CertMgr_NoVerifyHTTPChallenge

Parameter: CertMgr_NoVerifyHTTPChallenge
Short description: Skips the HTTP self-verification of the Let's Encrypt challenge if the server cannot resolve itself via DNS.

Profile

Parameter: CertMgr_NoVerifyHTTPChallenge
Category: Security / TLS
Component: Server
Available since: 12.0.1
Supported versions: 12.0, 14.0, 14.5, 14.5.1
GUI equivalent: notes.ini only (no GUI)
Possible values: 0 = verify (default), 1 = skip self-check

Description

Before the actual ACME validation request, CertMgr performs a self-check to confirm that the challenge file is reachable via the public hostname. In split-horizon DNS environments, where the server cannot resolve its own external name (the name maps to a different IP internally), this self-check fails permanently and the renewal does not even start.
With =1, CertMgr skips this self-check; the ACME validation is still performed externally by Let's Encrypt.

Example configuration

CertMgr_NoVerifyHTTPChallenge=1

Notes & pitfalls

  • Only set this in documented split-horizon DNS setups. Everywhere else, leave the self-check enabled so that reachability issues are detected earlier.
  • Other checks (e.g. CAA records) still take place externally.
  • Complements CertMgr_MaxRedirHTTPChallenge and CERTMGR_INTERVAL.
  • Does not affect DNS-01 challenges – they have a separate validation path.
  • The change takes effect after a restart of certmgr.
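
The following audit sketch is an added example, not part of the original page or of the product. It checks whether CertMgr_NoVerifyHTTPChallenge=1 is backed by an actual split-horizon situation. The function names are hypothetical, the public-view addresses are assumed to be supplied by the operator from an external resolver, and the case-insensitive key match and the handling of duplicate lines are assumptions.

```python
import ipaddress
import socket

PARAM = "certmgr_noverifyhttpchallenge"  # compared case-insensitively (assumption)

# Constructed sample notes.ini fragment, not taken from a real server.
SAMPLE_INI = "ServerTasks=Router,HTTP\nCertMgr_NoVerifyHTTPChallenge=1\n"

def read_param(notes_ini_text):
    """Return the parameter's value, or "0" (the documented default) if unset."""
    value = "0"
    for line in notes_ini_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == PARAM:
            value = val.strip()  # a later duplicate overrides (assumption)
    return value

def resolve_locally(hostname):
    """Addresses this machine's resolver returns for hostname ([] if none)."""
    try:
        infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def is_split_horizon(internal_addrs, public_addrs):
    """True if the internal view shares no address with the public view."""
    internal = {ipaddress.ip_address(a) for a in internal_addrs}
    public = {ipaddress.ip_address(a) for a in public_addrs}
    return internal.isdisjoint(public)  # also True when internal is empty

def audit(notes_ini_text, internal_addrs, public_addrs):
    """Classify the setting against the DNS situation the page describes."""
    skip = read_param(notes_ini_text) == "1"
    split = is_split_horizon(internal_addrs, public_addrs)
    if skip:
        # Skipping is only warranted when the self-check cannot succeed.
        return "justified" if split else "unjustified"
    # Default (verify): per the page, split-horizon DNS stops the renewal.
    return "renewal-blocked" if split else "default-ok"

if __name__ == "__main__":
    # 10.0.0.5 and 203.0.113.10 are constructed example addresses.
    print(audit(SAMPLE_INI, ["10.0.0.5"], ["203.0.113.10"]))
```

On the server itself, pass resolve_locally() of the public hostname as internal_addrs. An "unjustified" result means the self-check would work and the parameter can be set back to 0.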