Letsencrypt/Certbot configuration secuity

I've posted a related, but broader question in the Docker forum here, but I'll try to pare it down.

I'm following this guide for setting up Let's Encrypt with a Docker Nginx container.

I have the process working, but I had to deviate from the guide a bit. I want to make sure my final configurations are secure. I have two questions below these configuration files

Here is the final Nginx config from the guide:

server {
    listen 80;
    listen [::]:80;

    server_name [domain-name] www.[domain-name];
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;

    location / {
        return 301 https://[domain-name]$request_uri;

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name [domain-name];

    ssl_certificate /etc/nginx/ssl/live/[domain-name]/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/[domain-name]/privkey.pem;
    location / {
    	proxy_pass http://[domain-name];

Here is the Docker Compose file from the guide:

version: '3'

    image: nginx:latest
      - 80:80
      - 443:443
    restart: always
      - ./nginx/conf/:/etc/nginx/conf.d/:ro
      - ./certbot/www/:/var/www/certbot/:ro
    image: certbot/certbot:latest
      - ./certbot/www/:/var/www/certbot/:rw
      - ./certbot/conf/:/etc/letsencrypt/:rw

Q1.) Is it safe to leave the location /.well-known/acme-challenge/ block in the Nginx config as it is in a production environment?

Q2.) Is it safe to leave the volume blocks in the Docker Compose config as they are in a production environment? Specifically, the ./certbot/www/:/var/www/certbot/:ro configuration in the Nginx block being able to be read by Nginx (and presumably anyone with the knowledge of how to browse there).


1 Like

Unless you're planning on putting security sensitive stuff in /var/www/certbot (which you obviously don't want to do): sure.

This is basically the same as my answer above: you're not supposed to put stuff in ./certbot/www/, only Certbot should do that. It should be empty most of the time, except for when it's time to renew or issue a new cert. So even if anyone would go to the /.well-known/acme-challenge/ location, they either should get a 404 file not found for any random request or a 403 forbidden error for the directory itself.


This excerpt is from the Let's Encrypt HTTP-01 challenge documentation:

Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. That file contains the token, plus a thumbprint of your account key.

This may be far fetched, but imagine that a bad actor knew the moment your cert was being renewed and accessed the .well-known/acme-challenge directory at that moment and obtained its contents. Does the file that is being used for the challenge which contains "the token, plus a thumbprint of your account key" expose anything that a bad actor could use to compromise your system?

It is.

It does not.


All of what is being sent back and forth is generally considered as public information.
[or can be considered unclassified/insecure]

They can have the contents of that whole conversation and gain nothing.
The request [csr] doesn't contain the private key.
The response [cert and chain] are literally published [in public logs] immediately upon issuance.

I don't see what possible harm anyone/anything could do with any of that information/conversation.

The request is in HTTP [clear text]:

Anyone in that path will be able to see it.
You could use a public proxy and still be safe from any exploit.
Because the contents of that conversation is useless information [to everyone else].


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.