bityard 2 days ago

The advantage to HTTP validation is that it's simple. No messing with DNS or API keys. Just fire up your server software and tell it what your hostname is and everything else happens in the background automagically.

abcdefg12 2 days ago | parent [-]

And if you have two or more servers serving this domain, you're out of luck.

lmz 2 days ago | parent | next [-]

And this is different from DNS how exactly? The key and resulting cert still needs to be distributed among your servers no matter which method is used.

cpach 2 days ago | parent [-]

With dns-01, multiple servers could, independently of each other, fetch a certificate for the same set of hostnames. Not sure if it’s a good idea though.

lmz a day ago | parent [-]

Multiple keys and certs for the same hostname? Will the CA even issue that?

cpach a day ago | parent [-]

I guess it depends on the CA, but some do. Let’s Encrypt does, for example. I guess it’s useful for HA deployments, where load balancers might be spread out across multiple datacenters and stuff like that.

NB that rate limits apply https://letsencrypt.org/docs/rate-limits/

account42 2 days ago | parent | prev [-]

Not really. Just forward .well-known/acme-challenge/* requests to a single server, or otherwise make sure that the challenge responses are served from all instances.
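The challenge mechanics this thread is arguing about, as an added example that is not code from any of the commenters: it computes the HTTP-01 body and the DNS-01 TXT value from a token and an ACME account key as RFC 8555 (sections 8.1, 8.3, 8.4) and RFC 7638 define them, then models the CA's checks against a two-server fleet to show why an unforwarded HTTP-01 request to the wrong instance fails, why forwarding .well-known/acme-challenge/* to one server (the comment above) fixes it, and why several servers can each publish their own _acme-challenge record with dns-01 (cpach's point earlier). The account JWKs, tokens, hostnames and server names are constructed for the example; a real CA issues the token.

```python
import base64
import hashlib
import json
from typing import Dict, List, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed account keys for two independent ACME clients, one per server.
# Only the JWK members matter for the thumbprint, so the coordinates need not be
# real curve points; "kid" is an extra member that the thumbprint must ignore.
ACCOUNT_JWK_A = {"kty": "EC", "kid": "web-a", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                 "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv": "P-256"}
ACCOUNT_JWK_B = {"kty": "EC", "kid": "web-b", "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
                 "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM", "crv": "P-256"}

# Required members per key type (RFC 7638 section 3.2); everything else is dropped.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON the thumbprint hashes: required members only, sorted keys, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint using SHA-256."""
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_response(token: str, account_jwk: dict) -> Tuple[str, str]:
    """Path the CA fetches over plain HTTP and the body it expects there (section 8.3)."""
    return ACME_PREFIX + token, key_authorization(token, account_jwk)


def dns01_value(token: str, account_jwk: dict) -> str:
    """TXT record value: base64url(SHA-256(keyAuthorization)) (section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """TXT record name and value the client must publish before asking the CA to validate."""
    return "_acme-challenge." + domain, dns01_value(token, account_jwk)


def ca_accepts_http01(body: Optional[str], token: str, account_jwk: dict) -> bool:
    """CA side of HTTP-01: the one server the GET reached must return the key
    authorization; trailing whitespace is ignored (section 8.3)."""
    return body is not None and body.rstrip() == key_authorization(token, account_jwk)


def ca_accepts_dns01(txt_records: List[str], token: str, account_jwk: dict) -> bool:
    """CA side of DNS-01: any one matching TXT record is enough (section 8.4), so
    several servers can each publish their own record for concurrent orders."""
    return dns01_value(token, account_jwk) in txt_records


def fleet_http01_body(webroots: Dict[str, Dict[str, str]], hit: str, path: str,
                      forward_to: Optional[str] = None) -> Optional[str]:
    """Toy model of a load-balanced fleet. `webroots` maps each server to the challenge
    files it wrote locally; the CA's single GET lands on `hit`. With `forward_to` set,
    requests under ACME_PREFIX are proxied to that one server instead."""
    if forward_to is not None and path.startswith(ACME_PREFIX):
        hit = forward_to
    return webroots.get(hit, {}).get(path)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (http01 unforwarded, http01 forwarded, dns01 for web-a, dns01 for web-b)."""
    token_a = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed; a CA issues these
    token_b = "DGyRejmCefe7v4NfDGDKfA"
    # HTTP-01: only web-a ran the client, so only web-a has the file on disk, but the
    # load balancer sends the CA's request to web-b.
    path, body = http01_response(token_a, ACCOUNT_JWK_A)
    webroots = {"web-a": {path: body + "\n"}, "web-b": {}}
    unforwarded = ca_accepts_http01(fleet_http01_body(webroots, "web-b", path),
                                    token_a, ACCOUNT_JWK_A)
    forwarded = ca_accepts_http01(fleet_http01_body(webroots, "web-b", path, forward_to="web-a"),
                                  token_a, ACCOUNT_JWK_A)
    # DNS-01: each server placed its own order with its own account key and added its
    # own TXT record; both records coexist in the zone and both validations pass.
    zone = [dns01_record("example.com", token_a, ACCOUNT_JWK_A)[1],
            dns01_record("example.com", token_b, ACCOUNT_JWK_B)[1]]
    return (unforwarded, forwarded,
            ca_accepts_dns01(zone, token_a, ACCOUNT_JWK_A),
            ca_accepts_dns01(zone, token_b, ACCOUNT_JWK_B))


if __name__ == "__main__":
    print(demo())
```

The forwarding trick works because the CA only ever needs the one GET it makes to land on a server that knows the key authorization; the key authorization itself is derived from the account key, so the server that holds the account key must be the one answering (or the file must be copied to all instances). With dns-01 the TXT value is a hash of the key authorization, so two clients with different account keys produce different records, and the CA checking "any record matches" is what lets them proceed independently.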