Should I host my challenges http or https or both?


#1

I’m working with nginx to host several websites. I’m using getssl (bash) acme client to retrieve challenges and write appropriate response files to get certificates from letsencrypt. But it is unclear to me if I should provide these responses using the http or the https protocol, or both?

Can someone point me in the right direction here.

I.e. If I want to retrieve certs for example.com, should I then provide answers via:

http://example.com/.well-known/acme-challenge/*
or (using untrusted ssl certs) via
https://example.com/.well-known/acme-challenge/*


#2

Hi,

Is the http & https version share the same directory and config file? If so, you only need to put the challenges file in the direction once…

Let’s encrypt will connect to port 80 of your web server (which normally represent plain http version) first, then will follow redirection request (to other sites / ports, but not to an IP address)
If the http & https version are different, you must put the challenges file on http, (you may need to put it in https if http will redirect to https)

Also, I think when connecting to your website & find validation token (challenges files), let’s encrypt will not check if the current certificate is trusted or not…

Thank you


#3

I’m currently directing any and all http requests permanently (code 301) to their https equivalence. If Letsencrypt indeed follows http->https redirects and disregards certificate validity for the acme challenge part then I should be able to enable it with minimal changes. Thanks!


#4

This should work on cert renewals but I’m unsure if it will follow for a new cert request.


#5

Renewals and initial issuance aren’t distinguished by the CA (edit: for most purposes!), so the redirect-following behavior is the same in both cases.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.