When you need to get a certificate from a service like Let’s Encrypt, you must prove control over every domain the certificate will cover. This is achieved using challenges. But what types of challenges are available?
1. HTTP-01 Challenge
The most common and widely used type is the HTTP-01 challenge. With this method, you receive a token that must be placed in your web server at the following path:
http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>
Key Details:
- The HTTP-01 challenge can only be performed on port 80. Allowing arbitrary ports would reduce security and is therefore prohibited by the ACME standard.
Pros:
- Easy to automate without requiring extra knowledge about a domain’s configuration.
- Allows hosting providers to issue certificates for domains CNAMEd to them.
- Compatible with standard web servers.
- Can validate IP addresses.
Cons:
- Cannot be used to issue wildcard certificates.
- Fails if your ISP blocks port 80.
- Requires ensuring the token file is available across all web servers in a distributed setup.
2. DNS-01 Challenge
This challenge requires proving control over the domain’s DNS configuration by creating a TXT record, whose value is derived from the challenge token, like this:
_acme-challenge.<YOUR_DOMAIN> TXT TOKEN
You can also use CNAME or NS records to delegate the validation process to another DNS zone, a method known as DCV delegation.
Pros:
- Supports wildcard certificates.
- Effective for domains with multiple web servers.
- Works for domain names with web servers that aren’t exposed to the public internet.
Cons:
- Some DNS providers lack API support for automation.
- DNS propagation delays: the new TXT record must be visible to the CA’s resolvers before validation can succeed.
- Cannot validate IP addresses.
3. Other Challenges
There are additional challenges like TLS-ALPN-01 and TLS-SNI-01, but these are either deprecated or not widely supported and are therefore not covered in detail here.
4. DCV Delegation (Domain Control Validation Delegation)
DCV delegation enables a third party to handle domain control validation on behalf of the domain owner. This is especially helpful in large organizations, multi-tenant platforms, or managed service environments.
How DCV Delegation Works
- Authorization for Delegation: The domain owner explicitly delegates validation to a third party, typically by adding specific DNS records (e.g., CNAME or TXT) that redirect the validation process.
- Third-Party Validation: The delegated party performs DCV using methods like DNS-01 or HTTP-01 challenges.
- Certificate Issuance: After successful validation, the Certificate Authority issues the certificate.
Common Use Cases for DCV Delegation
- Multi-Tenant Platforms: For SaaS platforms with custom domains, customers delegate validation to the platform provider, simplifying certificate management.
- CDN or Reverse Proxy Services: CDNs and reverse proxies manage SSL/TLS certificates for customer domains through delegation.
- Enterprise Automation: Centralized teams or vendors handle certificates for multiple domains in complex environments.
Benefits of DCV Delegation
- Simplifies certificate management for domain owners.
- Automates DCV for timely certificate issuance and renewal.
- Scales to handle thousands of domains efficiently.
- Enhances customer experience in white-label scenarios.
Trade-offs and Considerations
- Trust: The domain owner must trust the delegated party.
- Dependency: Disruptions in the delegated party’s infrastructure could impact certificate issuance.
- Configuration: Clear setup instructions are necessary for proper delegation.
Example Scenario: SaaS Platform with Custom Domains
A SaaS platform (e.g., platform.com) supports custom domains for its customers (e.g., customer.example.com). To simplify the process, the platform instructs customers to add a CNAME record:
_acme-challenge.customer.example.com. IN CNAME _acme-challenge.platform.com.
The platform then handles validation and automates certificate issuance and renewal for customer.example.com.
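As an added example (not code from the original post), the following Python sketch shows how a CA derives the HTTP-01 key authorization and the DNS-01 TXT value from the challenge token and the account key (RFC 8555), and how the DNS-01 check follows the delegation CNAME from the customer’s zone into the platform’s zone. The account key, token and zone contents are constructed sample data, and a plain dict stands in for real DNS.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key. Assumes jwk holds only the
    required members (for EC: crv, kty, x, y), serialised sorted with no whitespace."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01 body served at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 TXT value: base64url(SHA-256(key authorization)), not the raw token."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Return TXT strings for name, following CNAMEs the way a resolver does.
    zone maps a fully qualified name to ("CNAME", target) or ("TXT", [values])."""
    for _ in range(max_hops):
        rr = zone.get(name.lower().rstrip(".") + ".")
        if rr is None:
            return []                      # NXDOMAIN / no record: validation fails
        if rr[0] == "CNAME":
            name = rr[1]                   # delegation hop into the other zone
            continue
        return list(rr[1]) if rr[0] == "TXT" else []
    raise ValueError("CNAME chain too long (possible loop)")

def validate_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """The CA-side check: some TXT under _acme-challenge.<domain> (after CNAMEs) matches."""
    return dns01_txt_value(token, jwk) in resolve_txt(zone, f"_acme-challenge.{domain}")

# Constructed sample data: a dummy EC account key, a sample token, and a zone in which
# the customer delegates validation to the platform via the CNAME from the scenario above.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14LWNvb3JkaW5hdGU", "y": "c29tZS15LWNvb3JkaW5hdGU"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ZONE = {
    "_acme-challenge.customer.example.com.": ("CNAME", "_acme-challenge.platform.com."),
    "_acme-challenge.platform.com.": ("TXT", [dns01_txt_value(TOKEN, ACCOUNT_JWK)]),
    "_acme-challenge.other.example.com.": ("TXT", ["stale-value-from-an-old-order"]),
}
```

Because the TXT value is bound to both the token and the account key, a stale record left in DNS from an earlier order (as for other.example.com above) cannot satisfy a new challenge.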
By understanding these validation methods and the use of delegation, you can streamline certificate issuance and management for a wide range of scenarios. Choose the challenge that best fits your environment, and leverage delegation for even greater automation and efficiency.