How to set up a fileauth.txt file for domain authentication
Jun 24, 2021 | Jindřich Zechmeister
In today's article, we will look at the option of setting up an authentication file for domain verification; this verification is performed when requesting a certificate for all domains included in the certificate order. The verification is done only automatically and therefore it is necessary to fulfill all requirements to avoid verification problems.
The website works on a bare domain
In this case, you verify the bare domain in the basic form, which is easy. All you have to do is upload the verification file to the /.well-known/pki-validation/ folder on the FTP domain. Then it will be accessible at http://domain-name.com/.well-known/pki-validation/fileauth.txt and the authority will verify it immediately.
The website can run on both HTTP and HTTPS, provided the connection is trusted.
The web is redirected to WWW
Websites are often used in the form with WWW at the beginning and many web server administrators redirect to www.domain-name.com from the bare domain domain-name.com However, this redirection causes a file authentication collision.
Why does the collision occur? Certification authorities are bound by common rules to verify a domain in its basic form. It is not possible to verify the domain domain-name.com via the subdomain www.domain-name.com, because it is a different DNS name (FQDN). In this case, the order is waiting for a separate verification of the bare domain. Manual inspection and verification are not possible. On the contrary, they are prohibited.
You do not have to cancel the site configuration and redirection because the authentication file can be excluded from redirection. The rule in the htaccess file, which is used on the most common Apache web server, looks like this with the redirection:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/pki-validation/fileauth.txt
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www. [NC]
RewriteCond %{HTTP_HOST} ^(?:www.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]
Redirecting the entire website to https://www.domain-name.com still works with this rule, but it does not apply to the verification file and it is available at http://domain-name.com/.well-known/pki-validation/fileauth.txt. The verification will then proceed smoothly.
Possible problems with file verification
Even with this simple verification method, problems can be encountered; however, they are always caused on the server side. A typical example is running a server on a non-standard port. The CA verifies the fileauth.txt file on standard ports 80 and 443; it is not possible to use other non-standard ones. If this is a problem, it is advisable to choose authentication using a DNS record.
The second common option is an untrusted certificate on the web. If the CA's authentication robot is redirected to HTTPS and encounters an untrusted certificate, it will be an insurmountable problem for it. There are various reasons for this - expiration, untrusted CA, use on the wrong domain.... In this case, it is better to turn HTTPS off for a very short time, or use the rule to exclude the file from redirection, which we described above. You can also always use DNS record authentication, which does not slow down the process in any way.
Contact support in case of problems
The above tips will help you resolve domain authentication using the fileauth.txt file with no problems. However, SSLmarket customer support is available to you if necessary and will resolve any domain authentication issues.