The verification of domain name ownership is also called domain name verification. During the verification, the certificate authority (CA) verifies whether you own the domain name to be bound to the SSL certificate you want to apply for. When you apply for a Domain Validation (DV) SSL certificate, you must complete domain name verification before you can submit the certificate application to the CA for review. This topic describes how to prove the ownership of a domain name before you can submit the certificate application.

Prerequisites

The application for a DV SSL certificate is created, and the certificate is in the Pending Verification state. For more information about how to create a certificate application, see Apply for a certificate.

You can log on to the SSL Certificates Service console and view all certificate application records on the Overview page.

Background information

You must complete domain name verification only when you apply for a DV SSL certificate. When you apply for an Organization Validation (OV) or Extended Validation (EV) SSL certificate, you do not need to complete domain name verification.

The following table describes the domain name verification methods supported by SSL Certificates Service and prerequisites for using different methods.
Automatic DNS verification
  Description: If you select this method, SSL Certificates Service is authorized to modify the DNS records of the domain name. SSL Certificates Service automatically adds a TXT record to the DNS records of the domain name for verification. You do not need to manually modify the DNS records of the domain name. If the CA verifies that the TXT record can be resolved, the verification is successful.
  Prerequisite: The domain name is registered on the Alibaba Cloud Domains service platform. You can view the domain names registered by the current Alibaba Cloud account on the Domain Names page in the Alibaba Cloud Domains console.

Manual DNS verification
  Description: If you select this method, you must manually add a TXT record to the DNS records of the domain name for verification. If the CA verifies that the TXT record can be resolved, the verification is successful.
  Prerequisite: The domain name is registered on a third-party platform, and you have permission to modify the DNS records of the domain name. This means that you have administrative rights on the domain name.

Upload a verification file to prove the ownership of a domain name
  Description: If you select this method, you must manually download a unique verification file from the SSL Certificates Service console and upload the file to the specified verification directory of the web server. If the CA verifies that the path of the unique verification file can be accessed, the verification is successful.
  Prerequisites:
  • The domain name is registered on a third-party platform, and you have permission to write content to the root directory of the server where your website is deployed. This means that you have administrative rights on the server.
  • Ports 80 and 443 are enabled for the server, so that the server listens for HTTP traffic and HTTPS traffic.
    Notice The CA can initiate authentication requests only to ports 80 and 443. If ports 80 and 443 are not enabled for your server, do not use the file verification method.

Add a DNS record to prove the ownership of a domain name

  1. Log on to the SSL Certificates Service console. Go to the domain name verification step.
    You can go to the domain name verification step in one of the following ways:
    • Submit an application for a DV SSL certificate. After you enter the application information, the system goes to the domain name verification step.
    • In the certificate list, find your certificate that is in the Pending Verification state and click Verify in the Actions column. Then, the system goes to the domain name verification step.
  2. If you set Domain Verification Method to Automatic DNS Verification in the Enter Application step, click Verify. If you set Domain Verification Method to Manual DNS Verification in the Enter Application step, add a TXT record to the DNS records of the domain name by using the TXT record value displayed in the Verify Information step. Then, click Verify.
    In the following example, Alibaba Cloud DNS is used to demonstrate how to add a TXT record to the DNS records of a domain name.
    Note If your domain name is registered on a third-party platform, log on to the system of your DNS service provider and add a TXT record to the DNS records of the domain name.
    1. Log on to the Alibaba Cloud DNS console.
    2. On the Manage DNS page, click the domain name for which you want to add a TXT record.
    3. On the DNS Settings page, click Add Record.
    4. In the Add Record panel, follow the instructions in the Verify Information step in the SSL Certificates Service console to add the specified TXT record, and click OK.
      After the TXT record is added, it appears in the record list. By default, the TXT record takes effect. This means that its Status is Normal.

      After you add the TXT record, go back to the SSL Certificates Service console and click Verify in the Verify Information step.

  3. After the verification is complete, click Submit.
    If the verification fails, refresh the page and prove the ownership of the domain name again.
  4. Wait for the CA to review the certificate application.
    The CA issues the certificate to you only after the CA approves your certificate application. In the certificate list, you can view the progress of the certificate application that you submitted or obtain the issued certificate.

    If your certificate application is rejected by the CA, troubleshoot the issue by following the instructions provided in the certificate list.

  5. After the certificate is issued, delete the TXT record that you added in Step 2.
    Notice If Automatic DNS Verification is selected, SSL Certificates Service automatically adds a TXT record to the DNS records of the domain name. However, SSL Certificates Service does not automatically delete the TXT record after the certificate is issued. We recommend that you manually delete the TXT record after the certificate is issued.

Upload a verification file to prove the ownership of a domain name

  1. Log on to the SSL Certificates Service console. Go to the domain name verification step.
    You can go to the domain name verification step in one of the following ways:
    • Submit an application for a DV SSL certificate. After you enter the application information, the system goes to the domain name verification step.
    • In the certificate list, find your certificate that is in the Pending Verification state and click Verify in the Actions column. Then, the system goes to the domain name verification step.
  2. If you set Domain Verification Method to File Verification in the Enter Application step, follow the instructions provided in the Verify Information step to create a verification directory named .well-known/pki-validation in the root directory of the web application on the server and upload the unique verification file fileauth.txt to the verification directory.
    After the preceding configuration is complete, enter https://<yourdomain>.com/.well-known/pki-validation/fileauth.txt or http://<yourdomain>.com/.well-known/pki-validation/fileauth.txt in a browser to access the unique verification file. If the unique verification file can be accessed, the verification is successful.
    The procedure for performing the configuration varies based on the operating system of the server and the directory structure of the web application that is installed on the server. In the following example, NGINX installed on an Elastic Compute Service (ECS) Linux instance is used to demonstrate how to upload the unique verification file to prove the ownership of a domain name.
    Note We recommend that you seek help from the server administrator.
    1. Click unique verification file to download the package to your on-premises machine and decompress the package.
      The downloaded file is a ZIP package. After the package is decompressed, you can obtain the unique verification file fileauth.txt. The file is valid only for three days after it is downloaded. If you fail to complete the file verification within the time limit, you must download the unique verification file again.
      Notice After you download and decompress the unique verification file, do not modify the file in any way. For example, do not open, edit, or rename the file.
    2. Connect to your server.
      For more information, see Connect to an ECS instance.
    3. Run the following commands to create a verification directory named .well-known/pki-validation/ in the root directory of the web application on the server. In this example, the root directory for NGINX is /var/www/html/.
      cd /var/www/html
      mkdir .well-known
      cd .well-known
      mkdir pki-validation
      cd pki-validation
    4. Use Cloud Assistant to upload the unique verification file fileauth.txt to the verification directory /var/www/html/.well-known/pki-validation/.
      For more information, see Upload files to ECS instances.
    5. Run the following command to verify whether the unique verification file is uploaded to the verification directory:
      ls

      If fileauth.txt is included in the returned result, the unique verification file is uploaded to the verification directory.

  3. Click Verify.
    The CA will try to access https://<yourdomain>.com/.well-known/pki-validation/fileauth.txt and http://<yourdomain>.com/.well-known/pki-validation/fileauth.txt in turn to verify whether the unique verification file is correctly configured. If the preceding URLs can be accessed, the verification is successful.
    Notice If the HTTPS service is enabled for your domain name, make sure that the preceding HTTPS URL is accessible and the certificate is trusted. Otherwise, we recommend that you temporarily disable the HTTPS service for the domain name to avoid affecting the verification.
  4. After the verification is complete, click Submit.
    If the verification fails, refresh the page and prove the ownership of the domain name again.
  5. Wait for the CA to review the certificate application.
    The CA issues the certificate to you only after the CA approves your certificate application. In the certificate list, you can view the progress of the certificate application that you submitted or obtain the issued certificate.

    If your certificate application is rejected by the CA, troubleshoot the issue by following the instructions provided in the certificate list.

  6. After the certificate is issued, delete the unique verification file that you uploaded in Step 2.
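The following Python script is an added pre-flight check for the file verification procedure above; it is not part of this topic or of SSL Certificates Service. It stages fileauth.txt under a web root the way steps 3 and 4 do, then requests /.well-known/pki-validation/fileauth.txt the way the CA does in step 3 and reports whether the failure is a missing path, wrong content, or an untrusted HTTPS certificate. The token value and the throwaway local HTTP server in demo() are constructed for illustration; against a real server, call probe("https://<yourdomain>.com", token) and probe("http://<yourdomain>.com", token) with the token you downloaded.

```python
import functools, http.server, os, ssl, tempfile, threading, urllib.error, urllib.request

# Path the CA requests under the web root (from the procedure above).
VALIDATION_PATH = "/.well-known/pki-validation/fileauth.txt"
# Go straight to the host, ignoring any proxy configured in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def place_validation_file(docroot, content):
    """Create .well-known/pki-validation under the web root and write fileauth.txt."""
    target_dir = os.path.join(docroot, ".well-known", "pki-validation")
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, "fileauth.txt")
    with open(path, "wb") as fh:
        fh.write(content)
    return path

def probe(base_url, expected, timeout=5):
    """Fetch the validation URL like the CA does and compare the body with the
    downloaded token. Returns (ok, reason); run it for both https:// and http://."""
    try:
        with _OPENER.open(base_url + VALIDATION_PATH, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:  # server answered, but not 200 (e.g. 404)
        return False, f"HTTP {err.code}"
    except urllib.error.URLError as err:  # no usable answer at all
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            return False, "HTTPS certificate not trusted"  # the Notice in step 3
        return False, f"unreachable: {err.reason}"
    if body.strip() != expected.strip():
        return False, "content mismatch"  # file edited, renamed or stale
    return True, "ok"

def demo():
    """Constructed local run against a throwaway HTTP server: empty docroot
    (404), then the staged token (ok), then a stale token (mismatch)."""
    docroot = tempfile.mkdtemp()
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    token = b"constructed-token-not-issued-by-any-CA\n"  # placeholder, not a real token
    try:
        before = probe(base, token)
        place_validation_file(docroot, token)
        after, stale = probe(base, token), probe(base, b"old-token\n")
    finally:
        server.shutdown()
    return before, after, stale
```

If the HTTPS probe reports an untrusted certificate while the HTTP probe succeeds, that is the situation the Notice in step 3 describes; fix the HTTPS configuration or temporarily disable it before clicking Verify.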