Why does a webroot-path have to be supplied?

macmichael01 · April 15, 2019, 6:24am

Hi I’m curious why a webroot-path (path to your code) is required? I don’t recall a time where I needed to point to a path to my code when purchasing and issuing my own cert. I was just curious why this would be needed.

Here is what the help command says but is not entirely helpful on how its used for auth.
–webroot Place files in a server’s webroot folder for authentication

Thanks in advance Ya’ll!

orangepizza · April 15, 2019, 7:28am

LE looks domain/well-known/acme-challenge/ for challenge file to validate you have control of domain.

JuergenAuer · April 15, 2019, 7:54am

Hi @macmichael01

please read the documentation about the http-01 challenge type.

If you purchase a certificate, typically you get a mail (to hostmaster / webmaster etc.) with a long confirmation link you have to click.

This is your mail challenge. Letsencrypt doesn't use mail challenges.

macmichael01 · April 15, 2019, 8:17am

Thanks for the clarification. I use this declaration in my nginx file and it seems to work fine without supplying a webroot-path.

location /.well-known/acme-challenge/ {
add_header Content-Type text/plain;
return 200 ‘acme-challenge-token’;
}

Is the token that is sent back through the .well-known path a way for me to perform additional validation? And is this a token that is generated during the initial request for a cert?

orangepizza · April 15, 2019, 8:37am

token is randomly generated for each subdomain in token1.token2. IIRC LE looks for /.well-known/acme-challenge/token1
and server should reply with token1.token2

JuergenAuer · April 15, 2019, 8:56am

Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> . That file contains the token, plus a thumbprint of your account key. Once your ACME client tells Let’s Encrypt that the file is ready, Let’s Encrypt tries retrieving it (potentially multiple times from multiple vantage points). If our validation checks get the right responses from your web server, the validation is considered successful and you can go on to issue your certificate. If the validation checks fail, you’ll have to try again with a new certificate.

How should that work if your ACME client doesn't know where to save the challenge file?

danb35 · April 15, 2019, 10:21am

The token is generated every time you request a cert--initial request, renewal, etc. It isn't a one-time static token.

system · May 15, 2019, 10:34am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.