How to generate a Let’s Encrypt certificate using the HTTP-01 challenge for your application via API

Web applications that use the HTTPS protocol require a Digital Certificate. When you redirect your traffic to Azion, you have the option to generate a Let’s Encrypt™ certificate, which is a free and secure way to encrypt data for your edge application. Azion automates the issuance, renewal, and deactivation of this TLS certificate through an internal certificate management solution.

Let’s Encrypt HTTP-01 Challenge through API

Azion now offers API-based issuance and renewal of Let’s Encrypt certificates using the HTTP-01 challenge, providing a streamlined process with no need for DNS TXT records. This offers a straightforward and convenient integration solution, particularly beneficial for customers managing numerous domains and hostnames.

Certificates auto-renew before expiring, removing maintenance windows, and maintaining existing quotas, billing, and permissions. Perfect for ecommerce platforms and hosting providers, this enhancement enables faster onboarding and secures customer sites in minutes without DNS changes.

For more information on these updates, visit the Digital Certificates documentation.

How to issue a Let’s Encrypt certificate via HTTP-01 challenge

Define the hostname to be used in the digital certificate (for example, mysite.azion.com) as common_name.
Ensure that the DNS for this hostname is pointed to Azion (see How to point your domain to Azion). This must be done in your DNS provider service.

a. If you need to issue a single certificate with multiple hostnames (alternative names), all hostnames must be directed to Azion; otherwise, the issuance will fail.
Once the DNS responds correctly, create or use an existing API Token (see Get started with Azion API).
Make a call to request a new certificate with the "http" challenge at the endpoint https://api.azion.com/v4/digital_certificates/certificates/request.

For example:

curl --request POST \
  --url https://api.azion.com/v4/digital_certificates/certificates/request \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer {yourtoken}' \
  --header 'Content-Type: application/json' \
  --data '{
  "name": "My certificate",
  "challenge": "http",
  "authority": "lets_encrypt",
  "common_name": "mysite.azion.com",
  "alternative_names": []
}'

The response will be similar to the one below:

{
  "state": "executed",
  "data": {
    "id": 127013,
    "name": "My certificate",
    "certificate": null,
    "issuer": null,
    "subject_name": [
      "mysite.azion.com"
    ],
    "validity": null,
    "status": "Pending",
    "type": "edge_certificate",
    "managed": true,
    "status_detail": "",
    "csr": null,
    "challenge": "http",
    "authority": "lets_encrypt",
    "key_algorithm": "",
    "active": true,
    "product_version": "2.0",
    "last_editor": "{your_user@azion.com}",
    "last_modified": "2025-06-25T21:32:21.016402Z"
  }
}

If the resulting status is Pending, the request was scheduled successfully.
The Azion platform will schedule the certificate issuance automatically even if you don’t have a workload with the related hostname published and active on Azion.

a. Azion itself deploys a service that responds to the Let’s Encrypt HTTP-01 challenge and completes it as soon as the issuance is finished.
Monitor the issuance status by querying the certificate details at the endpoint https://api.azion.com/v4/digital_certificates/certificates/{id} replacing {id} with the identifier provided in the previous response, such as "id": 127013.

a. In case of failure, an error message will be displayed in the status_detail property, such as "status_detail": "An error has occurred while issuing the requested certificate. Please verify the following domains CNAME: mysite.azion.com"
If the process was successful, the certificate will be issued and the status will be active.
Now you just need to associate your certificate with the desired workload and adjust the TLS/HTTPS properties as needed.