Issue and install a certificate for Apache using HTTP-01
Use the HTTP-01 challenge to validate domains and install a certificate on your Apache web server. This method applies to DV certificates and OV/EV certificates with domains that are not prevalidated in CertCentral.
For OV/EV certificates with prevalidated domains, CertCentral performs domain control validation out-of-band. No challenge options are required. See Configure Certbot for CertCentral.
Notice
These instructions apply to ACME credentials created on or after January 30, 2024. For credentials created before this date, see Use legacy CertCentral ACME credentials.
Before you begin
Verify that port 80 is open on your Apache web server before running the command. If your firewall restricts access to port 80, including blocks based on geographic location, you must unblock it to allow traffic.
If your firewall restricts access by IP address, add the DigiCert IP addresses for HTTP Practical Demonstration validation to your allowlist. See IP addresses DigiCert uses for HTTP Practical Demonstration.
Notice
The HTTP-01 challenge does not support the following:
Wildcard domains such as *.example.com; use DNS-01 instead
IP address validation: Prevalidate IP addresses in CertCentral before using ACME, or use the manual request and installation process
Validating subdomains while validating a higher-level domain simultaneously
For a full overview of HTTP-01 and DNS-01 challenge requirements, see ACME challenges.
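The limits above can be checked before any request is sent. The following is an added example, not DigiCert or Certbot code: a shell function that screens the names you plan to pass with -d. The function name and sample names are hypothetical, and it assumes the third limit means a name and one of its parent domains in the same request.

```shell
#!/bin/sh
# Added example (not DigiCert or Certbot code): check the names you plan to pass
# with -d against the HTTP-01 limits listed above, before requesting anything.
# Prints one line per rejected name; returns 0 only if every name is usable.
http01_check_names() {
    h_rc=0
    for h_name in "$@"; do
        h_lc=$(printf '%s' "$h_name" | tr 'A-Z' 'a-z')
        case "$h_lc" in
            \**)  # wildcard label
                echo "reject $h_name: wildcard, use DNS-01 instead"
                h_rc=1; continue ;;
            *:*)  # a colon only appears in IPv6 literals
                echo "reject $h_name: IP address, prevalidate it in CertCentral"
                h_rc=1; continue ;;
            *[!0-9.]*) ;;  # has a letter or hyphen: treat as a hostname
            *)    # digits and dots only: IPv4 literal (or empty)
                echo "reject $h_name: IP address, prevalidate it in CertCentral"
                h_rc=1; continue ;;
        esac
        # Assumption: the third limit means a name and one of its parent
        # domains must not be validated in the same request.
        for h_other in "$@"; do
            h_olc=$(printf '%s' "$h_other" | tr 'A-Z' 'a-z')
            case "$h_lc" in
                *."$h_olc")
                    echo "reject $h_name: subdomain of $h_other in the same request"
                    h_rc=1 ;;
            esac
        done
    done
    return "$h_rc"
}

# Constructed sample list (documentation-reserved names and address).
http01_check_names example.com shop.example.com '*.example.net' 192.0.2.10 \
    || echo "fix the -d list before running certbot"
```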
Install a certificate using HTTP-01 for Apache web server
Open a terminal session on your Apache web server.
Copy the following command and enter it at the terminal prompt:
    sudo certbot --apache \
      --register-unsafely-without-email \
      --eab-kid {MY-KEY-IDENTIFIER} \
      --eab-hmac-key {MY-HMAC-KEY} \
      --server {MY-ACME-URL} \
      --config-dir {MY-CONFIG-DIR} \
      -d {FQDN} \
      --manual --preferred-challenges http

Replace the placeholders with the following values:
| Placeholder | Replace with |
| --- | --- |
| {MY-KEY-IDENTIFIER} | The EAB key identifier (KID) from your CertCentral ACME credentials |
| {MY-HMAC-KEY} | The EAB HMAC key from your CertCentral ACME credentials |
| {MY-ACME-URL} | The ACME directory URL from your CertCentral ACME credentials |
| {MY-CONFIG-DIR} | The path to your Certbot configuration files. If omitted, Certbot defaults to /etc/letsencrypt |
| {FQDN} | The fully qualified domain name to secure. Add an additional -d option for each FQDN. The first FQDN specified is used as the common name (CN) |

When Certbot presents the authentication method menu, enter 1 to use the Apache Web Server plugin:
    How would you like to authenticate with the ACME CA?
    1: Apache Web Server plugin (apache)
    2: Obtain certificates using a DNS TXT record (dns-route53)
    3: Spin up a temporary webserver (standalone)
    4: Place files in webroot directory (webroot)
    Select the appropriate number [1-4] then [enter] (press 'c' to cancel):
Certbot updates the Apache virtual host configuration for port 80 with the following settings:
    Alias /.well-known/acme-challenge/ "/var/www/acme/acme-challenge/"
    RewriteRule "^/.well-known/acme-challenge/" - [L]
    <Directory "/var/www/acme/acme-challenge/">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
    </Directory>

CertCentral validates the domains and issues the certificate. Certbot installs the certificate on your Apache server.
What's next
See Issue and install a certificate for NGINX using DNS-01 to use the DNS-01 challenge to validate domains and install a certificate on your NGINX server.