diff --git a/docs/develop/change-log.md b/docs/develop/change-log.md index 882e9f2..30395cb 100644 --- a/docs/develop/change-log.md +++ b/docs/develop/change-log.md @@ -6,7 +6,6 @@ - feat: support host alias. add config `http.external_port`, `https.external_port` - conf: **break change** `https.http_redirect_to_https` move to `http.redirect_https`, and value is bool. - improve: improve change_status response text style (release JS SDK 2.3.0) -- ci: use pebble root cert to check domain redirect. ### Version 2.2.4 diff --git a/server/src/acme.rs b/server/src/acme.rs index 97962d1..1130ad8 100644 --- a/server/src/acme.rs +++ b/server/src/acme.rs 
@@ -165,29 +165,29 @@ impl ACMEProvider {
         debug!("domain:{domain} order state:{:#?}", state);
         assert!(matches!(state.status, OrderStatus::Pending));
         let authorizations = order.authorizations()?;
-        assert_eq!(authorizations.len(), 1);
-        let authz = authorizations.first().unwrap();
-        //for authz in &authorizations {
-        // get authorization
-        match authz.status {
-            AuthorizationStatus::Pending => {}
-            //AuthorizationStatus::Valid => continue,
-            _ => todo!(),
+        let mut names = vec![];
+        for authz in &authorizations {
+            match authz.status {
+                AuthorizationStatus::Pending => {}
+                AuthorizationStatus::Valid => continue,
+                _ => {
+                    warn!("authorization : {authz:#?}")
+                },
+            }
+            let challenge = authz
+                .challenges
+                .iter()
+                .find(|c| c.r#type == ChallengeType::Http01)
+                .ok_or_else(|| anyhow!("no http01 challenge found for domain:{domain}"))?;
+            let Identifier::Dns(identifier) = &authz.identifier;
+            let token = challenge.token.clone();
+
+            let key_authorization = order.key_authorization(challenge);
+            let challenge_domain_token_path = get_challenge_path(&challenge_path, identifier, &token);
+            fs::write(challenge_domain_token_path, key_authorization.as_str())?;
+            names.push(identifier.clone());
+            order.set_challenge_ready(&challenge.url)?;
         }
-        let challenge = authz
-            .challenges
-            .iter()
-            .find(|c| c.r#type == ChallengeType::Http01)
-            .ok_or_else(|| anyhow!("no http01 challenge found for domain:{domain}"))?;
-        let Identifier::Dns(identifier) = &authz.identifier;
-        let token = challenge.token.clone();
-
-        let key_authorization = order.key_authorization(challenge);
-        //TODO: save to
-        let challenge_domain_token_path = get_challenge_path(&challenge_path, &domain, &token);
-        fs::write(challenge_domain_token_path, key_authorization.as_str())?;
-        order.set_challenge_ready(&challenge.url)?;
-
         // get token
         let mut retries: u32 = 0;
         let state = loop {
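Review bot: The `AuthorizationStatus::Valid => continue` arm skips the rest of the loop body, including `names.push(identifier.clone())`, so any identifier whose authorization the CA already considers valid is left out of the `names` list that later feeds `CertificateParams::new(names)`; the CSR would then be missing that name, or be empty if every authorization was pre-validated. Binding and recording the identifier before the status check fixes this: put `let Identifier::Dns(identifier) = &authz.identifier;` and `names.push(identifier.clone());` ahead of `match authz.status {` and drop the later `let Identifier::Dns(identifier)` line and the `names.push` at the bottom of the loop. Separately, the `_ => { warn!(...) }` arm replaces the old `todo!()` with a log line and then falls through to write a challenge file and call `set_challenge_ready` on an authorization that is invalid, expired, revoked or deactivated, which can only end in a later polling failure; `_ => bail!("domain: {domain} authorization in unexpected state: {authz:#?}"),` would surface the real cause immediately, reusing the format the hunk already shows compiling. The enclosing function starts before and ends after this hunk.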
@@ -211,7 +211,7 @@ impl ACMEProvider { bail!("domain: {domain} order is invalid") } - let mut params = CertificateParams::new(vec![identifier.to_string()]); + let mut params = CertificateParams::new(names); params.distinguished_name = DistinguishedName::new(); let cert = Certificate::from_params(params).unwrap(); let csr = cert.serialize_request_der()?; diff --git a/server/src/service.rs b/server/src/service.rs index c93841e..9d35db3 100644 --- a/server/src/service.rs +++ b/server/src/service.rs @@ -35,7 +35,9 @@ impl ServiceConfig { } } -fn alias_redirect(uri: &Uri, https:bool, host:&str, external_port:u16) -> warp::reply::Response { // cors? +// http to https +// alias +fn alias_redirect(uri: &Uri, https: bool, host:&str, external_port:u16) -> warp::reply::Response { // cors? let mut resp = Response::default(); let schema = if https {"https://"} else {"http://"}; @@ -137,7 +139,7 @@ pub async fn create_http_service( let token = &path[ACME_CHALLENGE.len()..]; { if let Some(path) = challenge_path.read().await.as_ref() { - let path = get_challenge_path(path, host, token); + let path = get_challenge_path(path, origin_host, token); let headers = req.headers(); let conditionals = Conditionals { if_modified_since: headers.typed_get(), @@ -163,7 +165,7 @@ pub async fn create_http_service( Some(external_port) => (true, external_port), None => (false, external_port) }; - return Ok(alias_redirect(uri,https, host, external_port)); + return Ok(alias_redirect(uri, https, host, external_port)); } file_resp(&req, uri, host, domain_storage, origin_opt).await } else { diff --git a/server/src/web_server.rs b/server/src/web_server.rs index 78c6ee6..381c29e 100644 --- a/server/src/web_server.rs +++ b/server/src/web_server.rs 
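Review bot: In the `create_http_service` hunk the challenge lookup now builds a filesystem path from `origin_host` and `token`, both taken directly from the request (the Host header and the URL tail after `ACME_CHALLENGE`), via `get_challenge_path`, whose body is not in this diff; unless that helper rejects separators and `..`, a request with `Host: ..` or a token containing `/` could make the file read escape the challenge directory. ACME tokens are base64url, so a cheap guard before the lookup is `if token.is_empty() || !token.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_') { /* respond 404 */ }`, with the same character check applied to `origin_host` before it is used as a path component. Note too that the ACME side in this commit writes the file under the bare DNS identifier, so if `origin_host` still carries a `:port` suffix at this point the lookup will miss; I cannot see where it is normalised. `create_http_service` continues past the hunk.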
@@ -59,15 +59,31 @@ pub struct Server { impl Server { pub fn new(conf: Config, storage: Arc) -> anyhow::Result { let default_http_redirect_to_https:Option> = conf.http.as_ref().and_then(|x| { - if x.redirect_https.is_some_and(|x|x) { - let external_port = conf.https.as_ref().and_then(|https| https.external_port); - if external_port.is_none() { - Some(Either::Left("when redirect_https is undefined or true, https.external_port should be set")) - } else { - external_port.map(|x|Either::Right(x)) + match x.redirect_https { + Some(true) => { + let external_port = conf.https.as_ref().and_then(|https| https.external_port); + if external_port.is_none() { + Some(Either::Left("when redirect_https is undefined or true, https.external_port should be set")) + } else { + external_port.map(|x|Either::Right(x)) + } + }, + None => { + match &conf.https { + Some(https) => { + let external_port = https.external_port; + if external_port.is_none() { + Some(Either::Left("when redirect_https is undefined or true, https.external_port should be set")) + } else { + external_port.map(|x|Either::Right(x)) + } + }, + None => None, + } + }, + Some(false) => { + None } - } else { - None } }); let default_http_redirect_to_https = match default_http_redirect_to_https { diff --git a/tests/tests/acme_test.rs b/tests/tests/acme_test.rs index ae5dadd..545e30c 100644 --- a/tests/tests/acme_test.rs +++ b/tests/tests/acme_test.rs @@ -143,6 +143,6 @@ async fn alias_acme() { wait_count += 1; } assert_files(domain, request_prefix, 1, vec!["index.html"]).await; - assert_redirects(request_prefix, vec![format!("https://{LOCAL_HOST}:8443/27"), "/27/".to_owned()]).await + assert_redirects(request_prefix, vec![format!("https://{LOCAL_HOST}:8443/")]).await } diff --git a/tests/tests/common.rs b/tests/tests/common.rs index 46380d5..9548e34 100644 --- a/tests/tests/common.rs +++ b/tests/tests/common.rs 
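Review bot: The `Some(true)` and `None` arms of the new `match x.redirect_https` compute the same thing — look up `https.external_port`, return `Either::Right(port)` or the fixed error string — and differ only in that `None` with no `https` section yields `None` rather than the error, so the actual rule (redirect on unless explicitly `Some(false)`; silently off when HTTPS is not configured at all) is buried under two copies of the same eight lines. Matching on the pair `(x.redirect_https, conf.https.as_ref())` states that rule once, and it deserves a comment because the error text says "undefined or true" while the undefined-without-https case is deliberately not an error. The rewritten closure is below; the type annotation on the binding appears garbled in this rendering so it is omitted rather than guessed, and `Server::new` continues past the hunk.
```rust
let default_http_redirect_to_https = conf.http.as_ref().and_then(|x| {
    // Redirect HTTP to HTTPS unless explicitly disabled. When `redirect_https` is unset
    // and there is no `https` section the redirect is simply off; whenever it is on
    // (explicitly or by default) an `https.external_port` is required to build the target.
    let https = match (x.redirect_https, conf.https.as_ref()) {
        (Some(false), _) | (None, None) => return None,
        (_, https) => https,
    };
    match https.and_then(|https| https.external_port) {
        Some(port) => Some(Either::Right(port)),
        None => Some(Either::Left("when redirect_https is undefined or true, https.external_port should be set")),
    }
});
// … unchanged: error mapping of default_http_redirect_to_https below …
```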
@@ -186,7 +186,8 @@ pub async fn assert_files(
 }
 pub async fn assert_redirect_correct(request_prefix: &str, target_prefix: &str) -> String {
     let client = ClientBuilder::new()
-        .add_root_certificate(get_root_cert())
+        //.add_root_certificate(get_root_cert()) // does not work
+        .danger_accept_invalid_certs(true)
         .redirect(Policy::none())
         .build()
         .unwrap();
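Review bot: Switching to `.danger_accept_invalid_certs(true)` means this helper no longer checks that the redirect target presents a certificate chaining to the Pebble root, so the test now passes against any certificate, including a wrong or self-signed one; the changelog hunk in this commit drops the matching "use pebble root cert" entry, confirming the coverage loss is intentional rather than incidental. The commented-out `.add_root_certificate(get_root_cert())` suggests the trust setup failed rather than the idea being wrong; one cause worth checking is that Pebble issues through an intermediate served separately from its root, so trusting only the root fails if the server under test does not send the full chain. If the bypass has to stay, replace `// does not work` with a comment naming the observed failure and a TODO, and keep a separate assertion on the served certificate (for example its SAN list) so the redirect test is not the only thing standing in for chain validation. `assert_redirect_correct` continues past the hunk.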