Renewal acme-challenge over https


#1

Hi,

it’s just a simple question, but I haven’t found an - explicit - answer for it, so I hope you can clarify it for me.

I created a cert with certbot for an expressjs-Webserver. For this, I run a HTTP-only server once for the certbot to find the acme-challenge-file.

Now, as the server is running with ssl as wished, the acme-challenge-file for the renewal can be found ONLY over HTTPS (but with the same path). Will this be a problem later?

Thanks in advance and cheers, Christian


#2

Hi @airheart

yes, this is a problem.

Because the draft

https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-8.3

requires a http - GET via port 80 as first connect.

You can redirect this GET to https. But if you want to use http-01 - validation, you must have an open port 80.


#3

Thanks for your quick reply!

Damn … that’s what I thought.

So if I have an automatic redirect from http://…/acme-challenge/file to https://…/acme-challenge/file it should work?

What do you mean with “http-01 - validation”?

Cheers, Christian


#4

Yes, Let’s Encrypt will follow redirects, even to HTTPS.

This means the normal, HTTP-based method of confirming your ownership of the domain. Let’s Encrypt also supports other validation methods like a DNS-based one.


#5

Sounds good! I will keep an eye on this and try a renewal before it might break anything.

I understand

Great. Many thanks to you.

Cheers, Christian


#6

Yes, it’s the default for Certbot :slight_smile: