A gentle introduction to ACME & HTTP-01
How Let's Encrypt verifies domain control — no vendor agent required.
ACME (Automatic Certificate Management Environment, RFC 8555) is the standard protocol that certificate authorities like Let's Encrypt use to confirm you control a domain name before issuing a certificate for it. Unlike traditional SSL purchase flows that required email validation or DNS record copy-pasting, ACME automates the entire process, which is why free CAs like Let's Encrypt, ZeroSSL, and Buypass can issue and renew millions of certificates daily.
With the HTTP-01 challenge type, you publish a one-time challenge response (a token chosen by the CA, combined with a fingerprint of your ACME account key) at a predictable URL on port 80. The CA fetches that URL, checks the response, and once every name in the request has been validated it issues a certificate you install on your HTTPS listener. Because HTTP-01 uses an ordinary HTTP request, it works on almost any hosting environment (shared hosting, VPS, dedicated servers, and many container platforms) as long as port 80 is reachable from the public internet.
Why HTTP-01 instead of DNS-01?
DNS-01 requires you to add a TXT record (at _acme-challenge.yourdomain) to your domain's DNS zone. That's more flexible (it is the only challenge type that works for wildcard certificates) but slower, because the CA has to wait for the record to become visible, and harder to automate on DNS providers without an API. HTTP-01 is faster and simpler, and works immediately if your web server is already answering on port 80.
What the CA actually does:
Let's Encrypt constructs the well-known URL like this:
http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>
It then expects the response body to be the key authorization: the token, a dot, and the base64url-encoded SHA-256 thumbprint of your ACME account's public key (RFC 7638). Only the holder of that account key can publish the right value, so a match authorizes the name. Let's Encrypt fetches it from several network vantage points, and the check usually completes within a few seconds.
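The computation above, written out as an added example (this is not ManageMyCert's code): the client-side key authorization, the CA-side token generation and comparison, and the one check every ACME client must do before it turns a token into a file name. It uses only the Python standard library; the account key is a constructed sample whose coordinates are byte patterns rather than a real curve point, which does not matter for a thumbprint.

```python
"""HTTP-01 key authorization: what the client publishes and what the CA checks.

Added example, not ManageMyCert's code. Implements RFC 8555 section 8.1 and
RFC 7638 with the standard library only.
"""
import base64
import hashlib
import json
import re
import secrets

# Tokens are base64url (RFC 8555 section 8.3). A client must insist on that before
# using the token as a file name, or a hostile or buggy CA could steer the write
# outside /.well-known/acme-challenge/ with something like "../../.ssh/authorized_keys".
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Members that go into the thumbprint, per key type (RFC 7638 section 3.2).
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, serialised with
    lexicographically sorted keys and no whitespace. Extra members such as
    "kid", "alg" or "use" do not change the result."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_token() -> str:
    """CA side: a fresh token with 256 bits of entropy (43 base64url characters)."""
    return b64url(secrets.token_bytes(32))


def is_safe_token(token: str) -> bool:
    """Client side: reject anything that is not plain base64url."""
    return bool(TOKEN_RE.match(token))


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side: the exact bytes to publish at the challenge URL."""
    if not is_safe_token(token):
        raise ValueError("refusing token that is not base64url: %r" % token)
    return token + "." + jwk_thumbprint(account_jwk)


def challenge_url(domain: str, token: str) -> str:
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)


def ca_validates(fetched_body: bytes, token: str, account_jwk: dict) -> bool:
    """CA side: compare what was fetched with the expected key authorization.
    Trailing whitespace is tolerated (a trailing newline is common); anything
    else, including an HTML error page, must fail."""
    try:
        text = fetched_body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.rstrip() == key_authorization(token, account_jwk)


# Constructed sample account key: byte patterns, not a real P-256 point.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/123",  # sample; not part of the thumbprint
}

if __name__ == "__main__":
    token = new_token()
    body = key_authorization(token, SAMPLE_ACCOUNT_JWK)
    print("publish at", challenge_url("example.com", token))
    print("with body ", body)
    print("CA accepts:", ca_validates((body + "\n").encode(), token, SAMPLE_ACCOUNT_JWK))
```

The thumbprint is why the file contents, not just the file's existence, matter: anyone can create a file at a predictable URL on a shared host, but only the ACME account that requested the certificate can produce a body that matches its own key.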
ManageMyCert asks for your webroot — the folder your web server serves for http://your-domain/.well-known/acme-challenge/. When it's time to renew, we write the challenge file there over SSH, complete the ACME handshake, and place the renewed certificate exactly where you specified. You never need to install a Let's Encrypt agent, Certbot, or any vendor-specific tool on your server. Only SSH access and a webroot path are required.
Typical webroot locations by server type:
- Apache (Debian/Ubuntu): /var/www/html or /var/www/yourdomain/public
- Nginx: /usr/share/nginx/html or /var/www/yourdomain
- OpenLiteSpeed: /usr/local/lsws/Example/html
- CWP: /home/username/public_html; VestaCP / HestiaCP: /home/username/web/yourdomain/public_html
- Plesk: /var/www/vhosts/yourdomain/httpdocs
If you're unsure, create a test file like test.html and visit http://yourdomain/test.html — the folder containing that file is your webroot.
Multi-server setups follow the same pattern: the HTTP-01 challenge runs against the first SSH target (or your primary SSH credentials), then we distribute the issued certificate to every additional server you've configured. This suits load-balanced environments, blue-green deployments, or setups where your SSL terminator sits on a different machine than your application server. One thing to check first: the CA's request for http://yourdomain/.well-known/acme-challenge/ must reach the server where the file was written, so behind a load balancer either route that path to the primary server or serve it from storage shared by all backends.
What happens during renewal (step by step):
1. ManageMyCert connects via SSH to your primary server.
2. It writes the challenge file into .well-known/acme-challenge/ under your webroot. The file name is the token the CA supplied for this challenge and the contents are the matching key authorization; every issuance gets a fresh token.
3. It tells Let's Encrypt that the challenge is ready to be checked.
4. Let's Encrypt performs the HTTP-01 fetch over public internet.
5. On success, the CA issues a new certificate for the CSR it was given (your existing private key or a freshly generated one, your choice).
6. ManageMyCert downloads the issued certificate chain from the CA. The private key is never sent to or received from the CA; the CA only ever sees the CSR.
7. It then uploads and replaces the certificate on every server you listed (web servers, load balancers, reverse proxies).
8. Optionally, it reloads or restarts the web service automatically.
The entire renewal normally finishes in under 10 seconds.
HTTP-01 limitations you should know:
- Does NOT work for wildcard certificates (*.example.com). Use DNS-01 for wildcards.
- Requires port 80 to be publicly accessible from the internet. Firewalls, cloud security groups, or office VPNs can block this.
- Your web server must serve /.well-known/acme-challenge/ over plain HTTP, or redirect it to a URL that still serves the file. Let's Encrypt follows HTTP redirects (301 and 302, including to HTTPS), but a blanket redirect to a login page, a catch-all application route, or another host that does not have the file will fail validation.
- Works only for the exact domain names you specify (no automatic subdomain discovery).
Troubleshooting common HTTP-01 failures:
❌ "Connection refused" → Port 80 is closed or nothing is listening on it.
❌ "404 Not Found" → Wrong webroot path, a missing .well-known/acme-challenge/ directory, or the request landed on a different backend than the one the file was written to.
❌ "403 Forbidden" → The web server blocks dot-directories (the common nginx rule "location ~ /\. { deny all; }" also matches /.well-known/) or the challenge file is not readable by the web server user.
❌ "Timeout" → A firewall silently dropping port 80, or DNS pointing somewhere else. A frequent cause is an AAAA record for a host that does not answer on IPv6, because Let's Encrypt prefers IPv6 when one is published.
❌ "Unauthorized" / key authorization did not match → The file contents differ from what the CA expects: a stale file from an earlier attempt, a different account key, or a permissions or race condition during the write.
✅ Fix: SSH into your server, create .well-known/acme-challenge/test.txt under the webroot, and fetch http://yourdomain/.well-known/acme-challenge/test.txt from a machine outside your network (curl -v is more reliable than a browser, which may quietly upgrade the request to HTTPS). If that returns the file, ManageMyCert will work too.
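An nginx server block that avoids the 403 and redirect failures above, added here as an example (it is not ManageMyCert's configuration, and the domain and webroot path are assumptions). The important detail is the ^~ modifier: nginx evaluates regular-expression locations before plain prefixes, so without it the dot-directory deny rule would win and every challenge request would get a 403.

```nginx
# Serve ACME challenges from the webroot even when the rest of the site
# redirects to HTTPS or denies dot-directories. Paths are assumptions for the example.
server {
    listen 80;
    listen [::]:80;             # if you publish an AAAA record, port 80 must answer on IPv6 too
    server_name myapp.com www.myapp.com;

    # "^~" stops regex matching, so the dot-directory rule below cannot shadow this.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/myapp/public;
        default_type text/plain;
        try_files $uri =404;
    }

    # Common hardening rule that silently breaks HTTP-01 (403) when it is evaluated first.
    location ~ /\. {
        deny all;
    }

    # Everything else goes to HTTPS. Let's Encrypt follows this redirect, but the
    # HTTPS server block must then serve the same challenge path or validation fails.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After changing the configuration, run nginx -t and reload, then repeat the test.txt fetch from outside your network.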
Security notes (important):
- ManageMyCert never stores your private keys on its own servers unless you explicitly opt in.
- Challenge files are random per issuance and expire within minutes.
- SSH credentials are encrypted before storage using per-user keys.
- You can restrict ManageMyCert's SSH user to writing only into .well-known/acme-challenge/ and the certificate target directories by pinning its key in authorized_keys to a forced command (rrsync for rsync-based transfer, or a small wrapper script) together with the no-pty, no-port-forwarding and no-agent-forwarding options; the web service reload then needs a single sudoers rule rather than root access.
- For high-security environments, rotate the deploy key periodically and remove it from authorized_keys as soon as the integration is retired.
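A forced-command wrapper of the kind the note above describes, as an added example (not ManageMyCert's tooling). sshd runs it for every login with the pinned key and hands the requested command over in SSH_ORIGINAL_COMMAND; the wrapper accepts only "put <path>" with the file body on stdin and "reload", and only for plain file names directly inside the two directories a renewal needs. The subcommand names, the two directories and the nginx reload are assumptions chosen for the example.

```python
#!/usr/bin/env python3
"""Forced-command wrapper for a least-privilege ACME deploy user.

Added example, not ManageMyCert's code. Install it by pinning the deploy key:

  command="/usr/local/bin/acme-deploy-wrapper.py",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... managemycert

The subcommands ("put <path>" with the body on stdin, "reload") and the
directory layout below are assumptions for this example.
"""
import os
import re
import subprocess
import sys
from pathlib import PurePosixPath

# directory -> mode for files written there (assumed layout)
ALLOWED = {
    "/var/www/myapp/public/.well-known/acme-challenge": 0o644,  # web server must read it
    "/etc/ssl/myapp": 0o600,                                   # private key and chain
}

# Plain file names only: no leading dot (so no .htaccess), no "." or "..", no slashes.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]*$")


def allowed_target(path: str):
    """Return (directory, mode) when path names a file directly inside an allowed
    directory, else None. PurePosixPath does not collapse "..", so a parent of
    "/etc/ssl/myapp/../../etc" is simply not in ALLOWED."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return None
    if not SAFE_NAME.match(p.name):
        return None
    parent = str(p.parent)
    if parent not in ALLOWED:
        return None
    return parent, ALLOWED[parent]


def parse_command(original: str):
    """Validate SSH_ORIGINAL_COMMAND; return ("reload",), ("put", path, mode) or None."""
    parts = original.split()
    if parts == ["reload"]:
        return ("reload",)
    if len(parts) == 2 and parts[0] == "put":
        target = allowed_target(parts[1])
        if target:
            return ("put", parts[1], target[1])
    return None


def main() -> int:
    cmd = parse_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if cmd is None:
        print("denied", file=sys.stderr)
        return 1
    if cmd[0] == "reload":
        # Needs a matching sudoers line, e.g.:
        #   deploy ALL=(root) NOPASSWD: /bin/systemctl reload nginx
        return subprocess.call(["sudo", "-n", "/bin/systemctl", "reload", "nginx"])
    _, path, mode = cmd
    # O_NOFOLLOW refuses to write through a symlink someone planted in the target directory.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(sys.stdin.buffer.read())
    os.chmod(path, mode)  # the mode passed to open is masked by umask; enforce it
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With this in place, a leaked deploy key can overwrite a challenge file or a certificate file and trigger a reload, but cannot read existing files, run other commands, open a shell, or write anywhere else on the host.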
Comparison: HTTP-01 vs DNS-01 vs TLS-ALPN-01
HTTP-01 → No DNS changes, fast, no wildcards, port 80 required.
DNS-01 → Works with wildcards, slower, needs DNS API, no open port required.
TLS-ALPN-01 → No port 80 needed, validates on port 443 through a special TLS handshake (the acme-tls/1 ALPN protocol), which your TLS terminator has to support explicitly, so it is rarely used.
For 95% of non-wildcard use cases, HTTP-01 is the right choice.
Frequently asked questions (short answers):
Q: Can I use HTTP-01 with a CDN like Cloudflare?
A: Usually, yes. Let's Encrypt follows redirects, so a proxied record passes validation as long as Cloudflare forwards http://yourdomain/.well-known/acme-challenge/ to your origin unchanged. If a page rule, bot protection or caching on that path gets in the way, temporarily disable proxying for the record (orange cloud to grey cloud) during the renewal, or switch that domain to DNS-01.
Q: What if my site is fully HTTPS with HSTS preload?
A: Yes. HSTS is an instruction to browsers; the CA's validator is not a browser, so it still connects over plain HTTP on port 80. If your server answers with a redirect to HTTPS, Let's Encrypt follows it, and the HTTPS side must then serve the challenge file. HSTS and preload do not otherwise affect the check.
Q: Does ManageMyCert support HTTP-01 on IIS (Windows)?
A: Yes, as long as IIS serves the webroot path over HTTP on port 80 and the server is reachable over SSH (the OpenSSH Server feature built into Windows) or over WinRM.
Q: How often does renewal happen?
A: Let's Encrypt certificates last 90 days. ManageMyCert tries renewal starting at 60 days, then daily until success.
Q: Can I test without affecting production?
A: Yes. Use Let's Encrypt's staging environment: it runs the same validation, has much higher rate limits than production, and issues certificates from a test root that browsers do not trust, so nothing it issues can end up in front of users.
Real-world example: a typical PHP application
Your app runs at /var/www/myapp/public (Laravel, WordPress, Symfony).
Webroot = /var/www/myapp/public.
ManageMyCert writes to /var/www/myapp/public/.well-known/acme-challenge/.
Because the challenge folder is inside your app's public root, usually no additional routing is needed: the stock Laravel and WordPress rewrite rules send a request to index.php only when the requested file does not exist, so the static challenge file is served as-is. The CA fetches http://myapp.com/.well-known/acme-challenge/xyz, your web server serves it directly, and validation succeeds. Check this first if you use custom rewrite rules that route every request to the application, or a web server configuration that denies dot-directories.
Ready to automate?
ManageMyCert turns the multi-step ACME HTTP-01 dance into a simple form: webroot, SSH host, certificate path. No ACME client to install. No local agent. Just pure SSH + automation. For renewal, it happens before your certificate expires — silently, securely, and without any downtime.