HTTP-01 challenge

HTTP-01 proves domain control by serving a file at a special URL on port 80. It is the simplest ACME challenge, but it needs port 80 reachable from the internet and it cannot issue wildcard certificates.

HTTP-01 is the simplest of the three ACME challenge types in common use (HTTP-01, DNS-01, TLS-ALPN-01). To prove you control example.com, your server has to respond to a GET request at:

http://example.com/.well-known/acme-challenge/<token>

with a specific response body, the key authorization: the token, a dot, and the base64url SHA-256 thumbprint of your ACME account key (RFC 7638). The CA fetches this URL from multiple network vantage points and verifies the response.

How the challenge works

  1. Your client requests a cert for example.com.
  2. CA responds with a challenge token. Your client computes the expected response body (the key authorization) itself from the token and its own account key thumbprint; the CA never sends it.
  3. Your client makes http://example.com/.well-known/acme-challenge/<token> return that body. This is usually done by your web server (Caddy, nginx via certbot's nginx plugin, Traefik) answering that path itself.
  4. Your client tells the CA: "OK, validate now."
  5. CA fetches the URL from multiple vantage points (Let's Encrypt validates from several networks, not just one) and checks the response.
  6. If it matches: challenge succeeds, cert is issued.
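The steps above, as an added example that is not part of the original page: the client-side key authorization math (RFC 7638 thumbprint over the required JWK members only, sorted, no whitespace), the CA-side comparison, and a minimal port-80 responder. The account JWK uses placeholder coordinates and is not a real key; the function names and the handler are this example's own.

```python
import base64
import hashlib
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# A token is base64url text. Checking that before using it in a URL path or a
# filename is what RFC 8555 asks clients to do: it stops a hostile token such
# as "../../etc/passwd" from turning into a path on your server.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Required JWK members per key type (RFC 7638). Optional members such as
# "kid" and "alg" are deliberately dropped before hashing.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME/JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Required members only, keys sorted lexicographically, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                      separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def valid_token(token: str) -> bool:
    return bool(TOKEN_RE.match(token))


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side: the exact body the challenge URL must return."""
    if not valid_token(token):
        raise ValueError("malformed token")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def ca_validate(fetched_body: bytes, token: str, account_jwk: dict) -> bool:
    """CA side: the body (trailing whitespace ignored, as RFC 8555 allows) must
    equal the key authorization for the account that created the order."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return fetched_body.rstrip(b" \t\r\n") == expected


def challenge_response(path: str, challenges: dict) -> tuple:
    """Route one GET: 200 + key authorization for a known token, else 404.
    `challenges` maps token -> key authorization."""
    path = path.split("?", 1)[0]
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b"not found\n"
    token = path[len(CHALLENGE_PREFIX):]
    if not valid_token(token) or token not in challenges:
        return 404, b"not found\n"
    return 200, challenges[token].encode("ascii")


class AcmeChallengeHandler(BaseHTTPRequestHandler):
    challenges = {}  # token -> key authorization; filled in before serving

    def do_GET(self):
        status, body = challenge_response(self.path, self.challenges)
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed example account key (placeholder coordinates, not a real key),
# with optional members present to show they do not affect the thumbprint.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256", "kid": "acct-1", "alg": "ES256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
# Constructed sample token, the same base64url shape a CA hands out.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    AcmeChallengeHandler.challenges[SAMPLE_TOKEN] = key_authorization(
        SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    # The CA only ever connects to port 80; this demo binds 8080 on loopback
    # so it runs unprivileged. Fetch it with:
    #   curl http://127.0.0.1:8080/.well-known/acme-challenge/<token>
    HTTPServer(("127.0.0.1", 8080), AcmeChallengeHandler).serve_forever()
```

The canonical form is the part people get wrong: hashing the JWK as you received it (with "kid", "alg", or a different member order) yields a thumbprint the CA will not recognise, and the challenge fails with no hint as to why.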

Why HTTP-01 is the default for most clients

  • No DNS API integration needed. Most setups already have a web server on port 80.
  • Fast. No DNS propagation wait. Response is immediate after you start serving it.
  • Trivial to automate. Tools like Caddy do this on their own with zero config.

Why HTTP-01 doesn't work everywhere

Several conditions break it:

  1. No port 80 reachable. ACME spec mandates port 80 for HTTP-01 (you can't use port 8080 or anything else). If you have a firewall blocking port 80 or only port 443 open, HTTP-01 won't work.
  2. Wildcards. HTTP-01 can't issue *.example.com; the spec only allows it for a concrete hostname the CA can fetch from. Wildcards need DNS-01.
  3. Server doesn't exist yet. If you want a cert for a hostname before deploying the server, HTTP-01 can't validate (nothing's answering on port 80).
  4. CDN or load balancer in front. If you're behind Cloudflare or Akamai with their own TLS at the edge, you need to either pre-bake the challenge response into your origin or use the CDN's own ACME integration.

The HTTP-01 redirect rule

The ACME spec says the CA should follow redirects when fetching the challenge URL. Let's Encrypt's implementation follows up to 10 of them, but only to http:// or https:// URLs on port 80 or 443, and never to an IP address literal. If port 80 redirects to port 443 (very common), the CA follows the redirect and validates the response over HTTPS; it does not check the certificate on that hop, since the point of the exercise is to bootstrap a valid one.

What this means: even if your only port-80 listener does a permanent redirect to HTTPS, HTTP-01 still works, provided the redirect keeps the path and whatever answers on 443 actually serves the challenge body. A redirect that drops the path (everything to https://example.com/) or points at a non-standard port (8443) fails validation.
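The redirect rule from the validator's side, as an added example that is not part of the original page and not Let's Encrypt's code: `redirect_allowed` encodes the documented policy (http/https only, ports 80 or 443 only, no IP literals, at most 10 hops), and `ca_fetch` follows a chain under that policy. The three origins in `fake_network` are constructed for the demo; no sockets are opened.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10  # Let's Encrypt's documented limit


def redirect_allowed(location: str) -> bool:
    """Documented HTTP-01 redirect policy: http or https, port 80 or 443,
    and a hostname rather than an IP address literal."""
    u = urlsplit(location)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    try:
        port = u.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if port is None:
        port = 80 if u.scheme == "http" else 443
    if port not in (80, 443):
        return False
    try:
        ipaddress.ip_address(u.hostname)
    except ValueError:
        return True            # a real hostname: fine
    return False               # an IP literal: refused


def ca_fetch(url: str, fetch, max_redirects: int = MAX_REDIRECTS):
    """Follow redirects the way the validator does and return the final body,
    or None when a hop is refused, the chain is too long, or the final answer
    is not 200. `fetch(url)` is the transport, injected so this runs offline.
    On a real https:// hop the validator does not verify the certificate."""
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            target = urljoin(url, headers.get("Location", ""))
            if not redirect_allowed(target):
                return None
            url = target
            continue
        return body if status == 200 else None
    return None  # too many redirects


# Constructed fake network: three origins showing a working redirect and the
# two common ways a redirect breaks validation.
TOKEN = "tok123"
KEY_AUTH = "tok123.PLACEHOLDER_THUMBPRINT"  # placeholder key authorization


def fake_network(url):
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    path = u.path
    if origin == "http://good.example":        # blanket redirect, path kept
        return 301, {"Location": f"https://good.example{path}"}, b""
    if origin == "https://good.example":       # HTTPS vhost serves the challenge
        if path == CHALLENGE_PREFIX + TOKEN:
            return 200, {}, KEY_AUTH.encode("ascii")
        return 404, {}, b""
    if origin == "http://altport.example":     # redirect to a non-standard port
        return 301, {"Location": f"https://altport.example:8443{path}"}, b""
    if origin == "http://droppath.example":    # redirect that forgets the path
        return 301, {"Location": "https://droppath.example/"}, b""
    return 404, {}, b""


def validate(hostname: str, fetch=fake_network) -> bool:
    """Simulated HTTP-01 check for one hostname over the injected transport."""
    body = ca_fetch(f"http://{hostname}{CHALLENGE_PREFIX}{TOKEN}", fetch)
    return body is not None and body.rstrip() == KEY_AUTH.encode("ascii")


if __name__ == "__main__":
    for host in ("good.example", "altport.example", "droppath.example"):
        print(host, "valid" if validate(host) else "FAILS")
```

When debugging a failing HTTP-01 on a site that redirects, run the chain by hand with curl -IL on the challenge URL and compare each Location against the rules in `redirect_allowed`: the hop to 8443 and the path-dropping hop are the two that show up most often.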

In a custom-domain SaaS

Most platforms use HTTP-01 for customer-facing hostnames because port 80 reaches their edge directly. The flow:

  1. Customer points myapp.theirdomain.com CNAME to customer.yoursaas-edge.com.
  2. Your edge sees a request for the new hostname (Host header or TLS SNI) that it has no certificate for.
  3. Your edge requests a cert from Let's Encrypt with HTTP-01.
  4. Let's Encrypt fetches http://myapp.theirdomain.com/.well-known/acme-challenge/... which hits your edge (because DNS is already pointing at you).
  5. Your edge responds with the key authorization for that token. Cert issues.

No DNS integration needed on the customer side. They set the CNAME once and the cert is automatic. Two things to check before you trigger issuance: that the hostname was actually claimed by a customer in your system (otherwise anyone can CNAME a name to your edge and make you spend CA rate limits on it), and that the customer's zone has no CAA record excluding your CA, which fails issuance regardless of the challenge.
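An issuance gate for the flow above, as an added example that is not part of the original page or any platform's code: before the edge orders a certificate for a hostname it has never seen, it checks that a customer claimed the name and that the CNAME really points at the edge, and it refuses duplicate in-flight orders for the same name. `EDGE_TARGET` is the CNAME target from the flow; the `claimed` mapping, the zone data and the injected `resolve_cname` function are constructed for the demo (a real deployment would use its resolver).

```python
EDGE_TARGET = "customer.yoursaas-edge.com"   # the CNAME target from the flow above


def normalize(name: str) -> str:
    """Lower-case, no surrounding whitespace, no trailing dot."""
    return name.strip().rstrip(".").lower()


def should_issue(hostname: str, claimed: dict, resolve_cname) -> tuple:
    """Decide whether a request for an unknown hostname may trigger HTTP-01
    issuance. `claimed` maps hostname -> customer id (filled in when a customer
    adds the domain in your dashboard); `resolve_cname(name)` returns the
    CNAME target or None. Returns (allowed, reason)."""
    name = normalize(hostname)
    if not name or "*" in name:
        return False, "HTTP-01 cannot validate wildcard names"
    if name not in claimed:
        # Anyone can point a CNAME at the edge. Without this check they can
        # make you order certificates for names that are none of your business
        # and burn your CA rate limits doing it.
        return False, "hostname not claimed by any customer"
    target = resolve_cname(name)
    if target is None or normalize(target) != EDGE_TARGET:
        return False, "CNAME does not point at the edge; validation would fail"
    return True, f"issue for customer {claimed[name]}"


class IssuanceGate:
    """Wraps should_issue with an in-flight set so a burst of requests for a
    new hostname produces one ACME order, not one per request."""

    def __init__(self, claimed: dict, resolve_cname):
        self.claimed = claimed
        self.resolve_cname = resolve_cname
        self.in_flight = set()

    def request(self, hostname: str) -> tuple:
        name = normalize(hostname)
        if name in self.in_flight:
            return False, "already validating"
        ok, reason = should_issue(name, self.claimed, self.resolve_cname)
        if ok:
            self.in_flight.add(name)
        return ok, reason

    def finished(self, hostname: str) -> None:
        """Call when the order succeeds or fails so the name can be retried."""
        self.in_flight.discard(normalize(hostname))


# Constructed zone data and customer claims for the demo.
SAMPLE_ZONE = {
    "myapp.theirdomain.com": "customer.yoursaas-edge.com.",
    "stale.theirdomain.com": "old-host.example.",
}
SAMPLE_CLAIMED = {"myapp.theirdomain.com": "cust-42", "stale.theirdomain.com": "cust-42"}


def sample_resolver(name: str):
    return SAMPLE_ZONE.get(normalize(name))


if __name__ == "__main__":
    gate = IssuanceGate(SAMPLE_CLAIMED, sample_resolver)
    for host in ("MyApp.TheirDomain.com.", "stale.theirdomain.com",
                 "evil.attacker.example", "*.theirdomain.com"):
        print(host, gate.request(host))
```

The "not claimed" branch is the one that matters: the CNAME check only confirms that validation would succeed, it says nothing about whether you want the certificate in the first place.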

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.