Certbot Certonly Manual - Not removing acme-challenge token after successful Certificate Issuance

I often renew my certificates by issuing the following command on server A:

  certbot certonly --manual -d my.example.com

Then on server B I modify my Nginx config like so:

  location /.well-known/acme-challenge/ {
    add_header Content-Type text/plain;
    echo "acme-challenge-token";
  }

Is there any danger of leaving this token publicly available after verification succeeded? Can someone do any harm just by knowing my token?

Thanks

Probably not. The token is part of a particular challenge which is no longer active, from the ACME server's point of view, after the server has tried to validate it. It would reveal a little bit of information about how you get certificates, but should not allow someone else to issue certificates for your site or impersonate you.

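Added example, not part of the original thread: a sketch of why a leftover HTTP-01 response is useless for any later challenge, using the key authorization format from RFC 8555 (token, a dot, then the RFC 7638 thumbprint of the account key). Assumptions: the body served on server B is the key authorization certbot asks for in manual mode, the keys and tokens are constructed sample values, and `ca_would_accept` is a simplified model of the CA's check, not any CA's real code.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint: hash only the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def ca_would_accept(served_body: str, challenge: dict, account_jwk: dict) -> bool:
    """Simplified model of the HTTP-01 check (an assumption, not any CA's real code)."""
    if challenge["status"] not in ("pending", "processing"):
        return False  # a challenge that already finished is not validated again
    expected = key_authorization(challenge["token"], account_jwk)
    return hmac.compare_digest(served_body.strip().encode(), expected.encode())


# Constructed sample data: not real keys or tokens. The thumbprint only hashes the strings.
OWNER_JWK = {"kty": "EC", "crv": "P-256", "x": "owner-x-constructed", "y": "owner-y-constructed"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x-constructed", "y": "other-y-constructed"}
OLD_TOKEN = "constructed-old-token-0001"
NEW_TOKEN = "constructed-new-token-0002"
STALE_BODY = key_authorization(OLD_TOKEN, OWNER_JWK)  # what server B keeps serving


def demo() -> dict:
    """Check the stale response against the original challenge and against later ones."""
    return {
        "original, still pending": ca_would_accept(STALE_BODY, {"token": OLD_TOKEN, "status": "pending"}, OWNER_JWK),
        "original, already valid": ca_would_accept(STALE_BODY, {"token": OLD_TOKEN, "status": "valid"}, OWNER_JWK),
        "new order, same account": ca_would_accept(STALE_BODY, {"token": NEW_TOKEN, "status": "pending"}, OWNER_JWK),
        "new order, other account": ca_would_accept(STALE_BODY, {"token": NEW_TOKEN, "status": "pending"}, OTHER_JWK),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28} accepted={accepted}")
```

Only the first case is accepted: the stale body matches nothing once the challenge has finished, a fresh token has been issued, or a different account key is in play.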

That’s what I thought, thank you.
