HTTP-01 Challenge Configuration
TL;DR: HTTP-01 configuration requires creating /.well-known/acme-challenge/ directories with proper permissions and web server settings to serve challenge tokens, enabling automated certificate validation.
Overview
Successful HTTP-01 challenge validation depends on precise web server configuration and file placement patterns. This guide covers the directory structures, permission requirements, and platform-specific configurations needed for reliable certificate automation. Operations teams configure these elements to ensure certificate authorities can validate domain ownership during the ACME issuance process.
Production environments require different configuration approaches based on hosting platforms, web servers, and deployment architectures. Understanding proper file placement, directory structures, and server configurations enables teams to implement certificate automation that works consistently across diverse infrastructure. The configuration must balance security requirements with the accessibility needed for validation.
Platform-specific patterns address cPanel hosting, IIS installations, CDN integration, and enterprise deployment scenarios. Each configuration type has unique requirements for file permissions, directory locations, and server integration. Implementing these patterns correctly prevents common validation failures and maintains certificate renewal reliability.
Challenge File Structure and Placement
Standard Directory Structure
The HTTP-01 challenge follows a standardized directory structure that must be reachable over plain HTTP on port 80. The challenge URL follows the pattern http://<domain>/.well-known/acme-challenge/<token>.
The token serves as both the filename and the identifier the certificate authority uses to look up and validate the challenge.
File Content Format
HTTP-01 challenge files must contain a specific plain-text body: the token concatenated with the account key thumbprint, separated by a period. This string is the key authorization that Let's Encrypt validation servers expect to retrieve.
Manual File Placement
For manual HTTP-01 challenge file placement, create the .well-known/acme-challenge/ directory in your web root and place the challenge file there, named exactly as the token. The upload location must be publicly accessible without requiring authentication or special headers.
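The file content format and the manual placement described above, as an added example that is not part of the original page: the thumbprint is computed per RFC 7638, the key authorization is token.thumbprint, and the file is written with the exact token as its name. The EC point is the public test key from RFC 7515 Appendix A.3 and the token is constructed; neither is a real account key or CA-issued token.

```python
import base64
import hashlib
import json
import os
import re

# Sample values: EC point from RFC 7515 Appendix A.3, token constructed for this example.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet: no '.', '/', or extension

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the required members))."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def key_authorization(token, jwk):
    """Challenge file body as described above: <token>.<account key thumbprint>."""
    return token + "." + jwk_thumbprint(jwk)

def place_challenge_file(web_root, token, jwk):
    """Write the key authorization to <web_root>/.well-known/acme-challenge/<token>.

    Filename is exactly the token (no extension), body has no trailing newline,
    directories are 0755 and the file 0644 so the web server can read it. The token
    is checked first so a malformed value can never escape the challenge directory.
    """
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token must contain only base64url characters")
    challenge_dir = os.path.join(web_root, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, mode=0o755, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(key_authorization(token, jwk))
    os.chmod(path, 0o644)
    return path

def body_matches(body, token, jwk):
    """The CA-side check after fetching the URL: the body must equal the key
    authorization; RFC 8555 allows trailing whitespace to be ignored, so strip it."""
    return body.rstrip() == key_authorization(token, jwk).encode("ascii")
```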
Platform-Specific Configurations
cPanel and Shared Hosting
For HTTP-01 challenge file placement on cPanel shared hosting environments, create the challenge directory structure within the public_html folder, i.e. public_html/.well-known/acme-challenge/.
On cPanel/GoDaddy hosting the .well-known directory (and the acme-challenge directory beneath it) must have appropriate permissions (typically 755) and be reachable over HTTP.
IIS Configuration
For IIS website root path configuration, the HTTP-01 challenge file placement requires creating the challenge directory within the site's physical path. Configure IIS to serve static files from the .well-known/acme-challenge/ directory without additional processing.
IBM Domino Server
The challenge file location for an IBM Domino server using the LE4D client follows a specific path within the Domino data directory. Ensure the HTTP server task can serve files from the designated challenge directory.
Note that Domino 12 and later include a built-in CertMgr that handles HTTP-01 challenges automatically via CertStore.nsf; it can also place challenge files in the correct location.
Enterprise Implementation Patterns
Exchange Server Integration
For ACMEExchange client deployment on Exchange 2019, allow inbound port 80 access strictly to the .well-known directory. This security-focused approach permits challenge validation while maintaining the server's security posture.
# Exchange 2019 configuration example: create the challenge directory and expose it as an IIS virtual directory
Import-Module WebAdministration
New-Item -ItemType Directory -Force -Path "C:\inetpub\wwwroot\.well-known\acme-challenge"
New-WebVirtualDirectory -Site "Default Web Site" -Name ".well-known" -PhysicalPath "C:\inetpub\wwwroot\.well-known"
CDN Integration
HTTP-01 challenge file placement for CDN integration requires configuring origin pull behavior to serve challenge files directly from the origin server, bypassing CDN caching for the .well-known/acme-challenge/ path.
Automated Client Configurations
CertSage Configuration
When CertSage handles HTTP-01 challenge file placement, the client creates and removes the challenge files automatically. CertSage requires that challenge files have no file extension and expects them to be served with the text/plain MIME type (the MIME type is not required by the standard).
C# Implementation
C# SSL certificate generation using Certes library provides programmatic HTTP-01 challenge handling. The library manages token generation, file placement, and validation response formatting automatically.
// Example Certes library implementation (assumes `authz` is an IAuthorizationContext from order.Authorizations() and `webRoot` is the site's physical path)
var httpChallenge = await authz.Http();
var challengePath = Path.Combine(webRoot, ".well-known", "acme-challenge", httpChallenge.Token);
File.WriteAllText(challengePath, httpChallenge.KeyAuthz);   // filename = token, body = key authorization
await httpChallenge.Validate();                              // ask the CA to fetch and check the file
Validation and Testing
Accessibility Verification
Verify that the .well-known directory is reachable and returns a 200 status code. The HTTP-01 challenge validation path must be reachable from Let's Encrypt validation servers without redirects or authentication.
# Test challenge file accessibility
curl -I http://yourdomain.com/.well-known/acme-challenge/test-file
Response Format Compliance
Ensure an RFC 8555 compliant HTTP-01 challenge response by serving challenge files with appropriate headers: a 200 status, the key authorization as the entire body, and a plain-text content type (text/plain is conventional, although the standard does not require a particular MIME type).
Server Configuration Requirements
Web Server Setup
Standard HTTP-01 challenge file serving configuration requires enabling static file serving for the challenge directory. Configure your web server to serve files from .well-known/acme-challenge/ without requiring authentication.
Stateless Implementation
Implement stateless HTTP-01 challenge response patterns to handle validation requests efficiently. This approach allows multiple server instances to handle validation requests without session dependencies.
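The stateless pattern described above, as an added example that is not part of the original page: instead of writing files, every instance answers a request for /.well-known/acme-challenge/<token> with <token>.<thumbprint> computed on the fly, so any node behind a load balancer gives the same answer. ACCOUNT_THUMBPRINT is a constructed placeholder; a real deployment sets it once to the RFC 7638 thumbprint of the account key.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only
# Constructed placeholder. The real value is derived from the account's public key
# (RFC 7638), so it is not a secret, but it must match the key the ACME client uses.
ACCOUNT_THUMBPRINT = "EXAMPLE_THUMBPRINT_0000000000000000000000000"

def respond(path, thumbprint=ACCOUNT_THUMBPRINT):
    """Pure request logic: return (status, content_type, body) for a GET of `path`.

    No files and no per-instance state. Only an exact, well-formed token path gets
    200 with the key authorization as the whole body; anything else (bare prefix,
    extensions, traversal attempts, other paths) gets 404, never a redirect.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, "text/plain", b"not found"
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return 404, "text/plain", b"not found"
    return 200, "text/plain", f"{token}.{thumbprint}".encode("ascii")

class ChallengeHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around respond(); sits on port 80 in front of nothing else."""
    def do_GET(self):
        status, ctype, body = respond(self.path.split("?", 1)[0])
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), ChallengeHandler).serve_forever()
```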
Security Considerations
Access Control
Configure precise access control for HTTP-01 challenge file placement in web hosting environments. Limit write access to the challenge directory while ensuring read access for validation servers.
File Management
For manual HTTP-01 challenge file placement for Let's Encrypt validation, implement proper file cleanup procedures to remove challenge files after validation completion. This prevents accumulation of unused challenge files and reduces potential security exposure.
Troubleshooting Common Issues
File Naming Conventions
Filenames must exactly match the token provided by the certificate authority, with no file extension, and the file content must be the corresponding key authorization. Ensure case sensitivity is preserved across all platforms, since tokens are case-sensitive.
Directory Permissions
Verify that Let's Encrypt validation servers can access challenge files by testing HTTP requests to the challenge URL. Common issues include incorrect directory permissions, missing MIME type configurations, or firewall restrictions blocking port 80 access.
Domain-Specific Workarounds
For domains with limited DNS record support, HTTP-01 challenges provide an alternative validation method. Configure challenge file serving as a workaround when DNS-01 challenges are not feasible due to DNS provider limitations.
Related Documentation
- HTTP-01 Challenge Overview - Architectural patterns and validation flow
- HTTP-01 Challenge Commands - ACME client command reference
- HTTP-01 Challenge Troubleshooting - Error resolution and debugging
- HTTP-01 Challenge API Reference - ACME protocol endpoints
- Certificate Lifecycle Management - Certificate automation strategies
- DNS-01 Challenge Validation - Alternative DNS-based validation