
Common mistakes when using the HTTP practical demonstration DCV methods

In this article, we address some of the more common issues encountered when troubleshooting an HTTP Practical Demonstration check that was unsuccessful.

Background

To validate your domain using the HTTP Practical Demonstration and HTTP Practical Demonstration with unique filename DCV methods, you need at least two items. You need a third item for the unique filename method.

  1. DigiCert-generated random value, applicable to both methods.

  2. DigiCert-generated unique filename, applicable to just the HTTP Practical Demonstration with unique filename DCV method.

  3. Location where you need to place the .txt file containing the random value on your website, applicable to both methods.

    • http://[your-domain]/.well-known/pki-validation/fileauth.txt

    • http://{domain-name}/.well-known/pki-validation/{unique-filename}.txt

    The URL does two things:

    • It contains the FQDN (fully qualified domain name) or IP address you want to validate.

    • It tells DigiCert where to look so that we can find the .txt file with the DigiCert-generated random value.

Don’t modify the URL provided

If you modify the URL, we can't find the .txt file with the DigiCert-generated random value. So, don't change the FQDN, capitalize a lowercase letter, or forget to add a period.

For example, if we provide you with this URL: http://[your-domain]/.well-known/pki-validation/fileauth.txt, then:

  • Don’t add www to it (http://www.[your-domain]/.well-known/pki-validation/fileauth.txt).

  • Don’t capitalize a letter that isn’t capitalized in the original URL, such as "pki" (http://[your-domain]/.well-known/PKI-validation/fileauth.txt).

Don’t place the .txt file on a different domain or subdomain

To validate [your-domain], place the .txt file on the exact domain you want to validate, the one we generated the URL for. We don't look at a different domain or subdomain to find our random value. We look at the domain you want to validate.

For example, if you need [your-domain] validated, we generate a URL for this domain: http://[your-domain]/.well-known/pki-validation/fileauth.txt.

Don’t place the .txt file on [sub.your-domain] or modify the URL and place it on [your-other-domain]. We can’t find the .txt file on these domains. We’re looking for it on [your-domain], the domain from your certificate order, or the domain you submitted for prevalidation.

[your-domain] and www.[your-domain]

To validate www.[your-domain] and [your-domain], you must validate www.[your-domain] and [your-domain] separately.

As of November 16, 2021, you can use the file-based DCV method to demonstrate control over FQDNs, exactly as named.

Learn more about the changes to this domain validation policy

Free base domain SAN

Did you receive a free base domain SAN on your TLS certificate? Make sure you place the .txt file on the base domain. We need to validate the domain on the Transport Layer Security (TLS) certificate order.

Don’t include any additional content in the .txt file

When creating the .txt file, copy the random value provided by DigiCert and add it to the file. Don't add the word "token," or "value," or any other text.

Requirements for placing the .txt file on a page with multiple redirects

Redirect requirements when using HTTP Practical Demonstration per the TLS Baseline Requirements

Any redirect must also be:

  • Initiated at the HTTP protocol layer

  • The result of a 301, 302, or 307 HTTP status code response

  • To resource URLs with either the "http" or "https" scheme

  • To resource URLs accessed via authorized ports

TLS Baseline Requirements
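As an added example (not DigiCert's own validator), the following Python script walks a validation URL the way the rules on this page describe: it follows only 301, 302 or 307 redirects to http or https URLs on authorized ports, requests the path exactly as given, and accepts the file only when its body is exactly the random value. The in-memory site, the random value and the assumption that "authorized ports" means 80 and 443 are constructed for the example.

```python
from urllib.parse import urlparse

ALLOWED_REDIRECTS = {301, 302, 307}   # the only status codes a DCV redirect may use
AUTHORIZED_PORTS = {80, 443}          # assumption: "authorized ports" means 80 and 443


def check_dcv(url, random_value, fetch, max_hops=5):
    """Walk the URL like a validator would and return (ok, reason).

    `fetch(url)` is injected and must return (status, headers, body).
    """
    for _ in range(max_hops + 1):
        parts = urlparse(url)
        if parts.scheme not in ("http", "https"):
            return False, f"scheme must be http or https: {url}"
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if port not in AUTHORIZED_PORTS:
            return False, f"port {port} is not an authorized port: {url}"
        status, headers, body = fetch(url)
        if status in ALLOWED_REDIRECTS:
            if "Location" not in headers:
                return False, f"HTTP {status} without a Location header"
            url = headers["Location"]          # follow only 301/302/307
            continue
        if status != 200:
            return False, f"HTTP {status} at {url} (wrong path, case or host?)"
        if body.strip() == random_value:        # exact value, nothing else
            return True, f"random value found at {url}"
        return False, "file body is not exactly the random value (extra text?)"
    return False, "too many redirects"


# Constructed in-memory site standing in for a real web server.
RANDOM_VALUE = "example-random-value-0123456789"   # placeholder, not a real DigiCert value
BASE = "example.com/.well-known/pki-validation/fileauth.txt"
PKI = "example.com/.well-known/pki-validation"
FAKE_SITE = {
    f"http://{BASE}": (301, {"Location": f"https://{BASE}"}, ""),
    f"https://{BASE}": (200, {}, RANDOM_VALUE + "\n"),
    f"http://www.{BASE}": (200, {}, "token: " + RANDOM_VALUE),  # extra word in the file
    f"http://{PKI}/via303.txt": (303, {"Location": f"https://{BASE}"}, ""),
    f"http://{PKI}/via8080.txt": (302, {"Location": f"http://example.com:8080/{BASE[12:]}"}, ""),
}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, {}, "Not Found"))


if __name__ == "__main__":
    for u in FAKE_SITE:
        print(u, "->", check_dcv(u, RANDOM_VALUE, fake_fetch))
```

Running it prints one verdict per constructed URL; only the first (301 to https, exact body) passes.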