Validation of an Expired HSTS site with HTTPS redirect, or self-signed site

I’m trying to resolve an issue which can be reproduced in the following situation.

  1. A webserver is configured with HSTS, and the webserver will always redirect to the HTTPS site.
  2. The webserver was configured with self-signed certificates or an expired (Let’s Encrypt) certificate
  3. Webroot domain validation is used for authentication

This discussion on acmetool started here:

In my perspective the validation of a domain name boils down to: can a validation tool reach a webserver located at an AAAA/A-record for the requested domain name. I assume that redirection at the webserver-side to a HTTPS resource is allowed. Please confirm this statement.

If the redirection is allowed we may arrive at a chicken/egg problem. A Let’s Encrypt certificate may be expired before the renewal process has been done, or the webserver can be started with self-signed certificates. To me it sounds as being strict on SSL validation goes beyond checking if the document can be retrieved from the IP address defined by the A/AAAA-record.

Boulder (the CA software) does not check cert validity when following a redirect to https as part of the http-01 challenge.

I think many of your questions / issues are covered in the other thread, which you link to.

I’m not sure what your question is here?

I don’t see any chicken / egg situation, you can perfectly happily get a certificate in the situation as described.

You can’t get the certificate unless HSTS is disabled for the domain. I am trying to confirm that this requirement is the Let’s Encrypt policy. Since someone else also states that Boulder doesn’t have this requirement, and at the github ticket someone suggested DNS validation, this topic already helps me greatly.

Let’s Encrypt does not follow HSTS - so no it’s not policy or a requirement to “disable” HSTS.

You could use DNS validation, yes - or there is no reason why you can’t use HTTP validation. It looks as if acmeclient (the client you are using) does check / require a valid SSL cert - this is not a requirement of Let’s Encrypt.

Since it turns out that boulder doesn’t validate TLS certificates in HTTPS redirects issued from HTTP URL retrievals for validation purposes, I’ve updated acmetool to reflect this. The fix is in v0.0.58.
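To make the behaviour described in the thread concrete (the CA follows the HTTP-to-HTTPS redirect without checking the certificate it meets there, and it does not honour HSTS), here is an added example that models an HTTP-01 validation against the site described in the opening post. This is illustrative code written for this page, not code from Boulder or acmetool. The `fetch` callable, the `simulated_site` web server, the domain, token and account JWK are all constructed for the demonstration; only the key-authorization format (RFC 8555 section 8.1) and the JWK thumbprint (RFC 7638) follow the published specifications.

```python
"""Model of an ACME HTTP-01 validation that follows an HTTP->HTTPS redirect.

Added example, not code from acmetool or Boulder. fetch()/simulated_site()
and all sample values are constructed; the key-authorization and thumbprint
computations follow RFC 8555 s8.1 and RFC 7638.
"""
import base64
import hashlib
import json
import ssl
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin, urlsplit

# RFC 7638 s3.2: the members that go into the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 s8.1: the body the challenge URL must return."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# fetch(url, verify_tls) -> (status, headers, body); raises OSError on TLS/connection failure.
Fetch = Callable[[str, bool], Tuple[int, Dict[str, str], bytes]]


def validate_http01(domain: str, token: str, account_jwk: Dict[str, str],
                    fetch: Fetch, verify_tls: bool, max_redirects: int = 10) -> Tuple[bool, str]:
    """Fetch the challenge over plain HTTP, following redirects like a CA validator.

    verify_tls=False models the Boulder behaviour confirmed in the thread: a redirect
    to HTTPS is followed but the certificate met there is not checked (the site is
    asking for a certificate, so it may not have a valid one yet). verify_tls=True
    models a client that insists on a valid chain. The validator keeps no HSTS state,
    so an HSTS header never makes it skip the initial plain-HTTP request.
    """
    expected = key_authorization(token, account_jwk)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    for _ in range(max_redirects + 1):
        scheme = urlsplit(url).scheme
        if scheme not in ("http", "https"):
            return False, f"refusing to follow redirect to {scheme} URL"
        try:
            status, headers, body = fetch(url, verify_tls)
        except OSError as exc:
            return False, f"fetch of {url} failed: {exc}"
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                return False, f"{status} without Location header"
            url = urljoin(url, location)
            continue
        if status != 200:
            return False, f"unexpected status {status} for {url}"
        # RFC 8555 s8.3: trailing whitespace in the body is ignored.
        if body.decode("ascii", "replace").rstrip() == expected:
            return True, f"key authorization matched at {url}"
        return False, "key authorization mismatch"
    return False, "too many redirects"


def simulated_site(domain: str, token: str, body: str) -> Fetch:
    """Constructed stand-in for the thread's webserver: the HTTP vhost redirects
    everything to HTTPS; the HTTPS vhost sends HSTS and presents a self-signed
    (or expired) certificate, which fails strict verification."""
    def fetch(url: str, verify_tls: bool):
        parts = urlsplit(url)
        if parts.scheme == "http":
            return 301, {"Location": f"https://{domain}{parts.path}"}, b""
        if verify_tls:
            raise ssl.SSLCertVerificationError("self-signed certificate")
        hsts = {"Strict-Transport-Security": "max-age=31536000"}
        if parts.path == f"/.well-known/acme-challenge/{token}":
            return 200, hsts, body.encode("ascii") + b"\n"
        return 404, hsts, b"not found"
    return fetch


# Constructed account key and challenge; the thumbprint only has to match on both sides.
DEMO_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
            "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
DEMO_DOMAIN = "example.test"
DEMO_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Same site, same challenge file: the lenient validator succeeds, the strict one cannot."""
    site = simulated_site(DEMO_DOMAIN, DEMO_TOKEN, key_authorization(DEMO_TOKEN, DEMO_JWK))
    lenient = validate_http01(DEMO_DOMAIN, DEMO_TOKEN, DEMO_JWK, site, verify_tls=False)
    strict = validate_http01(DEMO_DOMAIN, DEMO_TOKEN, DEMO_JWK, site, verify_tls=True)
    return lenient, strict


if __name__ == "__main__":
    for label, (ok, why) in zip(("boulder-style", "strict-TLS"), demo()):
        print(f"{label:14s} {'OK  ' if ok else 'FAIL'} {why}")
```

Running `demo()` shows the chicken/egg problem the opening post worried about and why it does not bite: the strict validator dies on the self-signed certificate at the redirect target, while the Boulder-style one ignores the certificate and only compares the body against the key authorization. The HSTS header the HTTPS vhost sends is simply carried along in `headers` and never consulted.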

