.well-known/acme-challenge passed even if my server is not running!

I am doing some development work on some client software, so I use https://acme-staging.api.letsencrypt.org for testing purposes.

I got a fake certificate from your staging server. Perfect. So far, so good.

Then I shut down my server and ran my software again. I got another certificate! It appears to me that your server didn’t bother to challenge my server the second time.

Why should you issue a certificate to a server that is not even running, thus not able to satisfy your challenge?

TL;DR: the challenge authentication is “binded” to your account key and that stays valid even after the challenge validation is completed for a period of time. The server realizes this and uses the cached validation.

1 Like

If you are doing development work you may want to utilise the authorization deactivation option to prevent this behaviour.

2 Likes
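The behaviour described in the two replies above, as an added example that is not part of the original thread or of any Let's Encrypt code: a client-side check that lists which authorizations the CA can still reuse without a fresh challenge, and the request body that deactivates each one. It assumes authorization objects shaped as in RFC 8555 (ACME v2); the URLs, hostnames and function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample data: authorization URL -> authorization object (RFC 8555 shape).
SAMPLE_AUTHZS = {
    "https://ca.example/acme/authz/1": {
        "identifier": {"type": "dns", "value": "dev.example.org"},
        "status": "valid",
        "expires": "2030-01-01T00:00:00Z",
    },
    "https://ca.example/acme/authz/2": {
        "identifier": {"type": "dns", "value": "new.example.org"},
        "status": "pending",
        "expires": "2030-01-01T00:00:00Z",
    },
    "https://ca.example/acme/authz/3": {
        "identifier": {"type": "dns", "value": "old.example.org"},
        "status": "valid",
        "expires": "2020-01-01T00:00:00Z",
    },
}


def parse_expires(ts):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def reusable_authzs(authzs, now):
    """URLs of authorizations that are 'valid' and unexpired, so the CA can
    issue for their identifiers without challenging the server again."""
    return sorted(
        url for url, a in authzs.items()
        if a["status"] == "valid" and parse_expires(a["expires"]) > now
    )


def deactivation_requests(authzs, now):
    """Map each reusable authorization URL to the JSON payload that deactivates it.
    A real client must wrap this payload in a JWS signed with the account key
    and POST it to the authorization URL; signing is out of scope here."""
    payload = json.dumps({"status": "deactivated"})
    return {url: payload for url in reusable_authzs(authzs, now)}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for url, body in deactivation_requests(SAMPLE_AUTHZS, now).items():
        print("POST", url, body)
```

Running the deactivation step between test runs forces the next order for the same identifier to go through a new challenge.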

This is by design. 
