I have trouble with the http-01 challenge and an HTTPS-only server.
I don’t understand very well the “vulnerability” of http-01 with HTTPS.
The default vhost is a problem for both HTTP and HTTPS vhosts if misconfigured (fallback to the lower-precedence vhost in case there is no default vhost), and it is more a configuration problem/bad admin practice than a security one.
Without such a TLS option on the http-01 challenge, you can’t issue a certificate for an HTTPS-only server, because the tls-sni-01 challenge asks for a certificate switch with an invalid certificate, which is just a no-go for a production server (HPKP/TLSA trouble, client-side errors during the issuance…).
And it’s a real security problem to have to enable HTTP just for issuance (in fact all the time; you don’t want to have to change your configuration and firewall on the fly on production every 60 days).
If HTTP is enabled, you have to manage redirection to HTTPS to avoid user confusion, which can lead to an information leak (better to have no TCP socket at all, no information on the wire; if HTTP is enabled, the information in the first request is leaking).
Is there any way to issue a certificate for an HTTPS-only server with the current ACME spec, or what is the process for asking for the tls parameter on the http-01 challenge again?
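For the two concerns raised in the post, the default-vhost fallback and limiting what an HTTP listener exposes when it is kept only for http-01, here is an added nginx configuration example (not from the poster or the Let's Encrypt project). The hostnames, the `/var/www/acme` webroot and the file paths are assumptions; the `ssl_reject_handshake` directive requires nginx 1.19.4 or later.

```nginx
# Explicit catch-all on port 80. Without a default_server, nginx picks the
# first vhost in file order for an unknown Host header, which is the
# "fallback to lower-precedence vhost" problem.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # close the connection without sending a response
}

# Per-name HTTP vhost: only the ACME challenge path is answered in clear.
# Everything else is redirected before any content is served, so the only
# thing observable on port 80 is the Host header and path of the first request.
server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;   # assumed names

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;            # assumed webroot, e.g. certbot --webroot -w /var/www/acme
        default_type text/plain;
        try_files $uri =404;           # never fall through to the redirect below
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Same catch-all on 443 so an unknown SNI name gets a rejected handshake
# instead of whichever HTTPS vhost happens to be listed first.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;           # nginx >= 1.19.4; no placeholder certificate needed
}
```

Keeping port 80 open permanently with this shape means the challenge webroot is the only path served in clear and the renewal never requires a configuration or firewall change; the catch-all blocks on both ports make the vhost selection explicit rather than dependent on file order.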