Certbot /.well-known/acme-challenge

Should I leave /.well-known/acme-challenge permanently exposed on the server? This is my HTTP configuration:

server {
    listen 80;

    # Serve HTTP-01 challenge files over plain HTTP. Certbot writes them
    # under /var/www/demo/.well-known/acme-challenge/ during renewal.
    location /.well-known/acme-challenge {
        root /var/www/demo;
    }

    # Everything else is redirected to HTTPS. Because this server block only
    # listens on port 80, the $scheme test is always true here.
    location / {
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
    }
}

This basically redirects every request to https, except for the acme-challenge location (used for automatic renewal). My question: is it fine to leave the location '/.well-known/acme-challenge' permanently exposed on port 80? Or is it better to comment/uncomment it by hand whenever the certificate needs to be reissued? Are there any security issues with this?

Any advice or reading links about this location would be appreciated. Thanks!

The ACME challenge link is only needed to verify the domain against this IP address.

The dot in front of the name (.well-known) marks it as a hidden directory. If your server is hacked, the attacker can obtain that information.

Once the certificate has been signed you no longer need to keep the token. Keeping it does little harm either, though, as explained by a Certbot engineer:

The token is part of a particular challenge which is no longer active, from the ACME server's point of view, after the server has tried to validate it. It would reveal a little bit of information about how you get certificates, but should not allow someone else to issue certificates for your site or impersonate you.
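To make concrete what a leftover challenge file exposes (the point of the Certbot engineer's quote above), here is an added Python example that is not from the question or from any answer on this page. It builds the HTTP-01 key authorization the way RFC 8555 section 8.1 specifies (the token, a dot, and the RFC 7638 thumbprint of the account's public key, which contains no private material) and then audits the contents of an acme-challenge directory against your own account key, flagging files that belong to some other ACME account or that are not challenge files at all. The sample JWK coordinates, tokens and file names are constructed, and all function and variable names are my own.

```python
import base64
import hashlib
import json
import os
import re

# RFC 7638: the members that enter the thumbprint, per key type.
# Private members (d, p, q, ...) are never included, so the thumbprint is public data.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# RFC 8555 section 8.3: a token is base64url without padding and carries
# at least 128 bits of entropy, i.e. at least 22 characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no
    whitespace) of the required public members only."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body served at
    /.well-known/acme-challenge/<token> is '<token>.<thumbprint(account key)>'."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def audit_challenge_dir(files: dict, account_jwk: dict) -> dict:
    """Classify files found in the acme-challenge directory.
    `files` maps file name -> file body. Verdicts:
      'ok'           valid token name, body is token.<our own thumbprint>
      'foreign-key'  well-formed challenge file, but for another ACME account key
      'malformed'    not a challenge file at all and should not be in this directory
    """
    ours = jwk_thumbprint(account_jwk)
    verdicts = {}
    for name, body in files.items():
        if not TOKEN_RE.match(name):
            verdicts[name] = "malformed"
            continue
        parts = body.strip().split(".")
        if len(parts) != 2 or parts[0] != name:
            verdicts[name] = "malformed"
        elif parts[1] == ours:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "foreign-key"
    return verdicts


def load_challenge_dir(path: str) -> dict:
    """Read a real webroot challenge directory into the mapping audit_challenge_dir expects."""
    out = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                out[name] = fh.read()
    return out


# Constructed sample account key: public EC members only, no private part.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

if __name__ == "__main__":
    # Constructed sample directory: one of our own challenge files, one written
    # for a different account key, and one file that does not belong here.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    other = "SzL9rbfP2mh0cYAm4S4pOSdBmDz_DwcJb_D5xwyCAsA"
    files = {
        token: key_authorization(token, SAMPLE_JWK),
        other: other + ".0000000000000000000000000000000000000000000",
        "index.php": "<?php echo 1; ?>",
    }
    for name, verdict in audit_challenge_dir(files, SAMPLE_JWK).items():
        print(f"{verdict:12s} {name}")
```

Run it against the real webroot with load_challenge_dir("/var/www/demo/.well-known/acme-challenge") in place of the constructed mapping. A leftover 'ok' file reveals only a used-up token and your public account-key thumbprint; a 'foreign-key' or 'malformed' file means something other than your own ACME client wrote into that directory, which is the case worth investigating.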

In case anyone finds this helpful, I simply asked my hosting provider's customer support, and they explained it as follows...

Yes, the “well-known” folder is automatically created by cPanel in order to validate your domain for AutoSSL purposes. AutoSSL is an added feature of cPanel/WHM which offers you a free SSL certificate for your domains; it's also known as a self-signed SSL certificate. The folder .well-known is created at the time of the domain validation process as a part of the AutoSSL installation.

And it is not a file that needs to be removed; it does not cause any issue.