<b>What actually distinguishes the three ACME challenge types, and why does TLS-ALPN-01 exist?</b>
Automatic Certificate Management Environment (ACME, RFC 8555) is the protocol behind Let's Encrypt. It proves you control a domain before issuing a certificate. The three challenges differ in what surface they probe, and the differences are operationally load-bearing.
HTTP-01 proves control of a web server: the CA fetches the token's URL under http://domain/.well-known/acme-challenge/ over plain HTTP and expects the key authorization in the response body. It is simple, but it cannot validate wildcards and requires port 80 to be reachable from the CA.
DNS-01 proves control of the zone by placing a TXT record at _acme-challenge.domain. It is the only challenge that can issue wildcards (*.domain), and it works without any inbound web traffic. The cost is DNS API automation: a leaked DNS API key exposes the whole zone, a far broader surface than a single web path.
TLS-ALPN-01 (RFC 8737) is the subtle one. The CA opens a TLS connection to port 443 and negotiates the acme-tls/1 protocol via ALPN (Application-Layer Protocol Negotiation, RFC 7301); the server answers with a special self-signed certificate whose acmeIdentifier extension carries the validation token. Its purpose is specific: validation happens entirely within the TLS layer, so a reverse proxy or load balancer can complete the challenge at the TLS terminator without touching the HTTP application and without needing port 80 at all.
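All three challenges derive what the CA expects to see from the same key authorization (token, a dot, and the RFC 7638 thumbprint of the account key); they differ only in where that value is published. The following added example, which is not code from the post or from any ACME client, computes the three expected artefacts side by side: the HTTP-01 URL and body, the DNS-01 owner name and TXT value (including the wildcard case, where the `*.` label is dropped), and the DER value of the TLS-ALPN-01 acmeIdentifier extension. It also includes a constant-time comparison you can use to check what a host actually served against the expected value. The JWK coordinates and token are constructed sample values, not real key material.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Protocol constants from RFC 8555 / RFC 8737 / RFC 7301.
WELL_KNOWN_PATH = "/.well-known/acme-challenge/"
DNS_LABEL = "_acme-challenge."
ACME_TLS_ALPN = b"acme-tls/1"                # ALPN protocol id the CA negotiates
ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.31"   # id-pe-acmeIdentifier (RFC 8737)

# Constructed sample inputs: a fake P-256 account JWK (coordinates are not a real
# point, they are only hashed here) and a token shaped like the one a CA issues.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-key",
    "y": "constructed-y-coordinate-not-a-real-key",
    "use": "sig",   # extra member: must not affect the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: hash only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. Every challenge derives from this."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def _digest(token: str, account_jwk: dict) -> bytes:
    return hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()


def http01_expected(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """URL the CA fetches and the exact body it must read back (RFC 8555 section 8.3)."""
    return f"http://{domain}{WELL_KNOWN_PATH}{token}", key_authorization(token, account_jwk)


def dns01_expected(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """TXT owner name and value, base64url(SHA-256(key authorization)) (RFC 8555 section 8.4).

    For a wildcard identifier the CA authorizes the base name, so "*.example.com"
    is validated at _acme-challenge.example.com.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    return DNS_LABEL + base, b64url(_digest(token, account_jwk))


def tls_alpn01_extension(token: str, account_jwk: dict) -> bytes:
    """DER value of the acmeIdentifier extension: an OCTET STRING holding the
    32-byte SHA-256 digest of the key authorization (RFC 8737 section 3)."""
    return b"\x04\x20" + _digest(token, account_jwk)   # 0x04 = OCTET STRING, 0x20 = length 32


def matches(expected: str | bytes, observed: str | bytes) -> bool:
    """Constant-time comparison for checking what a host actually served."""
    if isinstance(expected, str):
        expected = expected.encode("ascii")
    if isinstance(observed, str):
        observed = observed.encode("ascii")
    return hmac.compare_digest(expected, observed)


if __name__ == "__main__":
    url, body = http01_expected("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    name, txt = dns01_expected("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    ext = tls_alpn01_extension(SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01    :", url, "->", body)
    print("DNS-01     :", name, "TXT", txt)
    print("TLS-ALPN-01:", ACME_TLS_ALPN.decode(), ACME_IDENTIFIER_OID, ext.hex())
```

Note that the DNS-01 value and the TLS-ALPN-01 extension payload are the same digest in different encodings, while HTTP-01 publishes the key authorization itself; that is why a leaked HTTP-01 body is harmless once the order completes, but any of the three is only as trustworthy as the account key whose thumbprint it binds.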
Further reading: RFC 8555 §8, RFC 8737, RFC 7301.
Bottom line: HTTP-01 probes a web path, DNS-01 probes the zone (and alone does wildcards), TLS-ALPN-01 probes the TLS layer itself — pick by which surface you can automate safely.
Handshake Papers
@HandshakePapers
This post was published in the Telegram channel Handshake Papers. Subscribe here: @HandshakePapers.