A user of my Apache ACME client asked about a feature where the security implications are not clear to me:
- he has several server instances that may receive the CA's http-01 challenge request. He therefore would like all servers to answer to all challenges like the solution proposed by acme.sh: <https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode> server { .... location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ { default_type text/plain; return 200 "$1.6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd"; } which sends the thumbnail back to anyone asking. Is this an example to follow? It feels very open... Thanks, Stefan _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
