i would like to ask how verification file names will look like? Will there be any static prefix or suffix?
We are planing to do verification of every domain and subdomain which our users will create so there’s no need for users to do any verification for themself. Because of this, we would like to redirect all requests for verification to our scripts, which will verify only domains/subdomains which needs to be verified and we know they are going to be verified. If we are able to do this, it will have two positive effects:
- we can better automate certificate installation
- any virus of malware, which successfully attacked the site, WON’T be able to create own certificates (because our scripts simply won’t verify it)
All SimpleHTTP verifications are done with requests to
Note also that it’s fine to use a self-signed certificate or a different domain’s certificate for this.
@azurit, as a result of this you could do something to stop potential malware from creating things under the path
.well-known/acme-challenge – indeed, for other reasons it might be a good idea to restrict serving other things under
.well-known, but you may want to discuss this with your users because some sites might have legitimate reasons to serve other
If you allow users to load their own TLS certs for particular domains, they could also potentially complete our other challenge type, DVSNI, so you may want to consider restricting that in addition to the verification files.