On 14/10/16 18:53, Alan Doherty wrote:
> btw in http-01 the acme client can specify to the server whether to
> use http://www.domain1.com/.well-known/acme-challenge/ or
> https://www.domain1.com/.well-known/acme-challenge/ directly
>
> "The client’s response to this challenge indicates whether it would
> prefer for the validation request to be sent over TLS:
>
> type (required, string): The string “simpleHttp”
> tls (optional, boolean, default true): If this attribute is present
> and set to “false”, the server will perform its validation check over
> unencrypted HTTP (on port 80) rather than over HTTPS. Otherwise the
> check will be done over HTTPS, on port 443."
> https://letsencrypt.github.io/acme-spec/#rfc.section.7.1
Note that this is referring to the simpleHttp challenge type, which was removed quite some time ago, due to possible domain validation vulnerabilities with common server configurations[1]. The replacement - http-01 - does not support such a "tls" parameter, and validation requests are always performed via HTTP (though a redirect to https:// is still accepted).

[1]: https://www.ietf.org/mail-archive/web/acme/current/msg00524.html

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
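The http-01 behaviour described in the reply above, modelled end to end as an added example (this is not code from the thread, from the ACME spec, or from Let's Encrypt). It computes the RFC 7638 JWK thumbprint and the key authorization that http-01 expects in the response body, then models the CA's validation fetch: the first request is always plain http:// on port 80, there is no client-selectable "tls" flag as there was in simpleHttp, and a redirect to https:// is followed and accepted. The domain, token, account key coordinates and the fake web server are constructed for the example; the CA-side fetch is a callback so it runs offline.

```python
"""Model of ACME http-01 validation (added example, not the spec's own code)."""
import base64
import hashlib
import json
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10

# RFC 7638 section 3.2: only the required public members take part in the
# thumbprint; everything else (kid, alg, use, ...) is dropped.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    serialised as compact JSON with members in lexicographic order."""
    canonical = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    serialised = json.dumps(canonical, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(serialised.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# A fetch callback returns (status, headers, body) for a URL.  A real validator
# opens sockets; here the caller supplies a fake so the example runs offline.
Fetch = Callable[[str], Tuple[int, Dict[str, str], bytes]]


def validate_http01(domain: str, token: str, account_jwk: Dict[str, str],
                    fetch: Fetch) -> bool:
    """CA side of http-01.  The first request is always http:// (port 80);
    unlike the retired simpleHttp challenge there is no 'tls' flag the client
    can set.  Redirects are followed, a redirect to https:// is fine, but the
    final body must be exactly the key authorization."""
    expected = key_authorization(token, account_jwk)
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location", "")
            if urlsplit(location).scheme not in ("http", "https"):
                return False  # refuse to follow anything that is not HTTP(S)
            url = location
            continue
        if status != 200:
            return False
        # A trailing newline (e.g. from `echo`) is tolerated, nothing else.
        return body.decode("ascii", errors="replace").rstrip() == expected
    return False  # redirect limit exceeded


# Constructed account key: x/y are fixed byte patterns, not a real P-256 point,
# which is fine because the thumbprint only hashes the JWK text.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256", "kid": "acct-1", "use": "sig",
    "x": b64url(b"\x11" * 32),
    "y": b64url(b"\x22" * 32),
}
TOKEN = b64url(b"\x5a" * 32)  # constructed; a CA would use random bytes


def make_fake_server(domain: str, body: bytes, redirect_to_https: bool) -> Fetch:
    """Constructed web server: optionally 301s http:// to https://, then serves body."""
    def fetch(url: str) -> Tuple[int, Dict[str, str], bytes]:
        parts = urlsplit(url)
        if parts.netloc != domain or not parts.path.startswith(CHALLENGE_PREFIX):
            return 404, {}, b"not found"
        if parts.scheme == "http" and redirect_to_https:
            return 301, {"Location": f"https://{domain}{parts.path}"}, b""
        return 200, {}, body
    return fetch


def demo() -> Dict[str, bool]:
    """Three scenarios a practitioner hits: https redirect, wrong body, redirect loop."""
    good_body = key_authorization(TOKEN, ACCOUNT_JWK).encode("ascii") + b"\n"
    good = make_fake_server("example.test", good_body, redirect_to_https=True)
    bad = make_fake_server("example.test", b"stale-token.stale-thumbprint", False)

    def loop(url: str) -> Tuple[int, Dict[str, str], bytes]:
        return 302, {"Location": url}, b""

    return {
        "redirect_to_https_passes": validate_http01("example.test", TOKEN, ACCOUNT_JWK, good),
        "wrong_body_fails": validate_http01("example.test", TOKEN, ACCOUNT_JWK, bad),
        "redirect_loop_fails": validate_http01("example.test", TOKEN, ACCOUNT_JWK, loop),
    }


if __name__ == "__main__":
    print(demo())
```

The fake server's 301 is the common "force HTTPS" vhost rule that the reply says is still accepted; what the validator never does is start on 443, and what it never trusts is a body other than the exact key authorization.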
