HTTP-01 Challenge Setup: Nginx, Apache & Load Balancer Configuration
Configure HTTP-01 challenge validation for ACME. Web server setup for Nginx, Apache, IIS, and handling challenges behind reverse proxies and CDNs. Here you’ll find directory layout, permissions, and platform-specific steps so the CA can reach your validation endpoint.
HTTP-01 Challenge Configuration
TL;DR: HTTP-01 configuration requires creating a /.well-known/acme-challenge/ directory with proper permissions and web server settings to serve challenge tokens, enabling automated certificate validation.
Overview
Successful HTTP-01 challenge validation depends on precise web server configuration and file placement patterns. This guide covers the directory structures, permission requirements, and platform-specific configurations needed for reliable certificate automation. Operations teams configure these elements to ensure certificate authorities can validate domain ownership during the ACME issuance process.
Production environments require different configuration approaches based on hosting platforms, web servers, and deployment architectures. Understanding proper file placement, directory structures, and server configurations enables teams to implement certificate automation that works consistently across diverse infrastructure. The configuration must balance security requirements with the accessibility needed for validation.
Platform-specific patterns address cPanel hosting, IIS installations, CDN integration, and enterprise deployment scenarios. Each configuration type has unique requirements for file permissions, directory locations, and server integration. Implementing these patterns correctly prevents common validation failures and maintains certificate renewal reliability.
Challenge File Structure and Placement
Standard Directory Structure
The HTTP-01 challenge follows a standardized directory structure that must be accessible via port 80. The challenge file location follows the pattern:
.well-known/acme-challenge/-hdQ4UKMI7oKyJZbO74n34wKW6HqsDfBRxKcHqKsTuA
This example shows the HTTP-01 challenge file location and token structure: the token serves as both the filename and the identifier for validation.
File Content Format
HTTP-01 challenge files must contain specific content in plain text. The file content is the token concatenated with the account key thumbprint, separated by a period. This is the key authorization that Let’s Encrypt validation servers expect to retrieve.
Manual File Placement
For manual HTTP-01 challenge file placement, create the .well-known/acme-challenge/ directory in your web root and place the challenge file with the exact token name. The manual HTTP-01 challenge file upload location must be publicly accessible without requiring authentication or special headers.
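As an added example (not code from the page or its sources), the following Python builds the key authorization described under File Content Format and places it as described under Manual File Placement. The account key JWK, the webroot path and the token are constructed sample values; the thumbprint is computed per RFC 7638, and the token is validated before it is used as a filename.

```python
import base64
import hashlib
import json
import os
import re

# An ACME token uses only the unpadded base64url alphabet (RFC 8555, section 8.3).
# Enforcing that before using the token as a filename also blocks path traversal.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Unpadded base64url encoding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members only, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects to fetch: token '.' account-key thumbprint."""
    if not TOKEN_RE.match(token):
        raise ValueError("token contains characters outside the base64url alphabet")
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge_file(webroot: str, token: str, jwk: dict) -> str:
    """Create <webroot>/.well-known/acme-challenge/<token> (no extension) and return its path."""
    body = key_authorization(token, jwk)  # validates the token before it touches the filesystem
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, mode=0o755, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    os.chmod(path, 0o644)  # readable by the web server, writable only by the owner
    return path


# Constructed sample: public members of an EC P-256 account key (not a real account key).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",  # optional member; it must not affect the thumbprint
}
```

Calling write_challenge_file("/var/www/html", token, SAMPLE_JWK) produces exactly the path pattern shown above; the optional "alg" member is ignored by the thumbprint, as RFC 7638 requires.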
Platform-Specific Configurations
cPanel and Shared Hosting
For HTTP-01 challenge file placement on cPanel shared hosting environments, create the challenge directory structure within the public_html folder:
public_html/.well-known/acme-challenge/
The correct directory structure for HTTP-01 challenges on cPanel/GoDaddy hosting requires that the .well-known directory has proper permissions (typically 755) and is accessible via HTTP.
IIS Configuration
For IIS website root path configuration, the HTTP-01 challenge file placement requires creating the challenge directory within the site’s physical path. Configure IIS to serve static files from the .well-known/acme-challenge/ directory without additional processing.
IBM Domino Server
The challenge file location for IBM Domino server with the LE4D client follows a specific file path structure within the Domino data directory. Ensure the HTTP server task can serve files from the designated challenge directory.
Note that Domino 12 and later include a built-in CertMgr that handles HTTP-01 challenges automatically via CertStore.nsf; it can also place challenge files in the correct locations.
Enterprise Implementation Patterns
Exchange Server Integration
For ACMEExchange client deployment on Exchange 2019, allow port 80 access strictly to the .well-known directory. This security-focused approach permits challenge validation while maintaining the server’s security posture.
# Exchange 2019 configuration example
New-WebVirtualDirectory -Site "Default Web Site" -Name ".well-known" -PhysicalPath "C:\inetpub\wwwroot\.well-known"
CDN Integration
HTTP-01 challenge file placement for CDN integration requires configuring origin pull behavior to serve challenge files directly from the origin server, bypassing CDN caching for the .well-known/acme-challenge/ path.
Automated Client Configurations
CertSage Configuration
For HTTP-01 challenge file placement using CertSage, the client handles automatic file creation and cleanup. The CertSage ACME client file extension requirement specifies that challenge files must not have file extensions and should be served with the text/plain MIME type (the MIME type is not required by the standard).
C# Implementation
C# SSL certificate generation using the Certes library provides programmatic HTTP-01 challenge handling. The library manages token generation, key authorization formatting, and validation requests; your code places the file.
// Example Certes library implementation: obtain the HTTP-01 challenge for the order's authorization
var authz = (await order.Authorizations()).First();
var httpChallenge = await authz.Http();
// Serve httpChallenge.KeyAuthz at /.well-known/acme-challenge/{httpChallenge.Token}, then ask the CA to validate
await httpChallenge.Validate();
Validation and Testing
Accessibility Verification
Use accessibility testing to verify the .well-known directory is accessible and returns a 200 status code. The HTTP-01 challenge validation path must be reachable from Let’s Encrypt validation servers without redirects or authentication.
# Test challenge file accessibility
curl -I http://yourdomain.com/.well-known/acme-challenge/test-file
Response Format Compliance
Ensure an RFC 8555 compliant HTTP-01 challenge response format by serving challenge files with appropriate headers:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: [length]

[token].[account-key-thumbprint]
Server Configuration Requirements
Web Server Setup
Standard HTTP-01 challenge file serving configuration requires enabling static file serving for the challenge directory. Configure your web server to serve files from .well-known/acme-challenge/ without requiring authentication.
Stateless Implementation
Implement stateless HTTP-01 challenge response patterns to handle validation requests efficiently. This approach allows multiple server instances to handle validation requests without session dependencies.
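An added example, not part of the original page, for the Web Server Setup and Stateless Implementation sections: a small Python responder that derives every answer from the request path and one configured account-key thumbprint, so any instance behind a load balancer can serve the challenge with no shared files or sessions. The thumbprint value is a constructed placeholder and the listening port is an assumption.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME tokens are unpadded base64url (RFC 8555 s.8.3)

# Assumed deployment: every instance is configured with the same account-key thumbprint,
# which is derived from the public key and is not a secret. Constructed placeholder value.
ACCOUNT_THUMBPRINT = "CONSTRUCTED_THUMBPRINT_PLACEHOLDER"


def stateless_response(path: str, thumbprint: str = ACCOUNT_THUMBPRINT):
    """Map a request path to (status, content_type, body) without any per-challenge state.

    The key authorization is simply token '.' thumbprint, so no instance needs to know which
    tokens the CA issued, and no challenge files have to be synchronised across a pool.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, "text/plain", b"not found\n"
    token = path[len(CHALLENGE_PREFIX):].split("?", 1)[0]
    if not TOKEN_RE.match(token):  # rejects empty names, '..', nested paths, any non-base64url byte
        return 404, "text/plain", b"not found\n"
    return 200, "text/plain", f"{token}.{thumbprint}".encode("ascii")


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal responder that emits the RFC 8555 response shape from the Response Format section."""

    def _reply(self, send_body: bool) -> None:
        status, ctype, body = stateless_response(self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self) -> None:
        self._reply(send_body=True)

    def do_HEAD(self) -> None:  # lets 'curl -I' style checks succeed
        self._reply(send_body=False)


if __name__ == "__main__":
    # Port 8080 for an unprivileged demo; in production a listener or proxy on port 80 fronts it.
    HTTPServer(("", 8080), ChallengeHandler).serve_forever()
```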
Security Considerations
Access Control
Configure precise access control for HTTP-01 challenge file placement in web hosting environments. Limit write access to the challenge directory while ensuring read access for validation servers.
File Management
For manual HTTP-01 challenge file placement for Let’s Encrypt validation, implement proper file cleanup procedures to remove challenge files after validation completes. This prevents accumulation of unused challenge files and reduces potential security exposure.
Troubleshooting Common Issues
File Naming Conventions
HTTP-01 challenge file content and naming convention requirements specify that filenames must exactly match the provided token without file extensions. Ensure case sensitivity is maintained across all platforms.
Directory Permissions
Verify that Let’s Encrypt validation servers can access challenge files by testing HTTP requests to the challenge URL. Common issues include incorrect directory permissions, missing MIME type configurations, or firewall restrictions blocking port 80 access.
Domain-Specific Workarounds
For domains with limited DNS record support, HTTP-01 challenges provide an alternative validation method. Configure challenge file serving as a workaround when DNS-01 challenges are not feasible due to DNS provider limitations.
Related Documentation
- HTTP-01 Challenge Overview - Architectural patterns and validation flow
- HTTP-01 Challenge Commands - ACME client command reference
- HTTP-01 Challenge Troubleshooting - Error resolution and debugging
- HTTP-01 Challenge API Reference - ACME protocol endpoints
- Certificate Lifecycle Management - Certificate automation strategies
- DNS-01 Challenge Validation - Alternative DNS-based validation