Certbot Certonly Manual - Not removing acme-challenge token after successful Certificate Issuance

I often renew my certificates by issuing the following command on the server A:

certbot certonly --manual -d my.example.com

Then on the server B I modify my Nginx config like so:

  location /.well-known/acme-challenge/ {
    add_header Content-Type text/plain;
    echo "acme-challenge-token";

Is there any danger of leaving this token publicly available after verification succeeded? Can someone do any harm just by knowing my token?


Probably not. The token is part of a particular challenge which is no longer active, from the ACME server's point of view, after the server has tried to validate it. It would reveal a little bit of information about how you get certificates, but should not allow someone else to issue certificates for your site or impersonate you.

1 Like

That’s what I thought, thank you.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.