
HTTP Approval

HTTP approval requires you to publish a file on the website for each hostname for which you want to obtain a certificate. For example, acquiring a certificate for host.example.com may require publishing a file at http://host.example.com/.well-known/pki-validation/d41d8cd98f00b204e9800998ecf8427e.txt. The certificate authority fetches the file and only issues a certificate if the correct file contents are found.

The file must be published under the /.well-known/pki-validation or /.well-known/acme-challenge directories, which are reserved by the Internet Assigned Numbers Authority for certificate approval. If you configure your web server to reverse proxy these two directories to SSLMate, SSLMate will automatically publish the required files, allowing fully automated provisioning and renewal of certificates.

The file must be available over HTTP on port 80. For standard certificates for hostnames starting with www., the file must be available at the hostname formed by removing the www. prefix. HTTP redirects are not followed unless all of the following conditions are met:

  • The redirect is to HTTPS (port 443) on the exact same hostname.
  • The path does not change.
  • The HTTP status code is 301, 302, 307, or 308.

If a redirect is followed to port 443, an SSL certificate must be present but it does not need to be valid.
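The redirect rules above can be turned into a pre-flight check for your own web server configuration. The following Python sketch is an added example, not SSLMate's code: the function names are hypothetical, the sample responses are constructed, and resolving a relative Location header and comparing only the path component are assumptions.

```python
from urllib.parse import urljoin, urlsplit

FOLLOWED_STATUS = {301, 302, 307, 308}  # the status codes the page lists
RESERVED_DIRS = ("/.well-known/pki-validation/", "/.well-known/acme-challenge/")
PATH = "/.well-known/pki-validation/d41d8cd98f00b204e9800998ecf8427e.txt"
URL = "http://host.example.com" + PATH  # the page's example URL


def validation_host(hostname):
    """Hostname the file is fetched from: a leading 'www.' is removed
    (the page states this for standard certificates)."""
    host = hostname.lower()
    return host[4:] if host.startswith("www.") else host


def redirect_followed(request_url, status, location):
    """Return (followed, reason) for one redirect answer to a validation fetch."""
    src = urlsplit(request_url)
    if src.scheme != "http" or src.port not in (None, 80):
        return False, "validation fetch must be plain HTTP on port 80"
    if not src.path.startswith(RESERVED_DIRS):
        return False, "path is outside the reserved .well-known directories"
    if status not in FOLLOWED_STATUS:
        return False, f"status {status} is not 301, 302, 307 or 308"
    # Assumption: a relative Location is resolved against the request URL.
    dst = urlsplit(urljoin(request_url, location or ""))
    if dst.scheme != "https" or dst.port not in (None, 443):
        return False, "target is not HTTPS on port 443"
    if dst.hostname != src.hostname:  # urlsplit lower-cases hostnames
        return False, "hostname changes"
    if dst.path != src.path:  # assumption: compare the path component only
        return False, "path changes"
    return True, "redirect meets all three conditions"


# Constructed redirect responses (status, Location) for the page's example URL.
SAMPLES = [
    (301, "https://host.example.com" + PATH),
    (302, "https://www.host.example.com" + PATH),
    (308, "https://host.example.com/validation.txt"),
    (303, "https://host.example.com" + PATH),
    (307, "https://host.example.com:8443" + PATH),
    (301, PATH),  # relative: stays on http, so it is not a redirect to HTTPS
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        print(status, location, "->", redirect_followed(URL, status, location))
```

Only the first constructed response would be followed; a common cause of the second case is a blanket redirect from the bare hostname to a www. hostname that also catches the /.well-known/ directories.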

HTTP approval is best if you're a SaaS provider or marketing agency that hosts websites on your customers' (sub-)domains. Once your customer points their (sub-)domain to your web server, you can use HTTP approval to obtain a certificate for the (sub-)domain, without your customer needing to respond to an email or publish an additional DNS record.

HTTP approval cannot be used to validate wildcard hostnames. You must use DNS or email instead.

To use HTTP approval, first configure your web server to proxy the two directories to SSLMate. Then, specify the --approval=http flag when ordering a certificate with the sslmate command, or set the approval field to http when ordering a certificate with the REST API.

To change an existing certificate to use HTTP approval, run: sslmate edit NAME --approval=http.