Can I allow the index listing of the well known acme-challenge directory without compromising on the security?
Is it a threat to me if I allow the index listing of the acme-challenge directory? I went through some and understood that well-known/acme-challenge/ or /. well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain. The CA will send them specific code for an HTML page that must be located in this particular directory.
Exposing your ACME-challenges is not a security concern. These unique tokens are given to you to aid automatic domain ownership verification. They should be unique in path and content. Since your site has no certificate when the challenge phase happens your tokens are exposed via a plaintext HTTP connection anyway. The tokens are not secret, they just have to be sufficiently random to prevent anyone from obtaining certificates for domains one has no control over. If they were not so, one might be able to find a file on the server that matches the challenge and receive certificates for domains he does not own. If my acme-challenge tokens have been visible in this manner, are my SSL certs compromised? They are definitely not. Certificate issuance is a completely separate process. Once the domain ownership is verified the ACME challenges are not used.