On 14/10/16 18:53, Alan Doherty wrote:
> btw in http-01 the acme client can specify to the server whether to
> use http://www.domain1.com/.well-known/acme-challenge/ or
> https://www.domain1.com/.well-known/acme-challenge/ directly
> "The client’s response to this challenge indicates whether it would
> prefer for the validation request to be sent over TLS:
> type (required, string): The string “simpleHttp”
> tls (optional, boolean, default true): If this attribute is present
> and set to “false”, the server will perform its validation check over
> unencrypted HTTP (on port 80) rather than over HTTPS. Otherwise the
> check will be done over HTTPS, on port 443."
> https://letsencrypt.github.io/acme-spec/#rfc.section.7.1

Note that this is referring to the simpleHttp challenge type, which was
removed quite some time ago, due to possible domain validation
vulnerabilities with common server configurations[1]. The replacement -
http-01 - does not support such a "tls" parameter, and validation
requests are always performed via HTTP (though a redirect to https:// is
still accepted).

[1]: https://www.ietf.org/mail-archive/web/acme/current/msg00524.html
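As an added illustration of the reply above (this is example code, not code from the thread or from any ACME implementation), here is a small Python model of the server side of the http-01 challenge as RFC 8555 describes it: the key authorization is token || "." || base64url(JWK thumbprint), the validation request always starts at plain http:// on port 80 with no "tls" knob, and a redirect chain, including one to https://, is followed. The token, the JWK and the in-memory "site" are constructed placeholders, and network access is replaced by an injected fetch function so the example runs offline; a real validator additionally handles DNS, timeouts and multiple vantage points.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, Optional, Tuple

# Added example, not code from the thread or from any ACME implementation.
# Models the CA side of http-01 (RFC 8555 section 8.3): the first request is
# always http:// on port 80; redirects (including to https://) are followed.

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)
Fetch = Callable[[str], Response]


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(domain: str, token: str, jwk: Dict[str, str],
                    fetch: Fetch, max_redirects: int = 10) -> bool:
    """True if the challenge resource serves the expected key authorization.

    There is no 'tls' parameter: the request always begins as http://.
    Redirects are followed, so an http -> https redirect is accepted."""
    expected = key_authorization(token, jwk)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]
            continue
        return status == 200 and body.strip() == expected
    return False  # redirect loop or chain too long


# --- constructed sample data (not a real key or token) ----------------------
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "Y29uc3RydWN0ZWQteA", "y": "Y29uc3RydWN0ZWQteQ"}
TOKEN = "constructedT0kenAbCdEf"
DOMAIN = "www.domain1.com"  # the host name used in the quoted message


def make_site(body_on_http: Optional[str] = None, body_on_https: Optional[str] = None,
              redirect_http_to_https: bool = False) -> Fetch:
    """Build an in-memory site for the challenge path; None means 404."""
    path = f"/.well-known/acme-challenge/{TOKEN}"
    http_url, https_url = f"http://{DOMAIN}{path}", f"https://{DOMAIN}{path}"
    pages: Dict[str, Response] = {}
    if redirect_http_to_https:
        pages[http_url] = (301, {"Location": https_url}, "")
    elif body_on_http is not None:
        pages[http_url] = (200, {}, body_on_http)
    if body_on_https is not None:
        pages[https_url] = (200, {}, body_on_https)
    return lambda url: pages.get(url, (404, {}, ""))


def scenarios() -> Dict[str, bool]:
    """Outcomes of the validator against several constructed server setups."""
    ka = key_authorization(TOKEN, SAMPLE_JWK)
    run = lambda site: validate_http01(DOMAIN, TOKEN, SAMPLE_JWK, site)
    return {
        "served on http": run(make_site(body_on_http=ka)),
        "http redirects to https": run(make_site(body_on_https=ka,
                                                 redirect_http_to_https=True)),
        "https only, no redirect": run(make_site(body_on_https=ka)),
        "wrong key authorization": run(make_site(body_on_http=TOKEN + ".wrong")),
        "redirect loop": run(lambda url: (302, {"Location": url}, "")),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} -> {'valid' if ok else 'invalid'}")
```

The "https only, no redirect" case is the one the reply is warning about: a host that answers only on 443 and never on 80 fails http-01, because the CA never initiates the request over HTTPS; serving the file on port 80 or redirecting 80 to 443 both pass.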

Acme mailing list