29

Should I leave the /.well-known/acme-challenge always exposed on the server? Here is my config for the HTTP:

server {
    listen 80;

    # Served over plain HTTP so the CA can fetch
    # http://<domain>/.well-known/acme-challenge/<token> during issuance and renewal.
    location '/.well-known/acme-challenge' {
        root /var/www/demo;
    }

    # Everything else is redirected to HTTPS. On a server that only listens on 80,
    # $scheme is always "http", so the if is redundant but harmless.
    location / {
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
    }
}

This basically redirects all requests to https, except for the acme-challenge (for auto renewal). My question: Is it alright to keep location '/.well-known/acme-challenge' always exposed on port 80? Or is it better to comment/uncomment it manually when I need to reissue the certificate? Are there any security issues with that?

Any advice or links to read about this location are appreciated. Thanks!

Ilya

4 Answers

14

The ACME challenge link is only needed for verifying the domain to this IP address.

Renjith Thankachan
  • 1
    I've also read that it's used for temp files during verification and then deletes them. So I guess it's the right answer. Thanks! – Ilya Jan 23 '17 at 12:00
  • 1
    Verifying when? Only once to get the certificate? Or is it needed again? If it's only needed to obtain the certificate, then I assume you can safely delete the .well-known directory...? – PJ Brunet Jul 15 '19 at 03:39
  • 2
    Yes, you can delete it after getting certificate but you need that folder at renewal time! – Renjith Thankachan Jul 15 '19 at 03:44
  • 1
    This answer should be expanded. It is barely a complete sentence, and provides no context, explanation, or links to documentation. – Felipe Feb 21 '23 at 00:55
9

You do not need to keep the token available once your certificate has been signed. However, there is not much harm in leaving it available either, as explained by a Certbot engineer:

The token is part of a particular challenge which is no longer active, from the ACME server's point of view, after the server has tried to validate it. It would reveal a little bit of information about how you get certificates, but should not allow someone else to issue certificates for your site or impersonate you.

natevw
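To make concrete what the quoted engineer means by "a little bit of information": an added example, not code from this thread or from Certbot, that builds and checks the HTTP-01 key authorization the challenge file must contain (RFC 8555 section 8.1, account key thumbprint per RFC 7638). The account keys, token and function names are constructed placeholders.

```python
"""What sits behind /.well-known/acme-challenge/<token> for an HTTP-01 challenge.

Added example, not from the question or answers. Keys and token are constructed
placeholders; a real ACME client derives them from your account key and the CA's order.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWK and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    keys sorted lexicographically, no whitespace. Extra members (alg, kid) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the challenge file body is token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks after fetching http://<domain>/.well-known/acme-challenge/<token>:
    the body must match the key authorization for the account that owns the order."""
    return served_body.strip() == key_authorization(token, account_jwk)


# Constructed sample keys (public halves only, which is all the CA and the file ever see).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256)}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x02" * 256)}
TOKEN = b64url(b"\x07" * 32)  # constructed; real tokens are random and chosen by the CA

if __name__ == "__main__":
    body = key_authorization(TOKEN, ACCOUNT_JWK)
    print("file body:", body)
    print("valid for my account:", validate_http01(body, TOKEN, ACCOUNT_JWK))
    print("valid for another account:", validate_http01(body, TOKEN, OTHER_JWK))
```

A stale file left in that directory exposes only the token and the account key thumbprint, both of which are public values; a CA validating a challenge for any other account key computes a different expected body and rejects the stale one.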
0

In case someone finds this helpful, I just asked my hosting customer support and they explained it as follows:

Yes, the “well-known” folder is automatically created by cPanel in order to validate your domain for AutoSSL purposes. AutoSSL is an added feature of cPanel/WHM which offers you a free SSL certificate for your domains; it's also known as a self-signed SSL certificate. The folder .well-known is created during the domain validation process as part of the AutoSSL installation.

And it is not a file that needs to be removed; it does not cause any issue.

Oliver M Grech
-10

The period before the file name (.well-known) means it is a hidden directory. If your server gets hacked the information is available to the hacker.

Unheilig