Is it OK to expose ACME challenge/response?


#1

To get LE working on Elastic Beanstalk, I ended up using manual domain authentication by adding the ACME challenge/response into my website assets. These are loaded into EB via git.

So, quick question, is there any security risk in putting the challenge/response into my (public) version control system (on GitHub)? After they’ve been used for authorization, of course. I’m assuming that the challenge/response is never reused.


#2

Why do you want to put the challenge into VCS? Clients should delete it when the challenge has been answered. But I think it should be safe, since it’s a one-time token and a SHA-256 hash of your public key.


#3

Because EB builds the servers out of VCS, it’s really hard to get the challenge onto EB without putting it into VCS. Of course, we can look forward to LE being built into the standard EB images, but until then we’re stuck doing it this way.


#4

Yep, that should be fine.
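
How the http-01 challenge file discussed in this thread is derived under RFC 8555 (key authorization) and RFC 7638 (JWK thumbprint), as an added example that is not part of the thread. The token and JWK below are constructed sample values and the function names are illustrative; the point is that the file body is built only from the server-issued token and the public members of the account key.

```python
import base64
import hashlib
import json

# Members RFC 7638 feeds into the thumbprint, per key type (public parts only).
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint: hash of the canonical public-member JSON."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_file(token: str, account_jwk: dict) -> tuple:
    """Relative path and body of the file served for an http-01 challenge."""
    return (f".well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


# Constructed sample values (not a real curve point, not a real CA token).
SAMPLE_TOKEN = "constructed-token-AAAA1111bbbb2222CCCC3333"
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "d": b64url(b"\x01" * 32),  # private member: never enters the thumbprint
}

if __name__ == "__main__":
    path, body = http01_file(SAMPLE_TOKEN, SAMPLE_JWK)
    print(path)
    print(body)
```
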