HTTP Strict Transport Security with http-01 challenge

It is my understanding that the http-01 challenge can only be done over http (not https).

Does the Let’s Encrypt challenge verifier for http-01 ignore the Strict-Transport-Security header and use http anyway?

Yes. HSTS headers are not stored persistently, and the CA server will follow redirects to https:// (it’s only important that the initial request is via http://, redirects may lead to an https:// URL).

Awesome! Thanks for the quick response! :)
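The behaviour described in the answer, modelled as an added example (not part of the original posts and not Let's Encrypt's code): the first request is always plain HTTP, redirects to https:// are followed, and the HSTS header is never consulted. The redirect policy (10 hops, http/https only, ports 80/443, no IP-address targets), the function names and all sample data are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10                      # assumed validator limit
DEFAULT_PORT = {"http": 80, "https": 443}

def redirect_allowed(url):
    """Assumed policy: http/https only, ports 80/443 only, no IP-literal hosts."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        return False
    if (parts.port or DEFAULT_PORT[parts.scheme]) not in (80, 443):
        return False
    try:
        ipaddress.ip_address(parts.hostname or "")
        return False                    # redirect target is an IP address
    except ValueError:
        return True

def validate_http01(domain, token, key_auth, responses):
    """responses maps URL -> (status, headers, body); returns (ok, detail)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"  # always plain HTTP first
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = responses.get(url, (404, {}, ""))
        # Strict-Transport-Security is never read or remembered here, so it
        # cannot upgrade the first request or any later validation.
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])
            if not redirect_allowed(url):
                return False, f"redirect target rejected: {url}"
            continue
        if status == 200 and body.strip() == key_auth:
            return True, url
        return False, f"HTTP {status} at {url}"
    return False, "too many redirects"

# Constructed sample data: token, key authorization and responses are made up.
TOKEN, KEY_AUTH = "sample-token", "sample-token.sample-thumbprint"
PATH = f"/.well-known/acme-challenge/{TOKEN}"
HSTS = {"Strict-Transport-Security": "max-age=31536000"}
HSTS_SITE = {
    f"http://example.com{PATH}": (301, {"Location": f"https://example.com{PATH}", **HSTS}, ""),
    f"https://example.com{PATH}": (200, HSTS, KEY_AUTH + "\n"),
}
ODD_PORT_SITE = {
    f"http://example.com{PATH}": (301, {"Location": f"https://example.com:8443{PATH}"}, ""),
}

if __name__ == "__main__":
    print(validate_http01("example.com", TOKEN, KEY_AUTH, HSTS_SITE))
    print(validate_http01("example.com", TOKEN, KEY_AUTH, ODD_PORT_SITE))
```

The practical consequence for a site that sends HSTS: port 80 must stay reachable and either serve the challenge path directly or redirect it to the same path on port 443.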