Domain Validation Challenges with Certbot

Published: 2024-06-19 | Updated: 2024-06-13

First of all, Certbot (with the HTTP-01 and TLS-ALPN-01 challenges described below) requires that DNS for your domain resolve to the IP address of the server where Certbot is being run before a certificate can be issued. This is because certificate issuance involves domain validation, in which the Certificate Authority (CA) must verify that you control the domain.

So once you have your site in place and successfully serving unsecured content via http (as opposed to https), you’re ready to get your TLS certificate installed. But before Certbot can obtain and install a certificate, the CA must validate that the domain is controlled by the server making the request. These are the challenge types by which that validation is performed.

  1. HTTP-01 Challenge:

    • The CA makes an HTTP request to a specific URL under http://yourdomain.com/.well-known/acme-challenge/ (one per challenge token) to verify control over the domain.
    • The domain must resolve to the IP address of the server running Certbot because the server must serve a specific validation file over HTTP through Nginx.
  2. DNS-01 Challenge:

    • The CA checks for a specific DNS record to confirm domain ownership.
    • This method does not require the domain to resolve to the server running Certbot, but it does require you to be able to add a specific DNS TXT record.
  3. TLS-ALPN-01 Challenge:

    • The CA makes a TLS connection to the domain and expects a specific certificate during the TLS handshake.
    • The domain must resolve to the IP address of the server running Certbot, which must serve a special TLS certificate for validation through Nginx.
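
As an added illustration that is not part of the original post, the following Python derives, from one ACME challenge token and one account key, the value each of the three challenges above expects to find: the HTTP-01 response body, the DNS-01 TXT record, and the digest carried in the TLS-ALPN-01 validation certificate (per RFC 8555 §8 and RFC 8737). The token and the JWK are constructed sample values, not a real account key.

```python
import base64
import hashlib
import json

# Constructed sample values for illustration only (not a real ACME token or account key).
SAMPLE_TOKEN = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "ignored-by-thumbprint",  # non-required members are excluded from the thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON (sorted, no whitespace) of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(thumbprint(accountKey)) (RFC 8555 §8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> dict:
    """HTTP-01: the web server must return the key authorization at this path, as text/plain."""
    return {"path": f"/.well-known/acme-challenge/{token}", "body": key_authorization(token, jwk)}


def dns01_txt_record(domain: str, token: str, jwk: dict) -> dict:
    """DNS-01: TXT record at _acme-challenge.<domain> holding base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{domain}", "value": b64url(digest)}


def tls_alpn01_acme_identifier(token: str, jwk: dict) -> str:
    """TLS-ALPN-01: SHA-256(keyAuthorization), shown as hex; it goes in the cert's acmeIdentifier extension."""
    return hashlib.sha256(key_authorization(token, jwk).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(http01_response(SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_txt_record("yourdomain.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print(tls_alpn01_acme_identifier(SAMPLE_TOKEN, SAMPLE_JWK))
```

The DNS-01 and TLS-ALPN-01 values are the same SHA-256 digest in two encodings, which is why the second is a useful cross-check when debugging a failed validation.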