.well-known/acme-challenge passed even if my server is not running!

I am doing some development work of some client software, so I use https://acme-staging.api.letsencrypt.org for testing purposes.

I got a fake certificate from your staging server. Perfect. So far, so good.

Then I shut down my server and ran my software again. I got another certificate! It appears to me that your server didn’t bother to challenge my server the second time.

Why should you issue a certificate to a server that is not even running, thus not able to satisfy your challenge?

TL:DR the challenge authenication is “binded” to your account key and that stays valid even after the challenge validation is completed for a period of time. The server realizes this and uses the cached validation.

1 Like

If you are doing development work you may want to utilise the authorization deactivation option to prevent this behaviour.


This is by design. 

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.