HTTP-01 vs DNS-01: Picking the Right Let’s Encrypt Challenge
Choose the right validation method for issuance and renewal based on your hosting, DNS control, and certificate scope.

Tip
Inspect the current certificate, key, token, or endpoint output before changing deployment config; stale artifacts make fixes misleading.
Summary
Definition: HTTP-01 and DNS-01 are both ACME challenge types, but they fit different infrastructure and certificate goals.
Why it matters: Choosing the right challenge method affects whether issuance and renewal stay simple or become brittle.
Pitfall: Using the easier-looking challenge for the first issuance without thinking about renewals, wildcard needs, or DNS control.
Most Let’s Encrypt setup friction comes down to challenge selection. HTTP-01 is often straightforward for a public web server you control. DNS-01 is more flexible for wildcard certificates and some complex environments, but it depends on DNS access and automation.
Pick the challenge that will renew reliably, not just the one that gets the first certificate issued fastest.
How the challenge methods differ
- HTTP-01 proves control through web content served over HTTP for the requested domain.
- DNS-01 proves control by placing the required record in DNS and is required for wildcard certificates.
- Renewal reliability matters more than one-time setup speed.
| Factor | HTTP-01 | DNS-01 |
|---|---|---|
| Typical fit | Standard websites on reachable web servers | Wildcards, split environments, DNS-automated setups |
| Needs web server access | Yes | No |
| Needs DNS changes | No | Yes |
| Wildcard support | No | Yes |
Common wrong turns
- Choosing HTTP-01 for a wildcard certificate request.
- Picking DNS-01 without a realistic plan for DNS updates and renewal automation.
- Testing issuance once and never checking whether the same path still works months later.
Decision questions
Which challenge is easier for beginners?
Often HTTP-01 on a simple public website, because it avoids DNS automation.
Which one is better for long-term automation?
That depends on your environment, but DNS-01 is often more flexible when the web tier is not the right place for validation.
Do this locally (CLI)
Use these as conceptual starting points only after you decide which challenge method actually fits your environment.
# HTTP-01 style issuance (example shape)
certbot certonly --webroot -w /var/www/example -d example.com
# DNS-01 style issuance (example shape)
certbot certonly --manual --preferred-challenges dns -d '*.example.com' -d example.com
What to notice:
- Do not copy the DNS example directly into production without the right automation and provider-specific method.
- Wildcard certificates require DNS-01, even if HTTP-01 worked for a non-wildcard host.
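To make the "right challenge" decision checkable before you run certbot, here is an added pre-flight helper (not part of the original guide or of certbot) that works out, per identifier, which challenge types are allowed and exactly what the CA will look for: the HTTP-01 URL and body, and the DNS-01 record name and TXT value as defined in RFC 8555. The token and account-key thumbprint are constructed sample values; in a real issuance the token comes from the CA and the thumbprint from your own account key.

```python
import base64
import hashlib

# Constructed sample values, not real ACME data: a real token comes from the CA
# and the thumbprint is derived from your own account key.
SAMPLE_TOKEN = "tok-CONSTRUCTED-sample-value"
SAMPLE_THUMBPRINT = "thumb-CONSTRUCTED-sample-value"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, thumbprint: str) -> str:
    """token '.' base64url(JWK thumbprint of the ACME account key)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(key_auth: str) -> str:
    """DNS-01 TXT record data: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def challenge_expectations(domain: str, token: str, thumbprint: str) -> dict:
    """What the CA will look for, per challenge type, for one identifier."""
    key_auth = key_authorization(token, thumbprint)
    wildcard = domain.startswith("*.")
    base = domain[2:] if wildcard else domain
    out = {
        "allowed": ["dns-01"] if wildcard else ["http-01", "dns-01"],
        # The '*.' label is dropped: '*.example.com' and 'example.com' both
        # validate at _acme-challenge.example.com (two TXT records coexist).
        "dns-01": {"name": f"_acme-challenge.{base}", "txt": dns01_txt_value(key_auth)},
    }
    if not wildcard:  # HTTP-01 is never offered for a wildcard identifier
        out["http-01"] = {
            "url": f"http://{domain}/.well-known/acme-challenge/{token}",
            "body": key_auth,
        }
    return out


def validate_choice(domains, preferred: str) -> list:
    """Return the 'wrong turns' for a requested challenge; empty means OK."""
    problems = []
    for d in domains:
        if preferred not in challenge_expectations(d, "t", "p")["allowed"]:
            problems.append(f"{d}: {preferred} cannot validate a wildcard; use dns-01")
    return problems
```

Running `validate_choice(["*.example.com", "example.com"], "http-01")` reproduces the first wrong turn above, and comparing the computed TXT value against what `dig _acme-challenge.example.com TXT` returns is a quick way to tell a propagation delay from a wrong record.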
Developer workflow
Use this guide as an operations checklist before changing certificates, tokens, DNS, or deployment settings.
- Inspect the current artifact or endpoint output before making changes.
- Change one variable at a time so a failed verification has a narrow cause.
- Keep the rollback value, expiry, and verification command in the same runbook entry.
1. Current deployed artifact
2. Single config or key change
3. Verify endpoint/client behavior
4. Record rollback and expiry details