[IIS-ers!] Thoughts on the danger of writable, known acme-challenge folder?


I am an IIS-er looking to port all to GNU/Linux, sooner rather than later.
But while I’m in Windows…

Have there been any thoughts from IIS folks on possible dangers of having a known, writable, acme-challenge folder?

Like, as in hacking?

Or other types of issues.

Thank you!

I understand that one could choose the DNS verification route as well…

#IIS #Windows #IIS-er


Hi @LEForTheWin,

Writable to whom or by whom? Like by the general public, or by other software on your server?


I am only [really] concerned about the outside world knowing that there is a set, known, writable folder on many Let’s Encrypt-certed sites.

And looking for any thoughts on controlling that short of scripts to make folders writable/unwritable, wrapped around recert times, etc.


Again, writable by whom? Every folder is writable by someone, but there’s no reason that the challenge directory needs to be writable by anyone other than root. And if an attacker has root privileges, you’ve got bigger problems than certificate mis-issuance.
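
The "writable by whom?" question from the reply above can be answered on an IIS host by reading the folder's NTFS ACL; this is an added example, not part of the original thread. The folder path and the list of expected writers (Administrators and SYSTEM standing in for "root" on Windows) are assumptions to adjust for your site and ACME client account.

```powershell
# Added example: list principals, other than the expected ones, that hold
# write-type rights on the ACME HTTP-01 challenge folder.
param(
    # Assumed default IIS site root; change to your site's physical path.
    [string]$ChallengePath = 'C:\inetpub\wwwroot\.well-known\acme-challenge',
    # Assumed set of accounts that are allowed to write (the Windows analogue of "root").
    [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Specific rights that allow creating, changing or deleting files, or changing the ACL.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights sometimes stored in inherited ACEs: GENERIC_WRITE and GENERIC_ALL.
$genericBits = 0x40000000 -bor 0x10000000
$mask = $writeBits -bor $genericBits

$acl = Get-Acl -LiteralPath $ChallengePath

$findings = foreach ($ace in $acl.Access) {
    # Deny entries only reduce access, so only Allow entries matter here.
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $rights = [int]$ace.FileSystemRights
    if (($rights -band $mask) -eq 0) { continue }   # read/execute only

    $who = $ace.IdentityReference.Value
    if ($AllowedWriters -contains $who) { continue }

    [pscustomobject]@{
        Identity  = $who
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Unexpected principals can write to $ChallengePath"
    $findings | Format-Table -AutoSize
    exit 1
}

"No unexpected writers on $ChallengePath"
```

The web server's own identity only needs read access to serve the challenge files, so an application pool or IUSR entry in the output is worth reviewing.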

