Setting challenge location using manual mode?


#1

Is there a way to set where the challenge is located when attempting to generate a certificate using manual mode? I am working on migrating a domain from a host where I have literally no access to the underlying server (the old site is built in Drupal and fully managed by a third party) and wanted to generate the certificate beforehand to ease the migration process, but I cannot put the challenge file in the location that it wants me to. (We’ve asked for just FTP access but the host is unwilling to hand even that out.) Simply being able to specify a prefix would be good enough here - there’s a file manager within Drupal that I can do this with - but I can’t seem to find anything that would allow that.

Please fill out the fields below so we can help you better.

My domain is: uaminc.com

I ran this command: letsencrypt-auto certonly --manual -d uaminc.com -d www.uaminc.com

It produced this output: the proper output

My operating system is (include version): Ubuntu 14.04

My web server is (include version): 2.4.7

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @jkachel,

Nope, the challenge location is set by the certificate authority and is always consistent as a matter of policy. The reason for this is that there are often people who can change part of a site’s content but aren’t the site administrator. If people could choose their own challenge paths, they might be able to set the challenge path to be a part of the site where they can upload or post and then get a certificate for the site as a whole, without being the administrator. So by CA policy you’ll have to be able to make changes in /.well-known/acme-challenge in order to complete this kind of challenge.

Are you familiar with the other two challenge types? (Can you make changes to the certificate configuration on that server, or make changes to records in the DNS zone?)


#3

Ah - the path restriction makes sense, and I didn’t even notice there was a DNS-based challenge option, which worked perfectly. (Thankfully this host doesn’t manage our DNS as well.) I’ve got the certificates generated now. Thanks!
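As an added example (not part of the thread and not Certbot's own code), this sketch follows RFC 8555 and RFC 7638 to derive what each challenge type discussed above requires: the fixed HTTP-01 URL and file body, and the DNS-01 TXT record. The token and account key are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import json
import re

HTTP01_PREFIX = "/.well-known/acme-challenge/"  # fixed by RFC 8555; the client cannot change it
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")        # tokens are base64url characters only
# JWK members that enter the RFC 7638 thumbprint, per key type
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample values: not a real ACME token or account key.
SAMPLE_TOKEN = "constructed-token_0123456789abcdefABCDEF"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members (RFC 7638)."""
    required = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint; ties the challenge to one ACME account."""
    if not TOKEN_RE.fullmatch(token):
        # Reject anything that could escape the challenge directory when written to disk.
        raise ValueError("token contains characters outside the base64url alphabet")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_location(domain: str, token: str, jwk: dict) -> dict:
    """URL the CA fetches and the exact body it expects there."""
    body = key_authorization(token, jwk)
    return {"url": f"http://{domain}{HTTP01_PREFIX}{token}", "body": body}


def dns01_record(domain: str, token: str, jwk: dict) -> dict:
    """TXT record the CA looks up; nothing has to be placed on the web server."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{domain}", "type": "TXT", "value": b64url(digest)}


if __name__ == "__main__":
    for record in (http01_location, dns01_record):
        print(record("uaminc.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Only the token and the record value vary per request; the path prefix and the `_acme-challenge` label are the same for every client, which is why control of that exact location or of the DNS zone is what the CA treats as proof.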

