What happens with a challenge if HSTS is enabled, but wrong/no certificate provided?

Hi,

While thinking about Let’s Encrypt challenges I came up with the following problem which might happen:

Assume I want to update the TLS certificate which is not valid anymore (forgot to update in time). My web server is configured in a way that it redirects all HTTP traffic to HTTPS and sends an HSTS header. What happens now if I start the LE challenge? Will the LE side try to validate the TLS connection/certificate and will the challenge fail then?

The CA server will happily accept expired, self-signed or otherwise invalid certificates for http-01 challenges. The initial request is HTTP anyway, so it doesn’t really matter if the redirect target is using a proper certificate or not.

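A local self-check that mirrors what the answer describes, written as an added example rather than code from this thread or from Let’s Encrypt: the fetch starts over plain HTTP at the challenge path, follows the redirect, and disables certificate verification so an expired or self-signed certificate on the HTTPS side does not make the check fail. The demo server, the token and the key authorization are constructed; the demo redirects within HTTP so it runs offline, where a real server would redirect to https://.

```python
import http.server
import ssl
import threading
import urllib.request
from urllib.error import HTTPError, URLError

ACME_PATH = "/.well-known/acme-challenge/"


def insecure_opener():
    # The validator starts over plain HTTP; if redirected to https:// it does not
    # insist on a valid, unexpired certificate, so verification is disabled here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def check_http01(host, port, token, key_authorization):
    """Fetch the challenge URL over HTTP, follow redirects (HSTS is a browser
    policy and plays no role here) and compare the body to the key authorization."""
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    try:
        with insecure_opener().open(url, timeout=5) as resp:
            return resp.read().decode().strip() == key_authorization
    except (HTTPError, URLError):
        return False


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the redirecting web server (HTTP-only for the demo)."""
    answers = {}  # token -> key authorization, set by start_demo_server()

    def log_message(self, *args):
        pass

    def do_GET(self):
        if self.path.startswith(ACME_PATH):
            target = f"http://127.0.0.1:{self.server.server_port}/served/{self.path[len(ACME_PATH):]}"
            self.send_response(302)
            self.send_header("Location", target)
            self.send_header("Strict-Transport-Security", "max-age=31536000")
            self.end_headers()
        else:
            body = self.answers.get(self.path.rpartition("/")[2], "")
            self.send_response(200 if body else 404)
            self.end_headers()
            self.wfile.write(body.encode())


def start_demo_server(answers):
    DemoHandler.answers = answers
    srv = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Pointing `check_http01` at your own host on port 80 before starting a real challenge shows whether the redirect chain ends at the token body at all; a mismatch there, not the certificate, is what would make http-01 fail.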
