Acme.sh has a noop authentication mode, which is called the “stateless mode” (https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode). It requires the user to provide a means for the web server to answer the HTTP challenge. But as the protocol is very simple (answer the request sent to the .well-known/acme-challenge/$url path with the $url.$thumbprint string), it is quite easy to implement.
I think certbot should also support this mode - it is really a noop on its part.
In certbot it’s called webroot.
That’s a different method. The webroot authenticator puts a file in the specified directory during the authentication - it requires write permissions to the document root of the server. The stateless challenge does nothing at all; of course the web server has to be configured before starting the authentication. The file is not required to exist (!).
Ah, I see. Curious it’s even possible
Eventually, it’s just an http-01 challenge being used. Although I can appreciate the charm of this “mode”, I’m not fully sure of its usefulness.
It might even pose a security risk: if an attacker knows the webserver is configured like this, it can remotely trigger a validation, which automatically will pass, without any requirement on the attacker's part. It can remotely fetch certificates for the server without any trouble.
I’m sure that’s not very good.
Edit:
Neil replied on GitHub that possession of the private key is necessary to use this method, and as such, it’s actually safe.
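To make the point of the thread concrete (the canned answer `$token.$thumbprint` is derived from the ACME account's public key, so only the holder of the matching private key can use the server's stateless rule), here is an added example that is not part of the thread or of acme.sh: it computes the RFC 7638 JWK thumbprint, the key authorization a stateless server returns for any token, and the check a CA performs on the fetched body. The JWK values are constructed for illustration, not a real key.

```python
import base64
import hashlib
import json
import re

# Constructed example account key (public part only, EC P-256 shape); not a real key.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
# A second constructed key, standing in for a different ACME account.
OTHER_JWK = dict(ACCOUNT_JWK, x="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

CHALLENGE_PATH = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The http-01 response body: token, a dot, and the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def stateless_response(path: str, thumbprint: str):
    """What a stateless web server rule returns: no file lookup, just token.thumbprint."""
    m = CHALLENGE_PATH.match(path)
    return f"{m.group(1)}.{thumbprint}" if m else None


def ca_check(body: str, token: str, account_jwk: dict) -> bool:
    """CA side: the body must equal the key authorization for the account that signed the order."""
    return body.strip() == key_authorization(token, account_jwk)
```

A request signed by any other account has a different thumbprint, so the CA's comparison fails even though the server answers every token request.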