HTTP-01 vs DNS-01: Which Should You Use for TLS Validation?

FindMyTeam April 6, 2026

When certificate issuance fails, the real problem is often not "TLS" in the abstract.

It is the validation method.

The two validation paths most teams run into are HTTP-01 and DNS-01. Both prove domain control, but they fail for very different reasons and fit different environments.

The short answer

Use HTTP-01 when:

  • the domain already serves web traffic publicly
  • port 80 is reachable
  • you want the simplest normal-domain automation path

Use DNS-01 when:

  • you need wildcard certificates
  • the service is not publicly reachable on the web
  • multiple servers or proxy layers make HTTP token delivery awkward

What HTTP-01 does

HTTP-01 proves domain control by placing a token at a standard web path:

/.well-known/acme-challenge/...

The certificate authority fetches that token over HTTP to confirm that the requester controls the web property for the hostname.

This is why HTTP-01 is usually the easiest method for standard websites. If the application already serves public web traffic and your automation can write the challenge file correctly, the flow is straightforward.

What DNS-01 does

DNS-01 proves domain control by publishing a TXT record under _acme-challenge.<domain>.

The certificate authority queries DNS for that TXT value and checks whether it matches the expected token.

This is more operationally complex than HTTP-01, but it works in situations that HTTP-01 cannot handle well.

The most important differences

HTTP-01 requires web reachability

If the certificate authority cannot reach the expected token on the public web path, validation fails.

That means HTTP-01 is sensitive to:

  • blocked or unavailable port 80
  • reverse-proxy or CDN layers that do not pass the token through correctly
  • multi-server setups where some servers have the token and others do not
  • redirects or rewrites that interfere with the challenge path

DNS-01 depends on authoritative DNS control

DNS-01 avoids the web path entirely, but it depends on publishing the TXT record in the right authoritative DNS zone and waiting for that change to become visible where the CA checks.

That makes it sensitive to:

  • editing DNS at the wrong provider
  • propagation delay
  • incorrect _acme-challenge hostname placement
  • stale nameserver assumptions during migrations
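The following Python pre-flight check is an added example, not code from the original article: it computes the values a CA expects for each method (the RFC 8555 key authorization for HTTP-01 and its base64url SHA-256 digest for DNS-01) and compares them with what every backend and every authoritative nameserver actually returns, so the multi-server and wrong-nameserver failures listed above surface before issuance is attempted. The token, account thumbprint and observed responses are constructed sample data; in real use the observations come from fetching each backend and querying each authoritative nameserver directly.

```python
"""ACME HTTP-01 / DNS-01 pre-flight check (added example, RFC 8555 8.3 and 8.4).

Observations are passed in as plain data so the check runs offline; the
sample token, thumbprint and responses below are constructed.
"""
from __future__ import annotations

import base64
import hashlib


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_thumbprint: str) -> str:
    """HTTP-01 body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{account_thumbprint}"


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """DNS-01 TXT value at _acme-challenge.<domain>: base64url(SHA-256(key auth))."""
    digest = hashlib.sha256(key_authorization(token, account_thumbprint).encode()).digest()
    return b64url(digest)


def check_http01(token: str, thumbprint: str, observed: dict[str, str | None]) -> list[str]:
    """observed maps backend -> body fetched from the challenge path (None if
    unreachable). Returns backends that would fail; every one must pass,
    because the CA's request may land on any of them."""
    expected = key_authorization(token, thumbprint)
    # RFC 8555 lets the CA ignore trailing whitespace in the body, nothing else.
    return sorted(b for b, body in observed.items() if body is None or body.rstrip() != expected)


def check_dns01(token: str, thumbprint: str, observed: dict[str, list[str]]) -> list[str]:
    """observed maps authoritative nameserver -> TXT strings it returns for
    _acme-challenge.<domain>. Returns nameservers missing the expected value."""
    expected = dns01_txt_value(token, thumbprint)
    return sorted(ns for ns, txts in observed.items() if expected not in txts)


if __name__ == "__main__":
    token, thumb = "constructed-token-0123", "constructed-account-thumbprint"
    body = key_authorization(token, thumb)
    # Constructed scenario: web2 still serves an old token, ns2 never got the TXT record.
    print("HTTP-01 failing backends:", check_http01(token, thumb, {"web1": body + "\n", "web2": "old.token"}))
    print("DNS-01 failing nameservers:", check_dns01(token, thumb, {"ns1": [dns01_txt_value(token, thumb)], "ns2": []}))
```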

Wildcard support is the biggest fork in the road

If you need a wildcard certificate, DNS-01 is usually the answer.

HTTP-01 is not the right path for wildcard issuance.

That single limitation is enough to decide the method for many teams.

When HTTP-01 is the better choice

HTTP-01 is usually better when:

  • the hostname is already a public website
  • you do not need a wildcard
  • the validation token can be written by the same system that serves the site
  • the environment is simple enough that the challenge file reaches every active server

In other words, HTTP-01 is often the best fit for normal web apps with predictable deployment and direct web serving.

When DNS-01 is the better choice

DNS-01 is usually better when:

  • you need wildcard coverage
  • the service is internal or not publicly reachable over HTTP
  • traffic is fronted by layers that make HTTP challenge delivery brittle
  • you want validation that is independent of the running web path

It is also often the safer choice when infrastructure is spread across multiple web servers or regions and synchronizing a challenge file everywhere is more fragile than publishing one DNS record.

The security tradeoff most people miss

DNS-01 often requires API-based DNS automation.

That is powerful, but it means your automation needs credentials that can modify DNS. If those credentials are broad and live on a web server, the blast radius can be much larger than with an HTTP-01 setup, where the web server only needs to write a file it already serves.

So the method choice is not just about convenience. It also affects credential exposure.

Why this matters for domain lookup

A domain lookup helps you answer the setup questions that usually decide which validation method will behave better:

  • Which nameservers are authoritative?
  • Is the hostname behind a reverse proxy or CDN?
  • Is the domain using CAA that could block issuance?
  • Is the DNS layer changing during a migration?

Those signals do not issue the certificate by themselves, but they explain why one validation path is more fragile than another.

A practical decision rule

Choose HTTP-01 if:

  • the hostname already serves public traffic
  • port 80 is available
  • you only need normal hostnames
  • your web path is simple and stable

Choose DNS-01 if:

  • you need a wildcard
  • the service is internal or heavily abstracted behind delivery layers
  • the web tier is too indirect to trust for token delivery
  • you can safely automate DNS updates

Common mistakes

"HTTP-01 is always easier"

Only in straightforward web setups.

Once proxies, CDNs, multiple servers, or unusual rewrites are involved, HTTP-01 can become the more fragile option.

"DNS-01 is always better"

Not necessarily.

It adds DNS automation, propagation timing, and credential-management complexity that many teams underestimate.

"If the site loads, HTTP-01 should work"

Not always.

A site can load normally while the validation path is blocked, rewritten, cached incorrectly, or served by the wrong backend.

FAQ

Which validation method should most normal websites use?

Usually HTTP-01, if the site is public, port 80 works, and no wildcard certificate is needed.

When is DNS-01 the better choice?

When you need wildcard certificates, when the site is not directly reachable over HTTP, or when the web delivery path is too indirect for reliable token handling.

Can I use HTTP-01 for wildcard certificates?

No. Wildcard issuance normally pushes you toward DNS-01.

Why does DNS-01 feel slower?

Because it depends on DNS changes becoming visible at the authoritative layer and at the resolvers or vantage points used during validation.
