HTTP Strict Transport Security with http-01 challenge


#1

It is my understanding that the http-01 challenge can only be done over http (not https).

Does the Let’s Encrypt challenge verifier for http-01 ignore the Strict-Transport-Security header and use http anyway?


#2

Yes. HSTS headers are not stored persistently, and the CA server will follow redirects to https:// (it’s only important that the initial request is via http://, redirects may lead to an https:// URL).


#3

Awesome! Thanks for the quick response! :slight_smile:


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.