HTTP requests used by certbot

Hello all,

If I understand it correctly to verify the domain the SSL certificates are requested for by using an HTTP PUT request to place verification files under

http:///.well-known/.../

Can this be localized? If there a way to limit locations/sizes for files like this to avoid flood attacks, etc?

Thanks in advance.

Regards,

Boris.

Hello @borepstein, welcome to the Let's Encrypt community. :slightly_smiling_face:

Let's Encrypt is ACME v2(presently) based; see RFC 8555 - Automatic Certificate Management Environment (ACME)
And here are the ACME Challenge Types - Let's Encrypt

Further information is also available at https://certbot.eff.org/

1 Like

No, that's not how it works. One option for verifying your control of a domain is to use an HTTP Challenge. That has the ACME Client placing a value on your local server. It then requests the Let's Encrypt ACME Server to look for them with an http:// GET request.

There are various ways the client does this. Sometimes with a file in a location, sometimes by modifying the web server config, or even manual methods (not the preferred way).

There is no HTTP PUT involved. The Client usually runs on your web server

3 Likes

The ACME client may PUT a file in the web server config [or document root path].
But the validation only GETs that file.

I haven't heard of any such attacks on /.well-known/ paths.
I do see plenty of "information gathering" therein, but never to any point of close to a DoS.

2 Likes

Nope, this is definitely not how it works, is there a document somewhere that gave you this impression? ACME relies on you either controlling your own server (for a domain) or controlling your DNS.

3 Likes