Certbot /.well-known/acme-challenge

Ilya · Jan 23, 2017 · Viewed 23k times

Should I leave the /.well-known/acme-challenge always exposed on the server? Here is my config for the HTTP:

server {
    listen 80;

    # ACME HTTP-01 validation. With "root", nginx appends the full URI,
    # so token files must live in /var/www/demo/.well-known/acme-challenge/
    location /.well-known/acme-challenge/ {
        root /var/www/demo;
    }

    # Everything else is sent to HTTPS. The original "if ($scheme = http)"
    # guard is always true in a server block that only listens on port 80,
    # so the bare return is equivalent.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

Which basically redirects all requests to https, except for the acme-challenge (for auto renewal). My question: Is it alright to keep location '/.well-known/acme-challenge' always exposed on port 80? Or is it better to comment/uncomment it manually when I need to reissue the certificate? Are there any security issues with that?

Any advice or links to read about this location are appreciated. Thanks!

Answer

Renjith Thankachan · Jan 23, 2017

The ACME challenge location is only needed for verifying the domain to this IP address.
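The practical check for a config like the one in the question is to probe the port-80 vhost the way the CA does: a token file dropped into the webroot must come back with status 200 over plain HTTP, an unknown token must get a plain 404 (no redirect, no directory listing), and every other path must be bounced to https on the same host. The script below is an added example, not code from the question or from certbot. It does not talk to nginx; it embeds a small stand-in server (constructed for this example) that reproduces the posted server block's behaviour, and the probe function `check_acme_exposure` can be pointed at a real host and port instead. The token name and file content are constructed sample data.

```python
"""Probe an HTTP vhost to confirm that /.well-known/acme-challenge/ is
reachable for ACME HTTP-01 renewal while everything else redirects to HTTPS."""
import http.client
import os
import secrets
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def _get(host, port, path):
    """One plain-HTTP GET that does not follow redirects: (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read()
    finally:
        conn.close()


def check_acme_exposure(host, port, token, expected_body):
    """Probe host:port from the outside, as a CA's validator would.

    The caller has already placed <webroot>/.well-known/acme-challenge/<token>
    with content expected_body (certbot does this during renewal).
    Returns a dict of boolean findings.
    """
    status, _, body = _get(host, port, CHALLENGE_PREFIX + token)
    unknown_status, _, _ = _get(host, port, CHALLENGE_PREFIX + secrets.token_urlsafe(16))
    root_status, root_headers, _ = _get(host, port, "/")
    location = urlsplit(root_headers.get("location", ""))
    return {
        # the CA must fetch the token over plain HTTP and get the exact content back
        "challenge_served": status == 200 and body == expected_body,
        # an unknown token is a plain 404: no redirect, no listing, no fallback page
        "unknown_token_404": unknown_status == 404,
        # every other path is redirected to https on the same host
        "other_paths_redirected": root_status in (301, 302, 308)
        and location.scheme == "https"
        and location.hostname == host,
    }


class _NginxLikeHandler(BaseHTTPRequestHandler):
    """Stand-in for the posted server block (constructed for this example, not
    nginx): serve bare token files under the challenge prefix from `webroot`,
    301 everything else to https://<host><uri>."""
    webroot = None

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            name = self.path[len(CHALLENGE_PREFIX):]
            # only a bare token name is valid: no subpaths, no traversal, no dotfiles
            if not name or "/" in name or name.startswith("."):
                self.send_error(404)
                return
            full = os.path.join(self.webroot, ".well-known", "acme-challenge", name)
            if not os.path.isfile(full):
                self.send_error(404)
                return
            with open(full, "rb") as f:
                data = f.read()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        else:
            host = self.headers.get("Host", "localhost").split(":")[0]
            self.send_response(301)
            self.send_header("Location", f"https://{host}{self.path}")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def run_self_test():
    """Start the stand-in on a loopback port, drop a token file, run the checks."""
    webroot = tempfile.mkdtemp()
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir)
    token = secrets.token_urlsafe(32)                       # constructed token name
    body = (token + ".constructed-key-authorization").encode()  # constructed content
    with open(os.path.join(chal_dir, token), "wb") as f:
        f.write(body)
    handler = type("Handler", (_NginxLikeHandler,), {"webroot": webroot})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_acme_exposure("127.0.0.1", server.server_address[1], token, body)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, ok in run_self_test().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Against a real server, run `check_acme_exposure("example.com", 80, token, body)` right after writing the token file into the webroot; a failing `other_paths_redirected` means more than the challenge path is exposed over plain HTTP, and a failing `unknown_token_404` usually means a catch-all or autoindex is answering under the challenge prefix.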