What happens with a challenge if HSTS is enabled, but wrong/no certificate provided?


while thinking about Let’s Encrypt challenges I came up with the following problem which might happen:

Assume I want to update the TLS certificate which is not valid anymore (forgot to update in time). My web server is configured in a way that it redirects all HTTP traffic to HTTPS and sends a HSTS header. What happens now if I start the LE challenge? Will the LE side try to validate the TLS connection/certificate and will the challenge fail then?

The CA server will happily accept expired, self-signed or otherwise invalid certificates for http-01 challenges. The initial request is HTTP anyway, so it doesn’t really matter if the redirect target is using a proper certificate or not.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.