HTTP Strict Transport Security with http-01 challenge

voutasaurus · July 28, 2016, 1:23am

It is my understanding that the http-01 challenge can only be done over http (not https).

Does the Let’s Encrypt challenge verifier for http-01 ignore the Strict-Transport-Security header and use http anyway?

pfg · July 28, 2016, 1:42am

Yes. HSTS headers are not stored persistently, and the CA server will follow redirects to https:// (it’s only important that the initial request is via http://, redirects may lead to an https:// URL).

voutasaurus · July 28, 2016, 2:00am

Awesome! Thanks for the quick response!

system · August 27, 2016, 2:00am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Letsencrypt http challenge uses HSTS - and it shouldn't Help	8	336	March 29, 2025
What happens with a challenge if HSTS is enabled, but wrong/no certificate provided? Issuance Tech	2	1851	May 26, 2016
Acme challenges over HTTPS Feature Requests	38	13264	April 10, 2022
Certbot command initiate certificate verification over ssl Server	3	1481	July 15, 2017
Support for HTTPS only with http-01 challenge? Issuance Tech	50	23936	June 18, 2016

HTTP Strict Transport Security with http-01 challenge

Related topics