Certbot /.well-known/acme-challenge

Should I leave the /.well-known/acme-challenge always exposed on the server? Here is my config for the HTTP:

    server {
        listen 80;

        # Serve the ACME HTTP-01 challenge files over plain HTTP
        location '/.well-known/acme-challenge' {
            root /var/www/demo;
        }

        # Everything else goes to HTTPS
        location / {
            if ($scheme = http) {
                return 301 https://$server_name$request_uri;
            }
        }
    }

Which basically redirects all the requests to https, except for the acme-challenge (for auto renewal). My question: Is it alright to keep location '/.well-known/acme-challenge' always exposed on port 80? Or is it better to comment/uncomment it manually when I need to reissue the certificate? Are there any security issues with that?

Any advice or links to read about this location are appreciated. Thanks!

Ilya asked Jan 23 '17 09:01


People also ask

What is the well known acme challenge?

The ACME CA challenges the client to host a random number at a random URL under /.well-known/acme-challenge on port 80. The CA verifies client control by issuing an HTTP GET request to that URL.

Where does Certbot store acme challenge?

If you want to use the http-01 challenge validation, make sure that Certbot can write to the challenge folder of the web server, usually located in /var/www/html/.well-known/acme-challenge.

Is Certbot an acme client?

Certbot is the granddaddy of all ACME clients.

What is letsencrypt challenge?

This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. It is harder to configure than HTTP-01, but can work in scenarios that HTTP-01 can't. It also allows you to issue wildcard certificates.


2 Answers

The ACME challenge link is only needed for verifying the domain to this IP address.

Renjith Thankachan answered Oct 30 '22 04:10

You do not need to keep the token available once your certificate has been signed. However, there is not much harm in leaving it available either, as explained by a Certbot engineer:

The token is part of a particular challenge which is no longer active, from the ACME server's point of view, after the server has tried to validate it. It would reveal a little bit of information about how you get certificates, but should not allow someone else to issue certificates for your site or impersonate you.

natevw answered Oct 30 '22 04:10
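As an added example (not the asker's config nor anything from Certbot), here is a port-80 server block that keeps only the ACME challenge path reachable over plain HTTP, as the question does, but serves nothing but existing files from that directory and drops the redundant scheme test. It assumes the question's webroot /var/www/demo and the placeholder hostname example.com; the comment on stale tokens reflects the point made in the second answer.

```nginx
# Added example: HTTP-01 challenge path left permanently reachable on port 80,
# everything else redirected to HTTPS. Assumes webroot /var/www/demo (from the
# question) and the placeholder hostname example.com.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # ^~ makes this a prefix match that wins over any later regex location
    # (for example one for static assets), so the challenge path cannot be
    # captured by another rule by accident.
    location ^~ /.well-known/acme-challenge/ {
        # Certbot writes tokens to /var/www/demo/.well-known/acme-challenge/
        root /var/www/demo;
        # Tokens have no extension; serve them as plain text
        default_type "text/plain";
        # Serve only files that actually exist: no index, no fallback,
        # no directory listing. Anything else under this prefix is a 404.
        try_files $uri =404;
        # Tokens from earlier renewals stay readable here. They belong to
        # challenges the ACME server already closed, so they only reveal
        # that the site uses ACME; delete them after each renewal if you
        # prefer not to leave that trace.
    }

    # This block only listens on port 80, so $scheme is always "http" here;
    # no "if ($scheme = http)" test is needed. $host keeps the name the
    # client asked for, which matters if several names share the block.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Check the syntax with `nginx -t` before reloading, then confirm the path still works without issuing a real certificate using `certbot certonly --webroot -w /var/www/demo -d example.com --dry-run`.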