
Certbot .well-known security issue

Posted: Mon Jun 25, 2018 5:26 am
by archergod
I use certbot on a default installation of VestaCP on my Ubuntu 16.04 machine. It generates the certificate well, but in order to verify the domain, it adds

Code:

location ~ "^/.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
}
This causes my automated security testing to alarm that URLs like http://domain/.well-known/acme-challenge/<h1>abc</h1> are hackable and available on the website.

Is there any way I can fix this? For example, could certbot use another method, or, when the certificate is done/renewed, remove this nginx configuration and add it again when it is needed?
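One way to tighten the block is to stop the capture group from accepting arbitrary input. The following is an added example, not certbot's, VestaCP's or the poster's configuration. It keeps the post's `xxxxxxxx...` placeholder (which stands for the account-key thumbprint; an ACME key authorization is `<token>.<thumbprint>`, RFC 8555 section 8.1) and assumes the token is base64url, which the ACME specification requires, so a path such as `/.well-known/acme-challenge/<h1>abc</h1>` can no longer match the reflecting location at all:

```nginx
# Weak shape (as quoted in the post): (.*) captures any path segment and the
# capture is echoed straight back in the response body.
#
#   location ~ "^/.well-known/acme-challenge/(.*)$" {
#       default_type text/plain;
#       return 200 "$1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
#   }

# Hardened shape (added example, not certbot's own code): only a base64url
# token can reach the return directive, and nosniff tells browsers not to
# second-guess the text/plain content type.
location ~ "^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$" {
    default_type text/plain;
    add_header X-Content-Type-Options nosniff;
    # xxxxxxxx... is the post's placeholder for the account-key thumbprint.
    return 200 "$1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
}

# Everything else under the challenge path (including a scanner's HTML payload)
# gets a 404 instead of a reflection. Use a plain prefix location here, not
# "^~": a "^~" prefix match would stop nginx from ever trying the regex above.
location /.well-known/acme-challenge/ {
    return 404;
}
```

Check it with `curl -i 'http://domain/.well-known/acme-challenge/<h1>abc</h1>'`, which should now return 404 with an empty body, while a request for a base64url token still returns `token.thumbprint` as text/plain. Note that if certbot rewrites this block on each renewal, a hand-edited version will be overwritten; serving the challenge as a static file from a webroot directory (certbot's `--webroot` authenticator) avoids the reflection entirely because nothing from the request path is copied into the response.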

Re: Certbot .well-known security issue

Posted: Mon Jun 25, 2018 11:16 am
by ScIT
Why do you use certbot? VestaCP provides an internal Let's Encrypt engine.