HTTP-01 Challenge

This guide explains how to get and renew a certificate with the HTTP-01 challenge.

Note

The examples require that the lego binary has permission to bind to port 80.
If your environment does not allow you to bind to this port, please read Running without root privileges and Port Usage.

Using the built-in web server

Execute the following command:

lego run -d 'example.com' --http

Create a .lego.yml file with the following content:

certificates:
  foo:
    challenge: http-01
    domains:
      - example.com

And execute:

lego

Using an existing, running web server

If you have an existing server running on port 80, the --http option also requires the --http.webroot option. In this mode lego does not start a server: it only writes the HTTP-01 challenge token file into the .well-known/acme-challenge folder of the given directory.

The given directory must be publicly served as / on the domain(s) for the validation to complete.

If the given directory is not served as /, your web server has to rewrite requests for /.well-known/acme-challenge/ so that they are answered from the .well-known/acme-challenge folder inside the given directory.

With that in place, you can keep the existing web server on port 80 and have lego write the token file (containing the HTTP-01 key authorization) to <webroot dir>/.well-known/acme-challenge/.

Execute the following command:

lego run --http --http.webroot /path/to/webroot --domains example.com

Create a .lego.yml file with the following content:

challenges:
  mychallenge:
    http:
      webroot: /tmp/webroot

certificates:
  foo:
    challenge: mychallenge
    domains:
      - example.com

And execute:

lego
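The rewrite described above, as an added example that is not part of lego or its documentation: a Go handler that answers /.well-known/acme-challenge/<token> from the webroot directory lego writes into and passes every other request to the existing site handler. The webroot path and the use of Go's standard library file server for the rest of the site are assumptions; token names are checked against the base64url alphabet before any file is read, so a request path cannot reach outside the challenge folder.

```go
package main

import (
	"net/http"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

const challengePrefix = "/.well-known/acme-challenge/"

// ACME tokens are base64url without padding; anything else (slashes, "..",
// percent-decoded junk) is rejected before the filesystem is touched.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)

// ChallengeHandler serves the files lego drops into
// <webroot>/.well-known/acme-challenge/ and forwards all other requests to next.
func ChallengeHandler(webroot string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, challengePrefix) {
			next.ServeHTTP(w, r)
			return
		}
		token := strings.TrimPrefix(r.URL.Path, challengePrefix)
		if !tokenRe.MatchString(token) {
			http.NotFound(w, r)
			return
		}
		// The file lego wrote is named after the token and holds the key authorization.
		data, err := os.ReadFile(filepath.Join(webroot, ".well-known", "acme-challenge", token))
		if err != nil {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write(data)
	})
}

func main() {
	webroot := "/path/to/webroot" // assumed: the directory passed to --http.webroot
	site := http.FileServer(http.Dir(webroot))
	http.ListenAndServe(":80", ChallengeHandler(webroot, site))
}
```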