Need to confirm http validation challenge using www

My current certificate provider fails the HTTP challenge because they only check the domain root and cannot check https://www.(domainname).com for the file; they ONLY check http://(domainname).com.
Some users have www. in their posts, and no one seems to say that it's invalid. But before I switch to Let's Encrypt I need to know if this works.

Sorry if this is a stupid question.

Hi @barry_at_uplifter,

Let me restate your question to make sure I’m understanding correctly. You have a domain example.com and you want to get a certificate for only www.example.com and have the CA validate ownership of that domain by only sending an HTTP challenge request to a path on www.example.com?

If my understanding is correct this will work with Let’s Encrypt.

If you wanted a certificate for both www.example.com and example.com then Let’s Encrypt will send a challenge request for both domains which it sounds like may cause you the trouble you’re trying to avoid.

In general Let’s Encrypt makes you demonstrate control of all of the domains you want the certificate to cover. If you aren’t able to do that for some domains you will have to fix the problem that prevents it, or omit them from the certificate (in which case users that see that certificate for the omitted domain name will get an error about a hostname mismatch).

Hope that helps,

OK, that sounds right.
The certificates are for www.example.com, and the apex records redirect to www at the DNS.

Like I said, the current issuer says they will ONLY check example.com and ignore www.example.com even though the certificate is for www.example.com.

Barry


Understood. Then it sounds like you'll be happier with Let's Encrypt :slight_smile:

However, if you can’t post things at example.com itself, you won’t be able to get a Let’s Encrypt certificate that covers example.com without the www (but maybe that’s OK for you).

Basically, Let’s Encrypt lets you get certificates that cover any domain name or subdomain, as long as you can prove your control of that exact name. If you can affect www.example.com, you can get a certificate that covers that; if you can affect example.com, you can get a certificate that covers that. If you can affect deep.low-level.subdomain.example.com, you can get a certificate that covers that.

With Let’s Encrypt, the registrant of example.com can prevent issuance for subdomains by blacklisting issuance, for example with the CAA policy mechanism, but currently cannot cause or request issuance for subdomains merely by proving control of example.com at the top level.
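To make the per-name rule above concrete, here is an added example (my own code, not from Let's Encrypt or anyone in this thread) that mimics a CA's HTTP-01 check: it builds the key authorization the CA expects at /.well-known/acme-challenge/<token> and then checks each requested name on that exact host, so an order for www.example.com alone passes while adding example.com fails on the apex. The account key, token and served files are constructed stand-ins, and fake_fetch replaces a real HTTP fetch.

```python
import base64
import hashlib
import json

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_order(names, token, account_jwk, fetch):
    """Mimic the CA: each name is checked on its own host; no name vouches for another.
    fetch(host, path) returns the response body as str, or None if nothing is served."""
    expected = key_authorization(token, account_jwk)
    return {name: (fetch(name, CHALLENGE_PATH + token) or "").strip() == expected for name in names}


# Constructed sample data: not a real key, token or deployment.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
TOKEN = "constructed_token_0123"

# The requester controls www.example.com; the apex (example.com) serves nothing at the path.
SERVED = {"www.example.com": {CHALLENGE_PATH + TOKEN: key_authorization(TOKEN, ACCOUNT_JWK)}}


def fake_fetch(host: str, path: str):
    """Stand-in for an HTTP GET against the named host (assumption: no redirects)."""
    return SERVED.get(host, {}).get(path)


def www_only():
    return validate_order(["www.example.com"], TOKEN, ACCOUNT_JWK, fake_fetch)


def www_and_apex():
    return validate_order(["www.example.com", "example.com"], TOKEN, ACCOUNT_JWK, fake_fetch)
```

Run www_only() to see {'www.example.com': True}, and www_and_apex() to see the apex entry come back False, which is the order that would fail for the situation described in this thread.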
