Certbot /.well-known/acme-challenge

nginx lets-encrypt certbot
Ilya picture Ilya · Jan 23, 2017 · Viewed 23k times · Source

Should I leave the /.well-known/acme-challenge always exposed on the server? Here is my config for the HTTP: 

server {
 listen 80;

 location '/.well-known/acme-challenge' {
    root        /var/www/demo;
  }

 location / {
          if ($scheme = http) {
            return 301 https://$server_name$request_uri;
          }
 }

Which basically redirects all the requests to https, except for the acme-challenge (for auto renewal). My question: Is it alright to keep location '/.well-known/acme-challenge' always exposed on port 80? Or better to comment/uncomment it manually, when need to reissue the certificate? Are there any security issues with that?

Any advise or links to read for about the this location appreciated. Thanks!

Answer

Renjith Thankachan picture Renjith Thankachan · Jan 23, 2017

Acme challenge link only needed for verifying domain to this ip address

Related questions

Issue using certbot with nginx

I'm actually working on a webapp, I use Reactjs for the frontend and Golang for the backend. Those 2 programs are hosted separately on 2 VMs on Google-Compute-Engine. I want to serve my app through https so I choose to use Nginx …

Read More
Configure Nginx to reply to http://my-domain.com/.well-known/acme-challenge/XXXX

I'm not able to get nginx to return the files I've put in /var/www/letsencrypt. nginx/sites-available/mydomain.conf server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name my-real-domain.com; include /etc/nginx/snippets/letsencrypt.conf; …

Read More
Certbot not creating acme-challenge folder

I had working Let's encrypt certificates some months ago (with the old letsencrypt client). The server I am using is nginx. Certbot is creating the .well-known folder, but not the acme-challenge folder Now I tried to create new certificates via ~/…

Read More