
I understand the initial challenge-response pattern when using Let's Encrypt, but I noticed that when testing renewals, no GET requests were hitting .well-known/acme-challenge.

Once the domain/account keys are set up, does renewal ever have to touch .well-known? Can my account/domain keys ever expire and have to be refreshed?

My app requires specific mounts to serve that directory and if possible I would like to avoid the configuration overhead if it won't ever be used anyway. I can use a slimmer setup for the initial domain verification.

d.c.
  • 267

1 Answer


The renew process does use the /.well-known/ directory. At least in my case I have multiple different IPs making GET /.well-known/acme-challenge/* during renewal.

But it is not used afterwards, between renewals, so it would be enough to prepare it just before your renewal script runs.

We do it the other way round: /.well-known/ URI location is aliased to a system management directory outside the web document root. The alias is switched on via our custom acme-renewal script.

d.c.
  • 267
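A sketch of the switch-on, renew, switch-off wrapper the answer describes, added here as an example and not the answerer's own script. It assumes nginx with a server block that contains `include /etc/nginx/acme-enabled/*.conf;`, certbot as the ACME client, and the directory paths shown; all of those are assumptions.

```shell
#!/bin/sh
# Paths are assumptions; override them via the environment.
ACME_CONF_DIR="${ACME_CONF_DIR:-/etc/nginx/acme-enabled}"   # included by the server block
ACME_ROOT="${ACME_ROOT:-/var/lib/acme-challenge}"           # outside the web document root
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# Drop in a snippet that aliases only the ACME challenge path to the
# management directory, then reload so the challenge files are served.
acme_alias_enable() {
    conf="$ACME_CONF_DIR/acme-challenge.conf"
    mkdir -p "$ACME_ROOT" "$ACME_CONF_DIR" || return 1
    cat > "$conf" <<EOF
location ^~ /.well-known/acme-challenge/ {
    alias $ACME_ROOT/;
    default_type "text/plain";
}
EOF
    sh -c "$RELOAD_CMD"
}

# Remove the snippet again so nothing under /.well-known/ is exposed
# between renewals.
acme_alias_disable() {
    rm -f "$ACME_CONF_DIR/acme-challenge.conf" && sh -c "$RELOAD_CMD"
}

# True while the alias snippet is in place.
acme_alias_enabled() {
    [ -f "$ACME_CONF_DIR/acme-challenge.conf" ]
}

# Enable the alias, run the renewal with the management directory as
# webroot, and disable the alias whether or not renewal succeeded.
acme_renew() {
    acme_alias_enable || return 1
    certbot renew --webroot -w "$ACME_ROOT"
    rc=$?
    acme_alias_disable
    return $rc
}

# Run the full cycle only when invoked as: ./acme-renew.sh renew
case "${1:-}" in
    renew) acme_renew ;;
esac
```

Run it from cron or a systemd timer shortly before the certificate's renewal window; the alias exists only for the duration of the renewal run.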