This is a description of how the challenge/response works.
The bot (acme_tiny.py) asks Let's Encrypt to sign a certificate for your host name, so that a visitor's browser can be sure it is talking to the server that controls that name. The browser can rely on that because it trusts Let's Encrypt's root certificate.
To discharge that responsibility Let's Encrypt needs to be sure that the bot it is speaking to really controls the web site named in the request.
Let's Encrypt challenges the bot to publish a web page whose name (a random token) and content (the token, a dot, and a fingerprint of the bot's account key) are chosen by Let's Encrypt for each challenge, so it cannot be prepared in advance.
If the bot can do this then it must control what that web server publishes, which in practice means it can write to a directory the server serves.
The location of these web pages is always under /.well-known/acme-challenge/ on the plain HTTP (port 80) side of the site being validated.
This is why some Apache configuration is needed before the certificates are signed: a directory that the bot can write to has to be mapped to /.well-known/acme-challenge/ and be readable by the web server. The bot needs write access to that one directory only, not to the rest of the document root.
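The http-01 exchange described above, from the bot's side, as an added example in Python (the language acme_tiny.py is written in). This is not the tutorial's or acme_tiny.py's own code. It computes the key authorization the CA expects (the token, a dot, and the RFC 7638 thumbprint of the account key), writes it under .well-known/acme-challenge/, and then fetches it back over HTTP the way the CA does, using Python's built-in http.server as a stand-in for Apache. The account JWK, the token and the directory are constructed for the demo; it also computes the TXT value the dns-01 variant would publish instead.

```python
"""Added example of the ACME http-01 challenge from the bot's side.
Not the tutorial's or acme_tiny.py's code; JWK, token and paths are constructed."""
import base64
import functools
import hashlib
import http.server
import json
import os
import re
import tempfile
import threading
import urllib.request

# Path the CA fetches the challenge from, fixed by RFC 8555.
CHALLENGE_PATH = "/.well-known/acme-challenge/"

# ACME tokens are base64url text. The token becomes a file name, so anything
# else (for example "../") must be rejected rather than written to disk.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_is_valid(token: str) -> bool:
    """True only for a token that is safe to use as a file name."""
    return TOKEN_RE.match(token) is not None


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA public JWK: SHA-256 over the required
    members only, keys in lexicographic order, no whitespace."""
    required = {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact text the CA expects to read back: token '.' thumbprint.
    The thumbprint ties the response to the account key, so a file somebody
    else manages to place on the server does not validate for their account."""
    if not token_is_valid(token):
        raise ValueError("token is not base64url: %r" % token)
    return token + "." + jwk_thumbprint(account_jwk)


def write_challenge(challenge_dir: str, token: str, account_jwk: dict) -> str:
    """Publish the key authorization at <challenge_dir>/<token>; returns what was written."""
    body = key_authorization(token, account_jwk)  # validates the token first
    with open(os.path.join(challenge_dir, token), "w", encoding="ascii") as f:
        f.write(body)
    return body


def dns01_txt_value(key_auth: str) -> str:
    """dns-01 variant: the TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(key authorization)) rather than the key authorization itself."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def fetch_challenge(base_url: str, token: str, timeout: float = 5.0) -> str:
    """What the CA does: GET the file over plain HTTP and return its body."""
    with urllib.request.urlopen(base_url + CHALLENGE_PATH + token, timeout=timeout) as resp:
        return resp.read().decode("ascii")


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's output clean
        pass


def start_server(docroot: str) -> http.server.ThreadingHTTPServer:
    """Stand-in for Apache: serve docroot on an ephemeral loopback port."""
    handler = functools.partial(_QuietHandler, directory=docroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo() -> dict:
    """Run the whole exchange locally: write the file, then fetch it as the CA would."""
    # Constructed RSA public JWK: only its shape matters, no RSA operation is performed.
    account_jwk = {
        "kty": "RSA",
        "e": "AQAB",
        "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDprecbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBIY2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw",
    }
    token = "DGyRejmCefe7v4NfDGDKfA"  # constructed; a real one is chosen by the CA per challenge
    with tempfile.TemporaryDirectory() as docroot:
        challenge_dir = os.path.join(docroot, ".well-known", "acme-challenge")
        os.makedirs(challenge_dir)
        expected = write_challenge(challenge_dir, token, account_jwk)
        server = start_server(docroot)
        try:
            served = fetch_challenge("http://127.0.0.1:%d" % server.server_address[1], token)
        finally:
            server.shutdown()
            server.server_close()
    return {"key_authorization": expected, "served": served, "valid": served == expected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With Apache the same layout is reached with an Alias rather than a sub-directory of the document root: `Alias /.well-known/acme-challenge/ /path/the/bot/can/write/to/` together with a `<Directory>` block for that path containing `Require all granted`, so the bot's write permission is confined to that one directory. Running `fetch_challenge` against your own host name before asking Let's Encrypt to validate is the cheapest way to catch a wrong Alias, a redirect to HTTPS that drops the path, or a permissions problem.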
Let's Encrypt also allows validation using DNS (the dns-01 challenge), where the proof is a TXT record published at _acme-challenge.<your domain> instead of a file on the web server. If you control the DNS then the web server can be anything, since it takes no part in the validation. I do not use this.
Let's Encrypt's own root certificate (ISRG Root X1) is now hard wired into the trust stores of most browsers and operating systems. This means that the cross-signed chain, which older clients relied on to reach a root they already trusted, is no longer needed for current browsers.