To support a custom ACME challenge path (to work around GitHub Pages)

For some reason, the ACME challenge path is not overridable via GitHub Pages (reported on Stack Overflow). It could be because GitHub Pages has reserved that specific path for its own cert generation and such, but in general it would be good to support a user-defined path (not domain) for ACME fulfillment.

This feature would definitely improve flexibility in cert generation and encourage the use of free hosting such as GitHub Pages for cert generation.

Unfortunately, that's not possible for Let's Encrypt to do. Let's Encrypt has to abide by the CA/Browser Forum Baseline Requirements (see section 3.2.2.4.19, "Agreed-Upon Change to Website - ACME").

There, the BRs refer to section 8.3 of the ACME RFC (RFC 8555), which essentially hardcodes the /.well-known/acme-challenge/ path.

7 Likes

If a user could define any challenge path they wanted then a website administrator couldn't restrict certificate issuances.

It would break the idea that you have to have complete control or specific authorization over the domain / subdomain to acquire a certificate.

For instance, a university that provides basic webhosting for all students at ~username could be a MITM attack vector, or a way to maliciously exhaust rate limits.

5 Likes

You shouldn't need to self-manage the certificate on Github Pages even with a custom domain in play. You basically just check the box to enable it and they'll take care of the rest.

https://docs.github.com/en/pages/getting-started-with-github-pages/securing-your-github-pages-site-with-https

All GitHub Pages sites, including sites that are correctly configured with a custom domain, support HTTPS and HTTPS enforcement.

5 Likes

@rmbolger I need the cert (with private key) to perform client auth in an mTLS handshake. I was exploring GitHub Pages as a free alternative for cert generation (usually you need a publicly hosted server) and to apply automation next.

Ah, that won't be possible with GitHub pages then as they manage the private key on your behalf (as would most managed static site hosters I'd think). But you don't need a public hosted server to generate a certificate if you have control of the public DNS zone. You can use the dns-01 challenge type.

7 Likes
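The three technical points made in this thread (the http-01 path is fixed by RFC 8555 section 8.3, a host that only lets you publish under a sub-path such as ~username therefore cannot satisfy http-01 for the whole domain, and dns-01 needs no web server at all) can be shown in a few lines of code. The following is an added example, not code from any of the posters and not Let's Encrypt or GitHub code; it uses only the Python standard library. The JWK, token and the function names (`jwk_thumbprint`, `key_authorization`, `http01_lookup`, `dns01_record`) are constructed for this illustration and are not a real account key or a real challenge.

```python
"""Added example: the fixed ACME challenge locations for http-01 and dns-01.

Illustrates RFC 8555 section 8.3 (http-01) and section 8.4 (dns-01) using
only the standard library. The JWK and token below are constructed for the
example and are not a real account key or a real Let's Encrypt challenge.
"""
import base64
import hashlib
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# RFC 8555 s8.3: the http-01 path is not negotiable; the CA always fetches
# http://<domain>/.well-known/acme-challenge/<token>.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 s8.3: tokens use only the base64url alphabet, no padding.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace. Optional members such
    as kid or alg are deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || thumbprint(account key).
    Binding the token to the account key is what stops someone who merely
    observes the token from completing the challenge for their own account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_lookup(path: str, challenges: dict) -> tuple:
    """Decide what a compliant http-01 responder returns for a request path.

    challenges maps token -> key authorization. Anything outside the fixed
    prefix (for example a user-chosen /~student/... path) must 404, which is
    exactly why a host that only lets you publish under such a sub-path
    cannot be used to satisfy http-01 for the whole domain.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, ""
    token = path[len(CHALLENGE_PREFIX):]
    # Reject anything that is not a bare base64url token (no '/', no '..').
    if not TOKEN_RE.match(token) or token not in challenges:
        return 404, ""
    return 200, challenges[token]


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """RFC 8555 s8.4: TXT record name and value for dns-01.
    Value is base64url(SHA-256(key authorization)); no web server needed,
    only control of the public DNS zone."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


class ChallengeHandler(BaseHTTPRequestHandler):
    """Tiny responder that serves only the fixed prefix. `challenges` is a
    class attribute so the handler class can be handed to HTTPServer."""
    challenges = {}

    def do_GET(self):
        status, body = http01_lookup(self.path, self.challenges)
        self.send_response(status)
        # RFC 8555 s8.3 recommends application/octet-stream for the response.
        self.send_header("Content-Type", "application/octet-stream")
        self.end_headers()
        self.wfile.write(body.encode("ascii"))


# Constructed sample account key (not a real key) and token, for illustration.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "examplexcoordinate", "y": "exampleycoordinate"}
SAMPLE_TOKEN = "DGyRejmCefe7v4NfDGDKfA"


if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    ChallengeHandler.challenges = {SAMPLE_TOKEN: ka}
    print("http-01: serve", CHALLENGE_PREFIX + SAMPLE_TOKEN, "->", ka)
    print("dns-01 alternative:", dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK))
    HTTPServer(("127.0.0.1", 8080), ChallengeHandler).serve_forever()
```

Run stand-alone it prints the two fixed locations and then listens on 127.0.0.1:8080; a real validation would of course arrive on port 80 of the domain being validated. The point of `http01_lookup` is the first `if`: the responder has no knob for the prefix, so a user who can only publish under a different path (GitHub Pages, a university ~username directory) has nothing the CA will fetch, while `dns01_record` shows that the same token and account key can instead be proven through a TXT record in the zone.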

Yes, I am aware of the options besides the default http-01 challenge. Thanks everyone for the support; at least I now have a better understanding of why the acme-challenge path is not overridable on GitHub Pages (underneath it uses Let's Encrypt too for custom domains).
