When you need to get a certificate from a service like Let's Encrypt, you must prove control of every domain name the certificate will cover. This is done with challenges defined by the ACME protocol (RFC 8555). But what types of challenges are available?

1. HTTP-01 Challenge

The most common and widely used type is the HTTP-01 challenge. With this method, the CA gives you a token, and you must serve a file at the following path on your web server:

http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>

The body of that file is not the bare token but the key authorization: the token, a period, and the base64url-encoded thumbprint (RFC 7638) of your ACME account key. This binds the challenge to your account, so a third party who merely sees the token cannot answer it. The CA fetches the URL and compares the body with the value it expects.

Key Details:

  • The HTTP-01 challenge can only be performed on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure and is therefore prohibited by the ACME standard. The CA's initial request goes to port 80, but Let's Encrypt follows HTTP redirects, including to HTTPS on port 443, so a server that redirects all plain-HTTP traffic still passes as long as the final URL serves the same body.

Pros:

  • Easy to automate without requiring extra knowledge about a domain’s configuration.
  • Allows hosting providers to issue certificates for domains CNAMEd to them.
  • Compatible with standard web servers.
  • Can validate IP addresses.

Cons:

  • Cannot be used to issue wildcard certificates.
  • Fails if your ISP blocks port 80.
  • Requires ensuring the token file is available across all web servers in a distributed setup.

2. DNS-01 Challenge

This challenge requires proving control over the domain's DNS configuration by creating a TXT record like this:

_acme-challenge.<YOUR_DOMAIN>. IN TXT "<VALUE>"

The value is not the raw token either: it is the base64url-encoded SHA-256 digest of the same key authorization used by HTTP-01 (token plus account-key thumbprint). The CA queries the TXT record set and passes the challenge if any record matches, so several pending validations can coexist at the same name.

You can also use CNAME or NS records to delegate the validation process to another DNS zone, a method known as DCV delegation.

Pros:

  • Supports wildcard certificates.
  • Effective for domains with multiple web servers.
  • Works for domain names with web servers that aren’t exposed to the public internet.

Cons:

  • Some DNS providers lack API support for automation.
  • DNS propagation time: the new TXT record must be visible to the CA's resolvers before the challenge is triggered, and stale records should be removed afterwards.
  • Cannot validate IP addresses.

3. Other Challenges

There are additional challenges. TLS-ALPN-01 (RFC 8737) validates over TLS on port 443 using the acme-tls/1 ALPN protocol and is useful when port 80 is blocked, but it requires a server or proxy that implements it and cannot issue wildcards. TLS-SNI-01 was withdrawn by Let's Encrypt and removed from the ACME specification, so it should not be used. Neither is covered in detail here.

4. DCV Delegation (Domain Control Validation Delegation)

DCV delegation enables a third party to handle domain control validation on behalf of the domain owner. This is especially helpful in large organizations, multi-tenant platforms, or managed service environments.

How DCV Delegation Works

  1. Authorization for Delegation: The domain owner explicitly delegates validation to a third party by adding DNS records that redirect the validation process: a CNAME or NS record on the _acme-challenge name for DNS-01, or an A/AAAA/CNAME record that routes the hostname itself to the third party for HTTP-01.
  2. Third-Party Validation: The delegated party answers the DNS-01 or HTTP-01 challenge from its own infrastructure, using its own ACME account.
  3. Certificate Issuance: After successful validation, the Certificate Authority issues the certificate to the delegated party.

Common Use Cases for DCV Delegation

  • Multi-Tenant Platforms: For SaaS platforms with custom domains, customers delegate validation to the platform provider, simplifying certificate management.
  • CDN or Reverse Proxy Services: CDNs and reverse proxies manage SSL/TLS certificates for customer domains through delegation.
  • Enterprise Automation: Centralized teams or vendors handle certificates for multiple domains in complex environments.

Benefits of DCV Delegation

  • Simplifies certificate management for domain owners.
  • Automates DCV for timely certificate issuance and renewal.
  • Scales to handle thousands of domains efficiently.
  • Enhances customer experience in white-label scenarios.

Trade-offs and Considerations

  • Trust: The domain owner must trust the delegated party, which can obtain certificates for the name for as long as the delegation record exists. A CAA record (RFC 8659) with the accounturi or validationmethods parameters (RFC 8657) limits which CA, account and challenge type may be used; the delegation record should be removed when the relationship ends.
  • Dependency: Disruptions in the delegated party's infrastructure block renewal, so certificate expiry becomes an outage of the delegate, not of the domain owner's DNS.
  • Configuration: Clear setup instructions are necessary for proper delegation, including the exact owner name and target of the record.

Example Scenario: SaaS Platform with Custom Domains

A SaaS platform (e.g., platform.com) supports custom domains for its customers (e.g., customer.example.com). To simplify the process, the platform instructs customers to add a CNAME record on the _acme-challenge name of the custom hostname:

_acme-challenge.customer.example.com. IN CNAME _acme-challenge.platform.com.

The platform then publishes the TXT value for each pending validation in its own zone, answers the DNS-01 challenge, and automates certificate issuance and renewal for customer.example.com. Because many customers may share one target name, the platform must tolerate several TXT records there at once (the CA accepts any match) and remove each value after its challenge completes; a per-customer target name keeps the records separate.


By understanding these validation methods and the use of delegation, you can streamline certificate issuance and management for a wide range of scenarios. Choose the challenge that best fits your environment, and leverage delegation for even greater automation and efficiency.