Letsencrypt/Certbot configuration security

I've posted a related, but broader question in the Docker forum here, but I'll try to pare it down.

I'm following this guide for setting up Let's Encrypt with a Docker Nginx container.

I have the process working, but I had to deviate from the guide a bit. I want to make sure my final configurations are secure. I have two questions below these configuration files.

Here is the final Nginx config from the guide:

server {
    listen 80;
    listen [::]:80;

    server_name [domain-name] www.[domain-name];
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://[domain-name]$request_uri;
    }
}

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name [domain-name];

    ssl_certificate /etc/nginx/ssl/live/[domain-name]/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/[domain-name]/privkey.pem;

    location / {
        proxy_pass http://[domain-name];
    }
}

Here is the Docker Compose file from the guide:

version: '3'

services:
  webserver:
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    restart: always
    volumes:
      - ./nginx/conf/:/etc/nginx/conf.d/:ro
      - ./certbot/www/:/var/www/certbot/:ro
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./certbot/www/:/var/www/certbot/:rw
      - ./certbot/conf/:/etc/letsencrypt/:rw

Q1.) Is it safe to leave the location /.well-known/acme-challenge/ block in the Nginx config as it is in a production environment?

Q2.) Is it safe to leave the volume blocks in the Docker Compose config as they are in a production environment? Specifically, the ./certbot/www/:/var/www/certbot/:ro configuration in the Nginx block being able to be read by Nginx (and presumably anyone with the knowledge of how to browse there).

Thanks!


Unless you're planning on putting security sensitive stuff in /var/www/certbot (which you obviously don't want to do): sure.

This is basically the same as my answer above: you're not supposed to put stuff in ./certbot/www/, only Certbot should do that. It should be empty most of the time, except for when it's time to renew or issue a new cert. So even if anyone were to go to the /.well-known/acme-challenge/ location, they should either get a 404 file not found for any random request or a 403 forbidden error for the directory itself.


This excerpt is from the Let's Encrypt HTTP-01 challenge documentation:

Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. That file contains the token, plus a thumbprint of your account key.

This may be far-fetched, but imagine that a bad actor knew the moment your cert was being renewed, accessed the .well-known/acme-challenge directory at that moment, and obtained its contents. Does the file that is being used for the challenge, which contains "the token, plus a thumbprint of your account key", expose anything that a bad actor could use to compromise your system?

It is.

It does not.


All of what is being sent back and forth is generally considered as public information.
[or can be considered unclassified/insecure]

They can have the contents of that whole conversation and gain nothing.
The request [csr] doesn't contain the private key.
The response [cert and chain] are literally published [in public logs] immediately upon issuance.

I don't see what possible harm anyone/anything could do with any of that information/conversation.

The request is in HTTP [clear text]:

Anyone in that path will be able to see it.
You could use a public proxy and still be safe from any exploit.
Because the contents of that conversation are useless information [to everyone else].

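To make the "it does not" answer and the "public information" reply above concrete, here is an added example (not from this thread, Certbot or Let's Encrypt) that builds the exact contents of the /.well-known/acme-challenge/<TOKEN> file using only the Python standard library, following the RFC 8555 key authorization and RFC 7638 JWK thumbprint rules; the modulus and the token are constructed placeholders, not real values.

```python
import base64
import hashlib
import json

# Constructed RSA public JWK for illustration only; "n" is NOT a real modulus.
# An ACME account's public key has exactly these public members: kty, e, n.
EXAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-modulus-placeholder-not-a-real-key",
}

# RFC 7638: the members that participate in the thumbprint, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required public members only, sorted, no whitespace.
    Private members such as "d" are never part of the input, so they cannot leak."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def thumbprint(jwk: dict) -> str:
    """JWK thumbprint: SHA-256 over the canonical public JWK, base64url encoded."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The bytes the ACME client serves at /.well-known/acme-challenge/<TOKEN>:
    the CA-issued token, a dot, and the account key thumbprint."""
    return f"{token}.{thumbprint(jwk)}"


def check_challenge_file(content: str, token: str, jwk: dict) -> bool:
    """What the CA checks on validation: served content equals the expected value
    for the token it issued and the account key it already has on file."""
    return content.strip() == key_authorization(token, jwk)
```

Someone who copies the served file learns the token and a hash of a public key; the thumbprint is derived from public members only, and the CA ties the token to the account that requested it, so nothing in the file helps anyone else.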
