22
votes

Should I leave /.well-known/acme-challenge always exposed on the server? Here is my config for HTTP:

server {
    listen 80;

    # Serve ACME HTTP-01 challenge tokens from the webroot over plain HTTP
    location '/.well-known/acme-challenge' {
        root /var/www/demo;
    }

    # Everything else is redirected to HTTPS
    location / {
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
    }
}

This basically redirects all requests to HTTPS, except for the acme-challenge (for auto-renewal). My question: is it all right to keep location '/.well-known/acme-challenge' always exposed on port 80? Or is it better to comment/uncomment it manually when I need to reissue the certificate? Are there any security issues with that?

Any advice or links to read about this location are appreciated. Thanks!

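An added example, not from the question or any of the answers: the same port-80 server block with the challenge location left permanently exposed but narrowed to what the ACME client actually needs. It assumes the webroot /var/www/demo from the question and that the client writes tokens into /var/www/demo/.well-known/acme-challenge/ (Certbot's webroot mode does this); the server_name is a placeholder.

```nginx
# Added example (not the question's own config): port-80 server that serves
# only ACME HTTP-01 challenge files and redirects everything else to HTTPS.
# Assumes webroot /var/www/demo and tokens under .well-known/acme-challenge/.
server {
    listen 80;
    server_name example.com;   # placeholder, use your own name

    # ^~ makes this prefix match win over any regex locations added later,
    # so another rule cannot accidentally redirect or deny the challenge.
    # Trailing slash limits the match to files inside the directory.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/demo;
        default_type "text/plain";
        # Serve only files that exist on disk: no directory listing and no
        # fall-through to other handlers. Unknown tokens get a plain 404.
        try_files $uri =404;
    }

    # This block only listens on port 80, so the $scheme test from the
    # question is always true; redirect unconditionally instead of using if.
    # $server_name (not $host) keeps a client-supplied Host header out of
    # the redirect target.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
```

After a reload, a request for http://example.com/.well-known/acme-challenge/does-not-exist should return 404 and a request for http://example.com/anything should return 301, which is the behaviour the question relies on for renewals.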

4 Answers

11
votes

The ACME challenge link is only needed for verifying the domain to this IP address.

8
votes

You do not need to keep the token available once your certificate has been signed. However, there is not much harm in leaving it available either, as explained by a Certbot engineer:

The token is part of a particular challenge which is no longer active, from the ACME server's point of view, after the server has tried to validate it. It would reveal a little bit of information about how you get certificates, but should not allow someone else to issue certificates for your site or impersonate you.

1
votes

In case someone finds this helpful, I just asked my hosting customer support and they explained it as follows:

Yes, the “well-known” folder is automatically created by cPanel in order to validate your domain for AutoSSL purposes. AutoSSL is an added feature of cPanel/WHM which offers you a free SSL certificate for your domains; it's also known as a self-signed SSL certificate. The .well-known folder is created during the domain validation process as part of the AutoSSL installation.

And it is not a file that needs to be removed; it does not cause any issue.

-7
votes

The period before the file name (.well-known) means it is a hidden directory. If your server gets hacked, the information is available to the hacker.