Technically it is possible to get unsolicited requests from Let's Encrypt servers if the attacker configures their own web server to redirect http-01 validation requests to some arbitrary URL on the victim server, and then initiates the http-01 validation for their own domain. So it could be possible to make actual Let's Encrypt validation servers send GET requests that look like exploit attempts (e.g., to trick the victim's WAF into blocking IPs of validation servers, disrupting subsequent legitimate renewals). And the ACME server will even send the GET response for such requests back to the attacker.
Yes, that is true. JamesLE mentioned this in post #3. I lost some precision while trying to simplify.
I could correct my statement by saying "You will only receive legitimate HTTP challenge ..."
This thread started with talk of POST and HEAD which would never be sent by an LE validation server.
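The practical consequence of the two posts above is that an IP denylist fed by a WAF should never be able to starve http-01 renewals. One way to arrange that, as an added example that is not code from the thread or from Let's Encrypt: answer the challenge path before the denylist is consulted, accept only GET there (POST/HEAD are never validation traffic), and let every other request, including a redirect-induced GET from a validation server, take the normal WAF path. The `challenges` mapping, `denylist` set and `app` callback are assumptions standing in for the ACME client's challenge directory and the real server.

```python
import re

# http-01 tokens are base64url with at least 128 bits of entropy (RFC 8555 section 8.3);
# 22+ base64url characters covers that, so anything else on this path is not a challenge.
CHALLENGE_RE = re.compile(r'^/\.well-known/acme-challenge/([A-Za-z0-9_-]{22,})$')


def handle(method, path, client_ip, denylist, challenges, app):
    """Dispatch one request and return (status, body).

    challenges: {token: key_authorization} written by the ACME client (assumed).
    denylist:   set of client IPs the WAF has banned (assumed).
    app:        callable(method, path) -> (status, body) for ordinary traffic (assumed).
    """
    m = CHALLENGE_RE.match(path)
    if m:
        # Validation servers only ever GET the challenge URL; refuse other methods outright.
        if method != "GET":
            return 405, ""
        key_auth = challenges.get(m.group(1))
        # Unknown token: plain 404, never a reason to ban the requester.
        return (200, key_auth) if key_auth is not None else (404, "")

    # Everything outside the challenge path is subject to the denylist. Even if an attacker's
    # redirect trick got validation-server IPs banned here, renewals still succeed above.
    if client_ip in denylist:
        return 403, ""
    return app(method, path)


if __name__ == "__main__":
    # Constructed sample state: one outstanding challenge, one banned validator IP.
    token = "A" * 43
    chal = {token: token + ".constructed-thumbprint"}
    banned = {"203.0.113.10"}
    app = lambda method, path: (200, "site")
    print(handle("GET", "/.well-known/acme-challenge/" + token, "203.0.113.10", banned, chal, app))
    print(handle("GET", "/cgi-bin/../etc/passwd", "203.0.113.10", banned, chal, app))
```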