Which ACME Challenge Type Should I Use? HTTP-01 or DNS-01?

Not sure if you should use the HTTP-01 or DNS-01 ACME challenge? This FAQ outlines the advantages and disadvantages of both DV methods.


When you use the ACME protocol to order certificates from SSL.com, we validate your control of the domain name(s) in your certificate request with a “challenge” that will require you to either make a verifiable change to your website or DNS records. This FAQ covers the advantages and disadvantages associated with the challenge types supported by SSL.com: HTTP-01 and DNS-01.

HTTP-01 Challenge

The HTTP-01 challenge requires you or your ACME client to create a file containing a random token and fingerprint of your account key on your web server, proving control over the website to the CA. The challenge specifies both the contents of the file, and the URL where it should be created (which will always be prefixed with .well-known/acme-challenge/, followed by the token value). An example manual HTTP-01 challenge for example.com is shown below:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

cr1rsRTImVz_s7HHk7biTQ.9mOlJPgZ8D97HojOHnhD6hYeZZOPDUDNMxchFUNJQvI

And make it available on your web server at this URL:

http://example.com/.well-known/acme-challenge/cr1rsRTImVz_s7HHk7biTQ

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Advantages and Disadvantages of HTTP-01

HTTP-01 is the most commonly used ACME challenge type, and SSL.com recommends it for most users. Its primary advantages are ease of automation for popular web server platforms like Apache and Nginx, and the lack of any need to configure DNS records and wait for them to propagate. However, there are a few limitations you should know about before using HTTP-01:

  • The HTTP-01 challenge only works over port 80, so it cannot be used if this port is blocked on your web server.
  • If there are multiple servers for a domain name, the HTTP-01 challenge file must be placed on all of them.

DNS-01 Challenge

The DNS-01 challenge requires you to create a DNS TXT record for your domain, including a random token and fingerprint of your account key, at _acme-challenge.<YOUR_DOMAIN>. SSL.com’s ACME server will query DNS for that record, and will issue the certificate if it finds a match. This is an example manual DNS-01 challenge for example.com:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

-87YKoj3sQZB4rVCMZTiifl9QJKYm2eYYymAkpE0zBo

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Advantages and Disadvantages of DNS-01

The DNS-01 challenge is more difficult to automate than HTTP-01, requiring that your DNS provider supply an API for managing your DNS records. In this case, you will also need to deal with the potential security threat of keeping DNS API credentials on your web server. With the DNS-01 challenge, you will also need to check for propagation of your record or configure a delay into your ACME client after creating the record. However, there are several circumstances where you might choose DNS-01 over HTTP-01:

  • If your domain has more than one web server, you will not have to manage challenge files on multiple servers.
  • DNS-01 can be used even if port 80 is blocked on your web server.

Note that for some certificate requests (such as for a wildcard entry along with the base domain name), you may need to create multiple TXT records with the same name. This is okay to do, but you should clean up old TXT records from previous challenges so that the DNS response size doesn’t grow too large for the server to accept.
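
The following is an added example, not SSL.com's code: it derives the HTTP-01 file and the DNS-01 TXT value from a token and account key fingerprint, following RFC 8555 (challenge values) and RFC 7638 (JWK thumbprint), and shows why a wildcard entry and its base domain end up with two TXT values under one name. The function names are hypothetical and SAMPLE_JWK is a constructed key.

```python
import base64
import hashlib
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]+")
# RFC 7638 required members per key type (only these are hashed).
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """Account key fingerprint: SHA-256 over the canonical JWK (RFC 7638)."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    # Reject anything outside base64url so a token can never alter the path.
    if not (B64URL.fullmatch(token) and B64URL.fullmatch(thumbprint)):
        raise ValueError("token and thumbprint must be base64url")
    return f"{token}.{thumbprint}"


def http01(domain: str, token: str, thumbprint: str) -> tuple:
    """URL the CA fetches over port 80, and the exact file body to serve."""
    body = key_authorization(token, thumbprint)
    return f"http://{domain}/.well-known/acme-challenge/{token}", body


def dns01(domain: str, token: str, thumbprint: str) -> tuple:
    """TXT name and value; a wildcard shares its base domain's record name."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode()).digest()
    return "_acme-challenge." + domain.removeprefix("*."), b64url(digest)


def stale_txt(published: set, pending: set) -> set:
    """TXT values not needed by any pending challenge (cleanup candidates)."""
    return published - pending


# Constructed sample key: x and y are made-up strings, not a real curve point.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}
```

Calling http01 with the token and fingerprint from the manual HTTP-01 example above reproduces that URL and file body exactly.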
