HTTP approval requires you to publish a file on the website for
each hostname for which you want to obtain a certificate. For example, acquiring a
host.example.com may require publishing
a file at
The certificate authority fetches the file and only
issues a certificate if the correct file contents are found.
The file must be published under the
/.well-known/acme-challenge directories, which are reserved
by the Internet Assigned Numbers Authority for certificate approval.
If you configure
your web server to reverse proxy these two directories to SSLMate, SSLMate will automatically
publish the required files, allowing fully automated provisioning and renewal of certificates.
The file must be available over HTTP on port 80.
For standard certificates for hostnames starting with
www., the file must be available at the hostname formed by removing
HTTP redirects are not followed unless all of the following conditions are met:
- The redirect is to HTTPS (port 443) on the exact same hostname.
- The path does not change.
- The HTTP status code is 301, 302, 307, or 308.
If a redirect is followed to port 443, an SSL certificate must be present but it does not need to be valid.
HTTP approval is best if you're a SaaS provider or marketing agency who hosts websites on your customers' (sub-)domains. Once your customer points their (sub-)domain to your web server, you can use HTTP approval to obtain a certificate for the (sub-)domain, without your customer needing to respond to an email or publish an additional DNS record.
HTTP approval cannot be used to validate wildcard hostnames. You must use DNS or email instead.
To use HTTP approval, first configure your web server to
proxy the two directories to SSLMate.
Then, specify the
--approval=http flag when ordering a certificate
sslmate command, or set the
ordering a certificate with the REST API.
To change an existing certificate to use HTTP approval, run:
sslmate edit NAME --approval=http.