Introduction

An ACME HTTP-01 challenge only works if the certificate authority can fetch a very specific token over plain HTTP at the expected path. Redirects often break that flow by sending validation traffic to the wrong hostname, forcing HTTPS too early, or rewriting the challenge path through application logic. The fix is to make the challenge path reachable exactly as the CA expects until issuance completes.

Symptoms

  • Certificate issuance or renewal fails with HTTP-01 validation errors
  • The token URL redirects multiple times before loading or returns the wrong content
  • Redirects to HTTPS, www, or another host appear during validation
  • The problem started after adding CDN rules, canonical redirects, or app routing middleware
  • Manual browser checks do not match the validation behavior shown by the certificate provider

Common Causes

  • HTTP requests to /.well-known/acme-challenge/ are redirected to a different host or scheme
  • CDN or reverse proxy rules intercept the challenge path before it reaches the validation file
  • Application routing rewrites or blocks the ACME challenge location
  • The token is served from the wrong document root or container instance
  • Security rules require authentication or filtering on the challenge path

Step-by-Step Fix

  1. Request the exact challenge URL over plain HTTP and record every redirect hop before the response completes.
  2. Verify whether the validation path stays on the same hostname and remains reachable without forced authentication or app rewrites.
  3. Review web server, CDN, and proxy rules that perform HTTP-to-HTTPS, www, or canonical host redirects.
  4. Add an exception for /.well-known/acme-challenge/ ahead of the redirect rules so the CA can fetch the token without being bounced to a different path, host, or scheme.
  5. Confirm the token file is being written to the document root or validation endpoint that the live web server actually serves.
  6. Check container, load balancer, or multi-node deployments to make sure the challenge file is available on every instance handling port 80.
  7. Retry issuance only after the challenge URL returns the exact expected token body directly.
  8. Validate that normal redirects still work for users once the challenge path exception is in place.
  9. Keep certificate automation and redirect policy documented together so future SEO or security rewrites do not break renewals.
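The following script is an added example and is not part of the original article. It automates steps 1, 2 and 7 above: it fetches the challenge URL over plain HTTP, lists every redirect hop from the header dump, flags any hop that leaves plain HTTP on the expected host (HTTPS, www, another host, or a path outside the challenge directory), and checks that the final body is exactly the expected key authorization (token plus account-key thumbprint). It assumes a standard curl is installed; HOST, TOKEN and the expected body are placeholders you supply, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not the article's own code): trace and verify an ACME HTTP-01
# challenge URL. Assumes curl; HOST, TOKEN and EXPECTED are placeholders.

# acme_fetch HOST TOKEN OUTDIR
# Request http://HOST/.well-known/acme-challenge/TOKEN over plain HTTP, follow
# redirects the way a CA would (bounded), and keep the full header dump of every
# hop in OUTDIR/headers and the final body in OUTDIR/body.
acme_fetch() {
    curl -sS -L --max-redirs 10 \
         -D "$3/headers" -o "$3/body" \
         "http://$1/.well-known/acme-challenge/$2"
}

# acme_hops HEADERS_FILE
# Print one line per redirect hop as "<status> <Location>", in order.
acme_hops() {
    awk '
        /^HTTP\// { status = $2 }                       # remember status of current response
        tolower($1) == "location:" { sub(/\r$/, ""); print status, $2 }
    ' "$1"
}

# acme_offhost_hops HEADERS_FILE HOST
# Print every hop that leaves plain HTTP on HOST or leaves the challenge
# directory; exit 1 if any such hop exists, 0 if the chain is clean.
acme_offhost_hops() {
    acme_hops "$1" | awk -v host="$2" '
        {
            loc = $2
            if (loc ~ /^https:\/\//) { print "scheme-change:", $0; bad = 1; next }
            if (loc ~ /^http:\/\//) {
                h = loc
                sub(/^http:\/\//, "", h); sub(/[\/:].*$/, "", h)   # isolate hostname
                if (h != host) { print "host-change:", $0; bad = 1 }
                next
            }
            # relative Location: same host, so only the path matters
            if (loc !~ /^\/\.well-known\/acme-challenge\//) { print "path-change:", $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# acme_body_ok BODY_FILE EXPECTED
# True when the final body is exactly EXPECTED (a trailing newline is tolerated).
acme_body_ok() {
    acme_body=$(cat "$1")          # $(...) strips trailing newlines
    [ "$acme_body" = "$2" ]
}

# acme_check HOST TOKEN EXPECTED
# Run the whole check; returns 0 only when the chain is clean and the body matches.
acme_check() {
    acme_dir=$(mktemp -d)
    acme_fetch "$1" "$2" "$acme_dir" || return 1
    echo "redirect hops:"; acme_hops "$acme_dir/headers"
    acme_offhost_hops "$acme_dir/headers" "$1" || { echo "FAIL: chain leaves plain HTTP on $1"; return 1; }
    acme_body_ok "$acme_dir/body" "$3" || { echo "FAIL: body does not match expected key authorization"; return 1; }
    echo "OK: challenge reachable with expected body"
}

# Usage (placeholders): acme_check example.test TOKEN TOKEN.THUMBPRINT
```

Run acme_check before retrying issuance; only once it prints OK has step 7 been satisfied. Any scheme-change or host-change line points at the rule that needs the exception from step 4, which for a web server typically means a location block for /.well-known/acme-challenge/ placed before the HTTP-to-HTTPS or canonical-host redirect rule.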