.well-known/acme-challenge
.well-known/acme-challenge is the well-known URI path used by the HTTP-01 challenge of the Automatic Certificate Management Environment (ACME) protocol, which Let's Encrypt and other Certificate Authorities (CAs) use to automate the issuance and renewal of TLS certificates. A CA fetches a file from this path to check that the party requesting a certificate controls the web server for the domain name in question.
Context and Purpose
The acme-challenge directory lives under the web root of the HTTP server for the domain (or is handled by the ACME client itself), and is where the challenge response is placed during certificate issuance. Here's how the HTTP-01 challenge works:
- ACME requires the client to demonstrate control over every domain name in the certificate request. HTTP-01 is one of the challenge types defined for this purpose (DNS-01, which uses a TXT record, is the other type defined in the base protocol).
- When the client asks for authorization of a name, the CA issues a challenge containing a random token. The client combines that token with its ACME account key to form a "key authorization": the token, a period, and the base64url-encoded SHA-256 thumbprint of the account's public key.
- The client makes the key authorization available at the standardized URL http://<domain>/.well-known/acme-challenge/<token>, as the body of a plain HTTP 200 response.
- The CA then fetches that URL over HTTP on port 80 and compares the body with the key authorization it computed itself from the account key it already holds. A match confirms that whoever holds the account key also controls the web server that the domain name resolves to, and the CA may issue the certificate.
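The exchange described above, worked through as an added example. This is illustrative code written for this page, not the code of any ACME client, CA or library. It assumes a constructed, deliberately short RSA key in JWK form as the account key (not a usable key; only the thumbprint arithmetic matters here), a constructed token, and an in-memory web root in place of a real server. The thumbprint follows RFC 7638 and the key authorization follows RFC 8555 section 8.1; the `simulate` function plays both sides and shows why someone without the account key cannot pass the check even if they can write to the challenge path.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed account key in JWK form. The modulus is deliberately short and
# is NOT a usable RSA key; only the thumbprint computation is demonstrated.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wlm3b6NfJ93Y",
    "e": "AQAB",
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. This string is the file content."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def client_provision(token: str, jwk: dict) -> dict:
    """Client side: publish the key authorization under the token's URL path."""
    return {CHALLENGE_PREFIX + token: key_authorization(token, jwk)}


def ca_validate(fetch, domain: str, token: str, jwk: dict) -> bool:
    """
    CA side: GET the challenge over plain HTTP on port 80 and compare the body
    with the key authorization computed from the account key the CA holds.
    `fetch(url) -> (status, body)` stands in for the CA's HTTP client.
    """
    status, body = fetch(f"http://{domain}{CHALLENGE_PREFIX}{token}")
    return status == 200 and body.strip() == key_authorization(token, jwk)


def simulate(tamper: bool = False) -> bool:
    """Run the whole exchange against an in-memory web root (no network)."""
    token = "DGyRejmCefe7v4NfDGDKfA"  # constructed; in reality the CA chooses it
    webroot = client_provision(token, ACCOUNT_JWK)
    if tamper:
        # Someone who can write to the path but lacks the account key can at
        # best serve the bare token; the thumbprint will not match.
        webroot[CHALLENGE_PREFIX + token] = token

    def fetch(url):
        parts = urlsplit(url)
        if parts.scheme != "http" or (parts.port or 80) != 80:
            return 400, ""
        body = webroot.get(parts.path)
        return (200, body) if body is not None else (404, "")

    return ca_validate(fetch, "example.test", token, ACCOUNT_JWK)


if __name__ == "__main__":
    print("honest client passes:", simulate())
    print("tampered response passes:", simulate(tamper=True))
```

Note that `jwk_thumbprint` ignores optional members such as `kid` or `alg` and is independent of the key order in the input dictionary; that is what makes the thumbprint stable across clients and the CA.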
History
The concept of well-known URIs was introduced by RFC 5785, published in April 2010 (since replaced by RFC 8615 in May 2019), which reserves the /.well-known/ path prefix in the Uniform Resource Identifier (URI) space as a place for standardized, site-wide metadata, including security-related resources. Specifically for ACME:
- The acme-challenge path was formalized with the publication of the ACME protocol as RFC 8555 in March 2019, which specifies /.well-known/acme-challenge/<token> as the URL used for HTTP-01 domain validation. The path had already been in use by Let's Encrypt and its clients during the protocol's draft phase.
- Let's Encrypt issued its first certificate in September 2015, opened its public beta in December 2015 and left beta in April 2016. It was the first CA to use this path at scale and did much to make automated TLS certificate management the norm.
Implementation Details
- The challenge URL must be reachable over plain HTTP on port 80. The CA always starts its request there and will not try port 443 on its own; it does follow redirects, including to HTTPS, so an existing HTTP-to-HTTPS redirect is acceptable as long as the redirect target also serves the token.
- The path must not require authentication, client certificates or IP allowlisting: the CA's validators, which may fetch from several vantage points, must be able to retrieve it anonymously. The final response must be a 200 with the key authorization as the body; a login page, a 403 or a soft 404 fails validation.
- Web servers, and any reverse proxy, CDN or WAF in front of them, need to be configured to serve files from this directory or to route requests for it to the ACME client, and to exempt it from catch-all rules such as "redirect everything to a landing page" or "deny all paths beginning with a dot", which otherwise block it.
Security Considerations
- The key authorization served at /.well-known/acme-challenge/<token> is not a secret. It contains only the CA-chosen token and the thumbprint of the account's public key, and the protocol depends on it being fetchable anonymously; reading it gives an attacker nothing. Restricting read access breaks validation rather than improving security.
- Write access is what matters. Anyone who can place files under this path on a host that the domain name resolves to (through a file-upload flaw, a shared web root, or a reverse proxy or CDN that forwards the path to the wrong backend) can complete HTTP-01 for that domain with their own ACME account and obtain a valid certificate for it. Limit write access to the ACME client and keep the path out of any user-controlled upload location.
- Serve only exact token files. The handler should accept nothing but base64url characters in the token part of the path, so that path traversal or serving unrelated files is impossible, and the directory should contain nothing except the challenge files currently in use.
- Keeping the directory dedicated to ACME challenges makes unexpected files easy to spot. A CAA DNS record restricting which CAs may issue for the domain, and monitoring Certificate Transparency logs for issuance you did not request, limit the damage if the path is ever exposed.
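A minimal challenge responder with a local preflight check, covering both the implementation points (port 80, anonymous access, plain 200 response) and the security points (exact-token serving, no traversal, write access to the directory) above. This is an added example written for this page, not code from Let's Encrypt, certbot or any other ACME client. It assumes a constructed token and a constructed placeholder key authorization, uses only the Python standard library, and binds to an ephemeral loopback port in `demo` so that it can run anywhere; a real responder listens on port 80 (or the ordinary web server serves the directory instead).

```python
import os
import re
import stat
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")  # ACME tokens are base64url


def make_handler(challenge_dir: str):
    """Build a handler that serves ONLY <challenge_dir>/<token>; all else is 404."""

    class AcmeHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            path = self.path.split("?", 1)[0]
            token = path[len(CHALLENGE_PREFIX):] if path.startswith(CHALLENGE_PREFIX) else ""
            # Whitelisting the token charset refuses "..", "/", "%2e" and friends,
            # so the handler can never be steered outside challenge_dir.
            if not TOKEN_RE.fullmatch(token):
                return self._reply(404)
            try:
                with open(os.path.join(challenge_dir, token), "rb") as f:
                    body = f.read()
            except OSError:
                return self._reply(404)
            self._reply(200, body)

        def _reply(self, status: int, body: bytes = b""):
            # Plain response with the key authorization as body: no auth, no redirect.
            self.send_response(status)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return AcmeHandler


def start_responder(challenge_dir: str, port: int = 80) -> ThreadingHTTPServer:
    """Bind the responder; port 80 in production, 0 (ephemeral) for the demo."""
    server = ThreadingHTTPServer(("127.0.0.1", port), make_handler(challenge_dir))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def preflight(base_url: str, token: str, expected: str) -> bool:
    """Imitate the CA: GET the URL, follow redirects (urllib's default, as the
    CA does), and require a 200 whose body is exactly the key authorization."""
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_PREFIX + token, timeout=5) as resp:
            return resp.status == 200 and resp.read().decode("utf-8", "replace").strip() == expected
    except (urllib.error.URLError, ValueError):
        return False


def audit_challenge_dir(challenge_dir: str) -> list:
    """Flag what lets an attacker get certificates: write access and stray files."""
    findings = []
    if os.stat(challenge_dir).st_mode & stat.S_IWOTH:
        findings.append("challenge directory is world-writable")
    for name in os.listdir(challenge_dir):
        if os.path.islink(os.path.join(challenge_dir, name)):
            findings.append(f"symlink in challenge directory: {name}")
        elif not TOKEN_RE.fullmatch(name):
            findings.append(f"non-token file in challenge directory: {name}")
    return findings


def demo() -> dict:
    """Stand up the responder on an ephemeral port and exercise the checks."""
    root = tempfile.mkdtemp(prefix="webroot-")
    challenge_dir = os.path.join(root, "acme-challenge")
    os.mkdir(challenge_dir, 0o755)
    token = "DGyRejmCefe7v4NfDGDKfA"                   # constructed token
    key_auth = token + ".thumbprint-of-account-key"    # constructed placeholder
    with open(os.path.join(challenge_dir, token), "w") as f:
        f.write(key_auth)
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("must never be served")                # lives outside the directory
    server = start_responder(challenge_dir, port=0)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    results = {
        "valid": preflight(base, token, key_auth),
        "wrong_body": preflight(base, token, "some-other-account"),
        "missing": preflight(base, "nosuchtoken", key_auth),
        "traversal": preflight(base, "../secret.txt", "must never be served"),
        "clean_audit": audit_challenge_dir(challenge_dir),
    }
    os.chmod(challenge_dir, 0o777)                     # simulate a sloppy deployment
    results["loose_audit"] = audit_challenge_dir(challenge_dir)
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Run `preflight("http://yourdomain.example", token, key_auth)` from outside your network before asking the CA to validate; if it returns False because of a redirect to a login page, a dotfile-deny rule or a proxy that does not forward the path, the CA's request will fail in the same way.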