.well-known/acme-challenge passed even if my server is not running!


#1

I am doing some development work of some client software, so I use https://acme-staging.api.letsencrypt.org for testing purposes.

I got a fake certificate from your staging server. Perfect. So far, so good.

Then I shut down my server and ran my software again. I got another certificate! It appears to me that your server didn’t bother to challenge my server the second time.

Why should you issue a certificate to a server that is not even running, thus not able to satisfy your challenge?


#2

TL:DR the challenge authenication is “binded” to your account key and that stays valid even after the challenge validation is completed for a period of time. The server realizes this and uses the cached validation.


#3

If you are doing development work you may want to utilise the authorization deactivation option to prevent this behaviour.


#4

This is by design. 


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.