Domain Validation Challenges with Certbot
Published: 2024-06-19 | Updated: 2024-06-13First of all, Certbot requires that DNS for your domain resolves to the IP address of the server where Certbot is being run before a certificate can be issued. This is because the certificate issuance process involves domain validation, where the Certificate Authority (CA) must verify that you control the domain.
So once you have your site in place and successfully serving unsecured content via http (as opposed to https), you’re ready to get your TLS certificate installed. But before Certbot will install a certificate it must validate that the domain resides on the server making the request. These are the processes by which it accomplishes that task.
-
HTTP-01 Challenge:
- The CA makes an HTTP request to a specific URL (e.g.,
http://yourdomain.com/.well-known/acme-challenge/
) to verify control over the domain. - The domain must resolve to the IP address of the server running Certbot because the server must serve a specific validation file over HTTP through Nginx.
- The CA makes an HTTP request to a specific URL (e.g.,
-
DNS-01 Challenge:
- The CA checks for a specific DNS record to confirm domain ownership.
- This method does not require the domain to resolve to the server running Certbot, but it does require you to be able to add a specific DNS TXT record.
-
TLS-ALPN-01 Challenge:
- The CA makes a TLS connection to the domain and expects a specific certificate during the TLS handshake.
- The domain must resolve to the IP address of the server running Certbot, which must serve a special TLS certificate for validation through Nginx.