HTTP requests used by certbot

Hello all,

If I understand it correctly to verify the domain the SSL certificates are requested for by using an HTTP PUT request to place verification files under


Can this be localized? If there a way to limit locations/sizes for files like this to avoid flood attacks, etc?

Thanks in advance.



Hello @borepstein, welcome to the Let's Encrypt community. :slightly_smiling_face:

Let's Encrypt is ACME v2(presently) based; see RFC 8555 - Automatic Certificate Management Environment (ACME)
And here are the ACME Challenge Types - Let's Encrypt

Further information is also available at

1 Like

No, that's not how it works. One option for verifying your control of a domain is to use an HTTP Challenge. That has the ACME Client placing a value on your local server. It then requests the Let's Encrypt ACME Server to look for them with an http:// GET request.

There are various ways the client does this. Sometimes with a file in a location, sometimes by modifying the web server config, or even manual methods (not the preferred way).

There is no HTTP PUT involved. The Client usually runs on your web server


The ACME client may PUT a file in the web server config [or document root path].
But the validation only GETs that file.

I haven't heard of any such attacks on /.well-known/ paths.
I do see plenty of "information gathering" therein, but never to any point of close to a DoS.


Nope, this is definitely not how it works, is there a document somewhere that gave you this impression? ACME relies on you either controlling your own server (for a domain) or controlling your DNS.