Apr 11, 2026 · Written by: Netspare Team
TLS Certificates in 2026: ACME, HTTP-01, DNS-01, and Wildcard Domains
Automated certificate authorities such as Let’s Encrypt use ACME challenges to prove you control the domain. HTTP-01 is simple behind a single web server; DNS-01 unlocks wildcards and origins hidden from the public web.
Renewal is not magic—firewall changes, CDN “orange cloud” modes, and stale credentials break automation silently until users see browser warnings.
HTTP-01: how it works and fails
The CA asks your ACME client to serve a random token at `http://<domain>/.well-known/acme-challenge/...`. Any reverse proxy must forward that path to the machine running the client.
If only HTTPS is exposed or WAF rules block the path, validation fails—test with curl from the public internet.
DNS-01: wildcards and internal names
DNS-01 requires a TXT record at `_acme-challenge.<domain>`. It suits wildcard certificates and split-horizon setups where HTTP cannot reach the origin.
You must protect API keys for DNS providers; leaked tokens are full domain takeover vectors.
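Both challenges above are built on the same ACME key authorization, so when validation fails it helps to compute offline what the client should have published. The following added example (not Netspare's or any ACME client's code; the account key and token are constructed sample values) derives the HTTP-01 URL and response body and the DNS-01 TXT record for a wildcard name per RFC 8555 and RFC 7638.

```python
"""ACME (RFC 8555) challenge material, computed offline. Added example,
not Netspare's or any ACME client's code; key and token are constructed."""
import base64
import hashlib
import json
import re

# Constructed public half of an ACME account key (P-256); dummy values.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "WbbXwz1hXGDb5ubKB2vGpqgS2ml9bHl3kuhrxuGHaF4",
    "y": "k1ZGzXj7u5wI5vGpJjc1uBSnAjcRZVEiIxmVc6Vj9Vo",
}
# RFC 7638: hash only the required public members, sorted, no whitespace.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # ACME tokens are base64url only

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    picked = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(picked, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account public key)."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("malformed ACME token: refuse to place it in a URL or DNS")
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_response(domain: str, token: str, jwk: dict) -> tuple:
    """(URL the CA fetches over plain HTTP, exact body to serve there)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)

def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """(TXT name, value). The '*.' label is dropped: *.example.com is
    validated at _acme-challenge.example.com, same as the bare name."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)

if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # sample token
    print(http01_response("example.com", token, ACCOUNT_JWK))
    print(dns01_record("*.example.com", token, ACCOUNT_JWK))
```

Compare the printed body with what curl returns from the public internet for the HTTP-01 URL, and the TXT value with a `dig TXT _acme-challenge.<domain>` answer from an external resolver; a mismatch points at the proxy or DNS layer rather than at the CA.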
Renewal windows and monitoring
- Let’s Encrypt certificates are valid for 90 days by design; automate renewal rather than relying on manual calendar reminders.
- Alert on cert expiry at 14/7/1 days as a backstop even if automation exists.
- After migrating CDN or proxy, rerun a forced renewal in staging.
Cipher suites and protocol versions
Disable TLS 1.0/1.1 for public sites; keep TLS 1.2+ with modern AEAD ciphers. Test with SSL Labs or `openssl s_client` after changes.
HTTP/2 and HTTP/3 have their own ALPN requirements, so certificate problems can surface as protocol downgrade errors rather than as obvious certificate warnings.
Frequently asked questions
Can I get a certificate for an IP address from Let’s Encrypt?
Why did renewal work on server A but not B?