Cert renewal via Let's Encrypt: HTTP-01 or DNS-01 challenge, no idea which is better
HTTP-01 is simple but requires a public port 80 on the origin. DNS-01 works anywhere (behind firewalls, for wildcards, for split-horizon), but requires DNS API access. For wildcard certs DNS-01 is mandatory.
Try this first
1. For a single host with public port 80: HTTP-01 is simplest; certbot or acme.sh handles it in 30 seconds.
2. For a wildcard (*.vectel.nl) or a cert behind a firewall without public port 80: DNS-01 is mandatory.
3. For DNS-01 you need a DNS host with an API: Cloudflare, Route 53, deSEC, DigitalOcean, or a DNS provider with an ACME DNS-01 plugin.
4. Create an API token scoped to TXT-record write on your zone, not a full-access account token. Store it in a secrets manager, not hardcoded.
5. For multi-host setups: have one machine pull certs via DNS-01 and distribute them, or use a central ACME relay (smallstep CA, step-ca).
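What the two challenge types actually publish is the root of the trade-off above: HTTP-01 serves the key authorization verbatim on port 80, while DNS-01 publishes only a SHA-256 digest of it in a TXT record at the base name, which is why it works behind firewalls and for wildcards. The following is an added example derived from RFC 8555 and RFC 7638, not code from this page, certbot or acme.sh; the JWK and token are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample account key and challenge token (not a real ACME account).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 7638: only these members take part in the thumbprint, sorted by name.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Required members only, lexicographically sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' account-key thumbprint."""
    return f"{token}.{thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """Path the CA fetches on port 80 of the origin, and the exact body it expects."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """TXT record name and value; a wildcard is validated at its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    print("HTTP-01:", *http01_response(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01: ", *dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Note that the TXT value never exposes the key authorization itself, and that the same record name serves both `example.com` and `*.example.com`, so a token scoped to TXT writes on that zone is all the DNS-01 client needs.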
When to bring us in
If you have distributed infrastructure with multiple certs and no automation, we can set up DNS-01 with acme.sh or cert-manager.
See also
- Domain expires tomorrow and nobody saw the email: An expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renew: Disabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find it: The EPP code or transfer code is the password to move a domain from registrar A to B.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.