Certbot .well-known security issue
Posted: Mon Jun 25, 2018 5:26 am
I use certbot on a default installation of VestaCP on my Ubuntu 16.04 machine. It generates certificates well, but in order to verify the domain, it adds
This causes my automated security testing to alarm that http://domain/.well-known/acme-challenge/<h1>abc</h1> kind of URLs are hackable and available on the website.
Is there any way I can fix this? Like certbot using another method, or removing this nginx configuration when the certificate is done/renewed and adding it again when needed?
Code:
location ~ "^/.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
}
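One way to narrow the rule from the post, as an added example that is not part of the original post or VestaCP's own configuration: ACME challenge tokens use only the base64url alphabet (RFC 8555), so the capture group can be limited to those characters, and a request carrying markup no longer matches this location. The masked value after `$1.` is kept as the placeholder from the post.

```nginx
# Before (as posted): (.*) reflects any path segment, including markup, in the body.
# location ~ "^/.well-known/acme-challenge/(.*)$" { ... }

# After: only base64url token characters match; the dot is escaped as well.
location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
    default_type text/plain;
    # Tell browsers not to sniff the body as anything other than text/plain.
    add_header X-Content-Type-Options nosniff always;
    # Placeholder from the post, not a real value.
    return 200 "$1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
}
```

After reloading nginx, run `nginx -t` first to validate the syntax, then re-run the scanner against the same URL to confirm the request now gets the server's normal not-found handling.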