HTTP-01 is the most common ACME challenge type for getting an SSL certificate. The CA verifies that you control a domain by fetching a specific file from your web server over plain HTTP on port 80. It’s simpler than DNS-01 but can’t be used for wildcard certificates.
How it works
1. Let’s Encrypt gives you a token (a random string)
2. You create a file at `http://yourdomain.com/.well-known/acme-challenge/{token}`
3. The file content is the key authorization, which is the token combined with your ACME account key thumbprint
4. Let’s Encrypt fetches this URL from the public internet
5. If the content matches, the challenge passes and your certificate is issued
With GetHTTPS, steps 1 and 3 are handled automatically — you just need to place the file on your server with the values shown on screen.
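As an added example (not GetHTTPS’s own code), this Python script shows how the values in steps 1 and 3 are derived, using only the standard library: the RFC 7638 thumbprint of the account key’s public JWK, and the RFC 8555 key authorization that goes into the file. `SAMPLE_TOKEN` and `SAMPLE_JWK` are constructed placeholders, not real ACME data, and `token_is_safe` is an added defensive check: the token becomes a file name on your server, so it is worth confirming it contains only base64url characters before writing it. `body_matches` mirrors the comparison the CA performs, ignoring trailing whitespace as RFC 8555 allows, which is why a file written with `echo` (which appends a newline) still validates.

```python
import base64
import hashlib
import json
import re

# Constructed sample values, not real ACME data: a token in the same
# base64url alphabet a CA uses, and an RSA public JWK with a made-up modulus.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "constructedModulus0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_",
    "e": "AQAB",
}

# RFC 7638: only these public members, sorted lexicographically, feed the thumbprint.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_is_safe(token: str) -> bool:
    """RFC 8555 tokens use only the base64url alphabet. Checking this before
    using the token as a file name keeps a malformed token from turning into
    a path such as '../something' when the challenge file is written."""
    return _TOKEN_RE.fullmatch(token) is not None


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no
    whitespace) of the required public members only. Private members such as
    'd' never take part, so the thumbprint is safe to publish."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(SHA-256(JWK thumbprint))."""
    if not token_is_safe(token):
        raise ValueError("token contains characters outside the base64url alphabet")
    return f"{token}.{jwk_thumbprint(jwk)}"


def body_matches(served_body: str, expected: str) -> bool:
    """Compare what the web server actually returned with the expected key
    authorization. RFC 8555 section 8.3 lets the CA ignore trailing whitespace,
    so an echo-written file (trailing newline) passes; anything else, such as
    an HTML wrapper added by a hosting panel, fails."""
    return served_body.rstrip() == expected


if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("file name   :", SAMPLE_TOKEN)
    print("file content:", ka)
```

Running the script prints the file name (the token) and the file content (the key authorization) for the constructed sample, which is the same pair GetHTTPS shows you on screen for a real order.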
How to place the challenge file
Via SSH (Linux/Nginx/Apache)
```bash
# Create the directory
mkdir -p /var/www/html/.well-known/acme-challenge/
# Create the file with the exact values from GetHTTPS
echo "KEY_AUTHORIZATION_FROM_GETHTTPS" > /var/www/html/.well-known/acme-challenge/TOKEN_FROM_GETHTTPS
# Verify it's accessible
curl http://yourdomain.com/.well-known/acme-challenge/TOKEN_FROM_GETHTTPS
```
Via cPanel File Manager
- Navigate to `public_html`
- Create the folder `.well-known`; inside it, create the folder `acme-challenge`
- Create a new file named with the token value
- Paste the key authorization as the file content
- Ensure permissions are 644 (readable by the web server)
Via FTP
- Connect to your site root
- Create the `.well-known/acme-challenge/` directory path
- Upload a text file named with the token, containing the key authorization
Server configuration
Some web servers need configuration to serve files from .well-known:
Nginx
```nginx
# Add to your server block if .well-known returns 404
location /.well-known/acme-challenge/ {
    root /var/www/html;
    allow all;
}
```
Apache
Apache usually serves .well-known by default. If not:
```apache
Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
<Directory "/var/www/html/.well-known/acme-challenge/">
    AllowOverride None
    Options None
    Require all granted
</Directory>
```
Node.js / Express
```javascript
// Serves ./challenges/<token> at /.well-known/acme-challenge/<token>
app.use('/.well-known/acme-challenge', express.static('challenges'));
```
Requirements
- The domain must resolve to a public IP address your server is on
- Port 80 must be open — Let’s Encrypt always validates over HTTP, not HTTPS
- The response must return HTTP 200 OK
- No cross-domain redirects — same-domain HTTP→HTTPS redirects are OK
- The file must be accessible without authentication (no Basic Auth, no login wall)
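The requirements above are exactly what a pre-check should test before you submit the order. The following Python script is an added example, not GetHTTPS’s pre-check code: `precheck` fetches the challenge URL the way a CA would, following only same-host redirects, rejecting 401/403 (an auth wall), requiring 200 OK, and comparing the body with the key authorization while ignoring trailing whitespace as RFC 8555 permits. `demo` places a constructed challenge file on a throwaway local web server (standard-library `http.server`) so the whole thing runs offline; the token and thumbprint in it are constructed placeholders, and the script does not check DNS resolution or whether port 80 is reachable from the outside, which still have to be verified from another network.

```python
import functools
import http.client
import http.server
import os
import shutil
import tempfile
import threading
import urllib.parse

CHALLENGE_DIR = ".well-known/acme-challenge"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch_once(url: str):
    """One GET without following redirects; returns (status, location, body)."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)   # port defaults to 443 / 80
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    try:
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("GET", path, headers={"User-Agent": "http01-precheck"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def precheck(url: str, expected: str, max_redirects: int = 5):
    """Apply the requirements list: 200 OK, redirects only within the same host,
    no authentication, body equal to the key authorization (trailing whitespace
    ignored, as RFC 8555 section 8.3 allows). Returns (ok, reason)."""
    start_host = urllib.parse.urlsplit(url).hostname
    for _ in range(max_redirects + 1):
        try:
            status, location, body = fetch_once(url)
        except (OSError, http.client.HTTPException) as exc:
            return False, f"connection failed: {exc}"
        if status in REDIRECT_CODES:
            if not location:
                return False, f"HTTP {status} without a Location header"
            url = urllib.parse.urljoin(url, location)
            if urllib.parse.urlsplit(url).hostname != start_host:
                return False, f"cross-domain redirect to {url}"
            continue          # same-host redirect (e.g. HTTP to HTTPS) is allowed
        if status in (401, 403):
            return False, f"HTTP {status}: the file is behind authentication or forbidden"
        if status != 200:
            return False, f"HTTP {status} (expected 200 OK)"
        if body.decode("utf-8", errors="replace").rstrip() != expected:
            return False, "content does not match the key authorization"
        return True, "ok"
    return False, "too many redirects"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):      # keep the demo output clean
        pass


def serve_directory(root: str):
    """Throwaway local web server on 127.0.0.1 serving `root`; returns (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"http://{host}:{port}"


def demo():
    """Place a constructed challenge file on a local server and pre-check it
    three ways: correct file, missing file, wrong expected content."""
    token = "constructedToken_AbC123"            # constructed, not a real token
    expected = token + ".constructedThumbprint"  # constructed key authorization
    root = tempfile.mkdtemp()
    server = None
    try:
        os.makedirs(os.path.join(root, CHALLENGE_DIR))
        with open(os.path.join(root, CHALLENGE_DIR, token), "w") as fh:
            fh.write(expected + "\n")            # echo-style trailing newline
        server, base = serve_directory(root)
        good = precheck(f"{base}/{CHALLENGE_DIR}/{token}", expected)
        missing = precheck(f"{base}/{CHALLENGE_DIR}/no-such-token", expected)
        wrong = precheck(f"{base}/{CHALLENGE_DIR}/{token}", "something-else")
    finally:
        if server:
            server.shutdown()
            server.server_close()
        shutil.rmtree(root, ignore_errors=True)
    return good, missing, wrong


if __name__ == "__main__":
    for label, result in zip(("correct", "missing", "wrong"), demo()):
        print(f"{label:8s} -> {result}")
```

To use `precheck` against a real server, call it with `http://yourdomain.com/.well-known/acme-challenge/TOKEN` and the key authorization GetHTTPS showed you, from a machine outside your own network; a `(False, ...)` result names the requirement that failed before a rate-limited attempt is spent.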
When to use HTTP-01
| Scenario | HTTP-01? |
|---|---|
| Single domain certificate | ✅ Yes — simplest option |
| Domain + www certificate | ✅ Yes — one challenge per name |
| Wildcard certificate (*.example.com) | ❌ No — use DNS-01 |
| Port 80 is blocked | ❌ No — use DNS-01 |
| Behind Cloudflare proxy | ⚠️ May need to gray-cloud DNS first |
| No server access at all | ❌ No — use DNS-01 (only needs DNS access) |
HTTP-01 vs DNS-01
| | HTTP-01 | DNS-01 |
|---|---|---|
| What you do | Place a file on your server | Add a TXT record in DNS |
| Access needed | Web server file system | Domain DNS settings |
| Port requirement | Port 80 open | None |
| Wildcard support | ❌ | ✅ |
| Speed | Instant (if file is accessible) | 1-15 min (DNS propagation) |
| Works behind CDN | ⚠️ May need CDN bypass | ✅ Always works |
| Best for | Most single-domain certs | Wildcards, no-server-access, CDN setups |
Troubleshooting
Challenge file returns 404
- Check the exact path: it must be `/.well-known/acme-challenge/TOKEN` with no extra slashes
- Check file permissions: `chmod 644`
- Nginx: your config may block dotfiles. Add the `location` block shown above
- cPanel: the file manager may hide `.well-known`; enable “Show Hidden Files”
Challenge fails despite file being accessible
- Check from outside your network: run `curl http://yourdomain.com/.well-known/acme-challenge/TOKEN` from a different machine, or use a web-based tool
- DNS may point to a different server: verify that `dig +short yourdomain.com` returns your server’s IP
- Cloudflare proxy: temporarily switch to DNS-only (gray cloud) during validation
Port 80 is blocked
Some hosts or firewalls block port 80. Options:
- Open port 80 (even just temporarily for validation)
- Switch to DNS-01 challenge — doesn’t need port 80
- Ask your hosting provider to allow `.well-known` through their proxy
“too many requests” error
You’ve hit Let’s Encrypt’s rate limits. Wait and retry. GetHTTPS’s pre-check helps avoid wasted attempts by verifying the file is accessible before submitting.
Frequently asked questions
Can I delete the challenge file after getting the certificate?
Yes. The file is only needed during validation. Once your certificate is issued, delete the .well-known/acme-challenge/ directory and its contents. You’ll create new files when you renew.
Does the file need to be served over HTTPS?
No. Let’s Encrypt always validates HTTP-01 over plain HTTP (port 80), even if your site supports HTTPS. Same-domain HTTP→HTTPS redirects are followed, but the initial request is always HTTP.
Can I use HTTP-01 for multiple domains in one certificate?
Yes. Each domain in the certificate needs its own challenge file. If you’re getting a cert for example.com and www.example.com, you place two files — one token per domain. GetHTTPS handles them sequentially.
What’s the “pre-check” in GetHTTPS?
Before submitting to Let’s Encrypt, GetHTTPS verifies your challenge file is accessible from the public internet (via Google’s DNS-over-HTTPS). This catches configuration errors before they burn a rate limit attempt — a feature other browser-based tools don’t have.