
HTTP-01 challenge

The HTTP-01 challenge is the most widely used ACME challenge type and the easiest to automate. The ACME client requests a challenge, DigiCert's ACME server issues a random token, and the client writes a file derived from that token (the token joined to a thumbprint of your ACME account key) at a predetermined URL on your web server: http://<domain>/.well-known/acme-challenge/<token>. DigiCert then fetches that URL over port 80. If the environment is set up correctly, the file is returned unchanged and domain validation completes without any manual step.
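What the client actually writes, as an added example that is not DigiCert's or Certbot's code: the file body is the ACME key authorization, the token joined with a "." to the RFC 7638 thumbprint of the account key, and the token doubles as the file name. The account key and token below are constructed placeholders, not real key material, and the function names are this example's own.

```python
import base64
import hashlib
import json
import os
import re

# Public members that enter an RFC 7638 thumbprint, per key type. Private members
# (d, p, q, ...) and metadata (kid, alg, use) are deliberately excluded.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# RFC 8555 tokens are base64url; anything else is refused because the token
# also becomes a path component under the web root.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    in lexicographic order, serialized with no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the validator expects at /.well-known/acme-challenge/<token>."""
    if not _TOKEN_RE.match(token):
        raise ValueError("ACME tokens are base64url; refusing anything else")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge_file(webroot: str, token: str, key_auth: str) -> str:
    """Write the key authorization where the web server will serve it; return the path."""
    if not _TOKEN_RE.match(token):
        # A token such as "../../etc/passwd" would escape the challenge directory.
        raise ValueError("invalid token")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_auth)  # no trailing newline required; validators ignore trailing whitespace
    os.chmod(path, 0o644)   # the web server user must be able to read it
    return path


# Constructed example account key (not a real key) and token, to show the shapes involved.
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "WbbbpDrVbu4VwEi9hADncvDr9o0TH-dqeQ8YB3xYB6g",
    "y": "7bfeoLhw_gb_qvh88dKD9w2RPN6gPSYh6VdTMPLBz7w",
    "kid": "https://acme.example/acct/123",  # extra member: must not change the thumbprint
}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    ka = key_authorization(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print(f"serve this body at http://<domain>/.well-known/acme-challenge/{EXAMPLE_TOKEN}")
    print(ka)
```

The thumbprint is computed over the public members only, so the same account key produces the same key authorization whether the JWK carries a kid, a private scalar, or its members in a different order; the token check matters because the token is used as a file name.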

You can use the HTTP-01 challenge to validate a domain whose DNS name is a CNAME pointing to another domain, for example yourdomain.com pointing to yourdomain.net. The validation request goes to whichever address the CNAME ultimately resolves to, so the challenge file must be served from that server.

When validating a domain using the HTTP-01 challenge, include --preferred-challenges http in your Certbot command so that Certbot selects HTTP-01 rather than another challenge type. For a complete Certbot example, see Issue and install a certificate for Apache using HTTP-01 domain validation.

Requirements

  • Port 80 must be open and publicly accessible on the web server. DigiCert fetches the challenge file over plain HTTP, so if your firewall restricts port 80, including blocks based on geographic location, you must unblock it before proceeding. When you use Certbot's Apache or Nginx plugin, the client temporarily adds directives to the port 80 virtual host so that the challenge path is served.

  • The ACME client must be able to write files under the web root at .well-known/acme-challenge/, the directory your web server serves at http://<domain>/.well-known/acme-challenge/, and the web server must return those files unchanged (no authentication, rewriting, or redirect on that path).

Notice

Depending on your firewall configuration, you may need to allowlist specific DigiCert IP addresses for the HTTP-01 challenge validation process to succeed. Learn more about the IP addresses DigiCert uses for the HTTP Practical Demonstration check.

Limitations

You cannot use the HTTP-01 challenge to:

  • Validate wildcard domains such as *.example.com. Use the DNS-01 challenge instead.

  • Validate IPv4 and IPv6 addresses.

    • For OV and EV certificates that include an IP address: prevalidate the IP address using HTTP Practical Demonstration before using ACME, or use the manual certificate request and installation process.

    • For DV certificates that include an IP address: use the manual certificate request and installation process. HTTP Practical Demonstration is available in the manual workflow.

  • Validate subdomains as a side effect of validating a higher-level domain. HTTP-01 validation applies only to the exact FQDN it was performed against: validating example.com does not cover www.example.com or mail.example.com. To cover a domain and its subdomains with one validation, use a DNS-based DCV method instead.

  • Validate an entire domain and all of its subdomains in a single step. With HTTP-01, every FQDN in the certificate order gets its own token and its own challenge file.

Common configuration issues

  • Port 80 is blocked by a firewall or geographic filtering rule. Unblock port 80 or add DigiCert IP addresses to your allowlist. See IP addresses DigiCert uses for the HTTP Practical Demonstration check.

  • The ACME client does not create the validation file in the correct directory. Confirm the client has write permission to /.well-known/acme-challenge/.

  • Redirect rules prevent DigiCert from retrieving the file. A catch-all redirect (for example to a login page or to another host) sends the request for /.well-known/acme-challenge/ somewhere that does not serve the file. Exempt that path from redirects, or make sure the redirect target serves the same file.

  • DNS resolves to a different server than expected, for example because of a stale A record or a proxy in front of the server. Confirm the domain resolves to the server where the ACME client is running, and that anything in front of it passes the challenge path through.
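A pre-flight check that reproduces what the validator does, as an added example that is not part of DigiCert's documentation: resolve the name, fetch the challenge URL over port 80 while recording every redirect, and compare the body with the expected key authorization, mapping each outcome to one of the issues listed above. It serves a temporary webroot on loopback so the dry run works offline; the function names, the token and the key authorization string are constructed for illustration, and only plain-HTTP redirects are followed (an HTTPS hop is reported for you to inspect rather than followed).

```python
import http.client
import os
import socket
import tempfile
import threading
import urllib.parse
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve(hostname):
    """Every address the name resolves to. The validator may connect to any of them,
    so all of them must serve the challenge file."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def fetch_challenge(host, token, port=80, max_hops=10):
    """GET the challenge URL over plain HTTP, following HTTP redirects.

    Returns (status, body, hops). status is None if the chain left plain HTTP or
    exceeded max_hops; hops lists each redirect target in order."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    hops = []
    for _ in range(max_hops):
        parts = urllib.parse.urlsplit(url)
        if parts.scheme != "http":
            # ACME validators do follow HTTPS redirects, but then the target's
            # certificate and path must also be right. Report it instead of guessing.
            return None, b"", hops
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
        try:
            conn.request("GET", parts.path, headers={"Host": parts.hostname,
                                                     "User-Agent": "acme-preflight/1"})
            resp = conn.getresponse()
            location = resp.getheader("Location")
            if resp.status in REDIRECT_CODES and location:
                url = urllib.parse.urljoin(url, location)
                hops.append(url)
                continue
            return resp.status, resp.read(), hops
        finally:
            conn.close()
    return None, b"", hops


def diagnose(host, token, key_auth, port=80, expected_ips=None):
    """Classify what the validator would see. expected_ips, when given, is the set of
    addresses the ACME client's server actually has."""
    if expected_ips is not None:
        strangers = [ip for ip in resolve(host) if ip not in expected_ips]
        if strangers:
            return "dns-points-elsewhere", strangers
    status, body, hops = fetch_challenge(host, token, port)
    if status is None:
        if hops and hops[-1].startswith("https://"):
            return "redirect-to-https", hops[-1]
        return "redirect-loop-or-too-many-hops", hops
    if status == 404:
        return "file-not-found", hops
    if status != 200:
        return f"http-{status}", hops
    # RFC 8555 8.3: whitespace after the body is ignored; anything else is a mismatch.
    if body.rstrip() != key_auth.encode("ascii"):
        return "wrong-content", body[:80]
    return "ok", hops


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the dry run silent
        pass


def serve_webroot(webroot):
    """Serve webroot on a loopback ephemeral port for a local dry run. Returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    token, key_auth = "constructedtoken", "constructedtoken.constructedthumbprint"  # constructed
    with tempfile.TemporaryDirectory() as root:
        challenge_dir = os.path.join(root, ".well-known", "acme-challenge")
        os.makedirs(challenge_dir)
        server, port = serve_webroot(root)
        print(diagnose("127.0.0.1", token, key_auth, port))  # file not yet written
        with open(os.path.join(challenge_dir, token), "w") as fh:
            fh.write(key_auth + "\n")
        print(diagnose("127.0.0.1", token, key_auth, port))  # now served correctly
        server.shutdown()
```

Against a real host, call diagnose with your domain, the token and key authorization the client wrote, port 80, and the public addresses of the server running the ACME client; run it from outside your network, since a check from inside will not notice a geographic firewall rule.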

What's next

DNS-01 challenge for environments where web server access is restricted or wildcard domain validation is required