When SaaS Custom Domains issues TLS/SSL certificates for your custom domains, our servers validate that you control the domain names in that certificate using "challenges", as defined by the ACME standard.
Basically, "Challenge" is nothing more than a way for people to prove the ownership of a domain. We won't go into detail about technical implementation, but if you'd like to know more please read this article about challenge types by Let's Encrypt.
In SaaS Custom Domains, you can use HTTP-01 or DNS-01 challenge. Both have their pros and cons. Let us dig deeper into both to learn which one will work best for you.
HTTP-01 challenge
This is the default and most commonly used challenge when creating a custom domain on our platform. It works by pointing the custom domain to SaaS Custom Domains' servers.
DNS records
The domain is pointed to our servers by creating either A or CNAME DNS records with the specific values.
For the HTTP-01 challenge, the CNAME you need to create is:
Type | Host | Value |
CNAME | app.domain.com | in.saascustomdomains.com |
The alternative two A records are:
Type | Host | Value |
A | domain.com | 75.2.96.173 |
A | domain.com | 99.83.186.151 |
Usually, you want to use the CNAME record. However, some DNS providers do not allow CNAME records on root domains, so you should create the two alternative A records for those.
If using Cloudflare or any other DNS service that allows proxying through their servers, disable the proxying for these DNS records and enable DNS only.
How to create a domain with the HTTP-01 challenge?
To use the HTTP-01 challenge for a domain, select the HTTP-01 option when creating it.
For the API users, omit the challenge_type field when creating a domain because http01 is the default value. Alternatively, set the challenge_type to http01 explicitly.
Pros & Cons
The benefits of the HTTP-01 challenge are that it's easy to set up and the certificate is issued on-demand when the first request hits the custom domain.
The disadvantage is that you cannot use SaaS Custom Domains Shield, which gives you automatic Cloudflare DDoS protection, WAF, and CDN which makes your custom domains secure and super-fast to load.
DNS-01 challenge
This challenge has certain advantages over HTTP-01 but requires creating an additional DNS record. Some argue this makes DNS-01 more complex than HTTP-01 but we don't think so.
DNS records
The domain ownership is proved by creating an extra CNAME record that will look something like this:
Type | Host | Value |
CNAME | _acme-challenge.domain.com | _acme-challenge.domain.com.challenges.saascustomdomains.com |
This CNAME record will prove the ownership of the domain, but we still have to direct domain.com traffic to SaaS Custom Domains servers. For that, we have to add similar DNS records as for the HTTP-01 challenge.
You can either create a CNAME:
Type | Host | Value |
CNAME | app.domain.com | in.saascustomdomains.com |
Or the alternative two A records:
Type | Host | Value |
A | domain.com | 75.2.96.173 |
A | domain.com | 99.83.186.151 |
But, the great benefit of using the DNS-01 challenge is that you can enable SaaS Custom Domains Shield to make your domains secure and blazingly fast to load.
π‘ Tip: Enable SaaS Custom Domains Shield and secure your custom domains with Cloudflare while making them super-fast at the same time!
How to create a domain with the DNS-01 challenge?
To use the DNS-01 challenge for a domain, select the DNS-01 option when creating it.
For the API users, set the challenge_type field when creating a domain to dns01.
Pros & Cons
The benefit of the DNS-01 challenge is that you can enable Shield and have Cloudflare protect your custom domain and application from DDoS attacks while also making it load super fast due to Cloudflare CDN.
The disadvantage is that it requires an additional CNAME record to verify ownership and it may take a few minutes for the Certificate Authority to issue the certificate. This is a bit slower compared to the HTTP-01 challenge where the certificate is issued in a few seconds.
HTTP-01 or DNS-01 β which one is the best for me?
As always in life, there's no free lunch. The right challenge selection depends heavily on what you need.
But the rule of thumb we use is this, to get started quickly, use the HTTP-01 challenge. It's easy to set up, and the certificate is issued in seconds when the first request reaches the custom domain.
Once you're convinced the SaaS Custom Domains is a great fit for you, we'd recommend using the DNS-01 challenge. You get the benefits of Cloudflare DDoS protection and speed increase with Cloudflare CDN through SaaS Custom Domains Shield. The certificate takes a few minutes to be issued but that's not a problem as long as you set the expectations correctly with your users.
Until next time, keep building!
Need more help? Reach out via the Intercom chat widget and we'll be right with you!