1. Letsencrypt/challenge-types/HTTP-01

Describe it here.

HTTP-01 challenge: checks whether you can create a specific HTML file.

This is the most common challenge type today.

Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>.

That file contains the token, plus a thumbprint of your account key. Once your ACME client tells Let’s Encrypt that the file is ready, Let’s Encrypt tries retrieving it (potentially multiple times from multiple vantage points).

If our validation checks get the right responses from your web server,
the validation is considered successful and you can go on to issue your certificate.
If the validation checks fail, you’ll have to try again with a new certificate.

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

The HTTP-01 challenge can only be done on port 80.

Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.
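The file contents and the redirect rules described above, as an added Python example (not code from this page or from Let’s Encrypt): the served body is the token joined to the RFC 7638 thumbprint of the account JWK by a dot (RFC 8555 §8.1), and the redirect check mirrors the policy quoted above. SAMPLE_JWK is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import ipaddress
import json
from urllib.parse import urlsplit

MAX_REDIRECTS = 10  # Let's Encrypt follows at most 10 redirects

# Constructed sample account key: the modulus is NOT a real RSA key, it only
# shows which JWK members take part in the thumbprint (alg/kid are ignored).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus",
              "alg": "RS256", "kid": "acct-1"}

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the client must serve at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def challenge_url(domain: str, token: str) -> str:
    """Where the CA fetches from: always plain HTTP on port 80."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def body_matches(served_body: bytes, expected: str) -> bool:
    """CA-side comparison; trailing whitespace in the body is ignored (RFC 8555 §8.3)."""
    return served_body.rstrip(b" \t\r\n") == expected.encode("ascii")

def redirect_allowed(location: str, hop: int) -> bool:
    """Redirect policy from the text: <=10 hops, http/https only, ports 80/443, no IP literals."""
    if hop > MAX_REDIRECTS:
        return False
    u = urlsplit(location)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    port = u.port if u.port is not None else (80 if u.scheme == "http" else 443)
    if port not in (80, 443):
        return False
    try:
        ipaddress.ip_address(u.hostname)  # parses -> redirect target is an IP literal
        return False
    except ValueError:
        return True
```

Running `key_authorization("tok123", SAMPLE_JWK)` gives the exact bytes to place in the token file; a pre-flight check before telling the CA the file is ready is to fetch `challenge_url(...)` yourself and run `body_matches` on the response.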

Pros:

    It’s easy to automate without extra knowledge about a domain’s configuration.
    It allows hosting providers to issue certificates for domains CNAMEd to them.
    It works with off-the-shelf web servers.

Cons:

    It doesn’t work if your ISP blocks port 80 (this is rare, but some residential ISPs do this).
    Let’s Encrypt doesn’t let you use this challenge to issue wildcard certificates.
    If you have multiple web servers, you have to make sure the file is available on all of them.

MoinQ: Letsencrypt/ACME/challenge-types/HTTP-01 (last edited 2021-11-17 22:28:33 by ToshinoriMaeno)