ANS Documentation

Improve This Doc
  • Cloud
  • Desktop and Office Solutions
  • Domains and DNS management
    • Domain Name Management
    • SafeDNS
    • SSL Certificates
      • Purchasing and Renewing
      • Generating A CSR (Certificate Sigining Request)
      • Validating your Certificate
      • ANS SSL Types
      • Self Signed Certificates
      • Using Server Name Indication (SNI)
      • Extended Validation Certificates
      • Generating a PFX file
      • Let’s Encrypt
    • Reverse DNS Records
  • Backup and High Availability
  • eCommerce Stacks
  • Security
  • Email
  • Monitoring and usage management
  • Networking
  • Operating systems
  • Webcelerator
  • MyUKFast
  • Home >
  • Domains and DNS management >
  • SSL Certificates >
  • Let’s Encrypt >
  • How Let's Encrypt Works

How Let’s Encrypt works¶

Let's Encrypt uses a 2 step process to issue a certificate:

  • Domain Validation, to prove you own the domain

  • The ability to issue, renew or revoke certificates thereafter

There a few distinct types of domain validation available, so you will need to first assess which method best suits your needs.

Warning

If your sites or services use our DDoSX/Webcel/WAF services you will not be able to use Let’s Encrypt certificates currently.

Types of challenges¶

HTTP-01¶

HTTP-01 validation is the most common type of SSL challenge method. This involves using an ACME client to communicate with Let's Encrypt by placing a file containing a unique token in the following directory on your website

<docroot>/.well-known/acme-challenge/<youruniquetoken>

This needs to be accessible over port 80 and cannot include a redirect to an IP address. This can validate up to 10 redirects deep, and does not care about HTTPS validation, so will allow for self-signed certificates along the way.

It is also easy to automate, which is why tools like certbot and AutoSSL among others are available to make use of this technology.

A limitation of this challenge is you cannot request wildcard certificates.

If you have multiple web servers, you have to make sure the file is available on all of them.

Note

You will need to ensure that your server has either port 80 open inbound/outbound, on both your firewall and your software firewall (eg. IPTables, firewalld, Plesk firewall, CSF). If having any issues, please do contact our support team.

DNS-01¶

The DNS-01 challenge method requires you to add a TXT record to prove domain ownership.

This can be useful if your service is not accessible over port 80, or if you have multiple web servers to cover. This challenge method also allows for you to issue wildcard certificates, along with CNAME challenge delegation

If using an API, such as our SafeDNS API, this is quick and easy to add and to automate.

Note

You should always factor in DNS propagation when using this challenge method,

TLS-ALPN-01¶

TLS-ALPN-01 challenges are currently not supported by certbot. This type of challenge uses HTTPS validation via TLS, but requires for the server to be using the ALPN protocol. As this is not very common currently, we would recommend you use HTTP-01 or DNS-01 as your challenge method.

Rate Limits¶

Let’s Encrypt has rate limits in-built to prevent abuse of the system. This may affect how and when you issue your certificates.

More information on these limits are at the following link: Let’s Encrypt Rate Limits

Next Article > ACME.sh

  • Useful Links
  • SMB
  • Enterprise
  • Channel
  • Public Sector
  • ANS Data Centres
  • About ANS
  • Careers
  • Blog
  • Get in touch
  •  
  • Sales 0800 458 4545
  • Support 0800 230 0032
  • Get in touch

© ANS Group Limited | Terms and Conditions | Corporate Guidance | Sitemap
ANS Group Limited, registered in England and Wales, company registration number 03176761, registered office 1 Archway, Birley Fields, Manchester M15 5QJ