It is my understanding that the http-01 challenge can only be done over http (not https).
Does the Let’s Encrypt challenge verifier for http-01 ignore the Strict-Transport-Security header and use http anyway?
It is my understanding that the http-01 challenge can only be done over http (not https).
Does the Let’s Encrypt challenge verifier for http-01 ignore the Strict-Transport-Security header and use http anyway?
Yes. HSTS headers are not stored persistently, and the CA server will follow redirects to https://
(it’s only important that the initial request is via http://
, redirects may lead to an https://
URL).
Awesome! Thanks for the quick response!
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.