Reputation: 1150
Should I leave the /.well-known/acme-challenge always exposed on the server? Here is my config for the HTTP:
server {
    listen 80;

    # Serve ACME HTTP-01 challenge files over plain HTTP from the webroot.
    location '/.well-known/acme-challenge' {
        root /var/www/demo;
    }

    # Everything else goes to HTTPS. (The $scheme test is redundant here,
    # since this server block only listens on port 80, but it is harmless.)
    location / {
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
    }
}
This basically redirects all requests to https, except for the acme-challenge (for auto-renewal). My question: is it alright to keep location '/.well-known/acme-challenge' always exposed on port 80? Or is it better to comment/uncomment it manually when I need to reissue the certificate? Are there any security issues with that?
Any advice or links to read about this location are appreciated. Thanks!
Upvotes: 31
Views: 39719
Reputation: 3181
In case someone finds this helpful, I just asked my hosting customer support and they explained it as follows...
Yes, the “well-known” folder is automatically created by cPanel in order to validate your domain for AutoSSL purposes. AutoSSL is an added feature of cPanel/WHM which offers you a free SSL certificate for your domains; it's also known as a self-signed SSL certificate. The .well-known folder is created at the time of the domain validation process as part of the AutoSSL installation.
And it is not a file that needs to be removed; it does not cause any issue.
Upvotes: 0
Reputation: 17932
You do not need to keep the token available once your certificate has been signed. However, there is not much harm in leaving it available either, as explained by a Certbot engineer:
The token is part of a particular challenge which is no longer active, from the ACME server's point of view, after the server has tried to validate it. It would reveal a little bit of information about how you get certificates, but should not allow someone else to issue certificates for your site or impersonate you.
Upvotes: 11
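To make the Certbot engineer's point concrete, here is an added example (not code from the question or from Certbot) that builds the ACME HTTP-01 key authorization a server publishes under /.well-known/acme-challenge/<token>, following RFC 8555 §8.1 and the RFC 7638 JWK thumbprint, and shows what the CA actually compares it against. The account keys are constructed placeholders, not real key pairs.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# RFC 7638: only the required *public* members of each key type are hashed,
# in lexicographic order, with no whitespace.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_canonical(jwk: dict) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(jwk_canonical(jwk).encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the web server must serve for /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_valid(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks: the body must be the key authorization for *this*
    token and *this* account key (trailing whitespace is tolerated)."""
    return served_body.rstrip() == key_authorization(token, account_jwk)

# Constructed EC P-256 account key (placeholder values, not a real key pair).
# 'd' is the private scalar: it never enters the thumbprint or the file.
ACCOUNT_KEY = {"kty": "EC", "crv": "P-256", "kid": "acct-1",
               "x": "constructed-x-coordinate-not-a-real-point",
               "y": "constructed-y-coordinate-not-a-real-point",
               "d": "constructed-private-scalar-stays-secret"}

# A different ACME account (e.g. someone else's) has a different thumbprint.
OTHER_ACCOUNT_KEY = dict(ACCOUNT_KEY, x="constructed-other-x", kid="acct-2")

if __name__ == "__main__":
    ka = key_authorization("tok123", ACCOUNT_KEY)
    print("file content:", ka)
    print("leftover file, old token:", http01_valid(ka, "tok456", ACCOUNT_KEY))
    print("leftover file, other account:", http01_valid(ka, "tok123", OTHER_ACCOUNT_KEY))
```

A leftover challenge file therefore discloses the token and a hash of the account's public key, and nothing else; it only satisfies the one challenge it was minted for, under the account key that was used to create it.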
Reputation: 1
The period before the file name (.well-known) means it is a hidden directory. If your server gets hacked, the information is available to the hacker.
Upvotes: -10
Reputation: 4346
The ACME challenge link is only needed for verifying the domain to this IP address.
Upvotes: 14