

Requirements for placing the .txt file on a page with multiple redirects

When using redirects in your HTTP Practical Demonstration DCV process, they must begin with the domain you’re validating and include the same base domain.

Redirect requirements when using HTTP Practical Demonstration per the TLS Baseline Requirements

Redirects must also be:

  • Initiated at the HTTP protocol layer

  • The result of a 301, 302, or 307 HTTP status code response

  • To resource URLs with either the "http" or "https" scheme

  • To resource URLs accessed via authorized ports

TLS Baseline Requirements
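
An added example (not DigiCert's code or its validation logic): a Python pre-check that applies the redirect requirements listed above to a redirect chain you have observed on your own site. The hop lists and example.com names are constructed; the port set comes from the Baseline Requirements' definition of Authorized Ports rather than from this page, and reading "same base domain" as "the target host equals, or is a subdomain of, a caller-supplied base domain" is an assumption.

```python
from urllib.parse import urljoin, urlsplit

ALLOWED_STATUS = {301, 302, 307}           # status codes listed above
ALLOWED_SCHEMES = {"http", "https"}        # schemes listed above
DEFAULT_PORT = {"http": 80, "https": 443}
# Assumption: the page does not list the authorized ports; these are the
# "Authorized Ports" defined in the TLS Baseline Requirements.
AUTHORIZED_PORTS = {80, 443, 25, 22}


def check_redirect_chain(start_url, hops, fqdn, base_domain):
    """Return a list of problems for a redirect chain (empty list = compliant).

    hops is the ordered list of (status_code, Location header) pairs seen
    while following the validation URL; base_domain is supplied by the caller.
    """
    problems = []
    if urlsplit(start_url).hostname != fqdn.lower():
        problems.append(f"chain does not start on {fqdn}")
    current = start_url
    for n, (status, location) in enumerate(hops, start=1):
        if status not in ALLOWED_STATUS:
            problems.append(f"hop {n}: status {status} is not 301, 302 or 307")
        current = urljoin(current, location)   # Location may be relative
        target = urlsplit(current)
        if target.scheme not in ALLOWED_SCHEMES:
            problems.append(f"hop {n}: scheme {target.scheme!r} is not http/https")
        elif (target.port or DEFAULT_PORT[target.scheme]) not in AUTHORIZED_PORTS:
            problems.append(f"hop {n}: port {target.port} is not authorized")
        host = target.hostname or ""
        if host != base_domain and not host.endswith("." + base_domain):
            problems.append(f"hop {n}: {host} is outside {base_domain}")
    return problems


# Constructed sample chains (not captured traffic).
START = "http://example.com/.well-known/pki-validation/fileauth.txt"
GOOD = [(301, "https://example.com/.well-known/pki-validation/fileauth.txt"),
        (302, "https://www.example.com/.well-known/pki-validation/fileauth.txt")]
BAD = [(308, "https://cdn.example.net:8443/fileauth.txt")]

if __name__ == "__main__":
    for name, chain in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_redirect_chain(START, chain, "example.com", "example.com"))
```

A redirect done with a meta refresh or JavaScript returns a 200 response, so it shows up here as a hop whose status is not 301, 302 or 307.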