Is the subdomain _acme-challenge protected?
I was looking into the DNS-01 challenge of Let's Encrypt, and I had a question about the subdomain process [1].
Let's say the website example.com gives away free subdomains; what stops me from requesting a Let's Encrypt wildcard certificate for *.example.com by claiming the _acme-challenge.example.com subdomain to complete the DNS-01 challenge?
Is there anything in the ACME protocol (or anything else) that stops me from doing this?
[1] = https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
Typically, sites providing free/custom subdomains are providing A records, whereas the ACME DNS-01 challenge requires adding a TXT record. This would make what you suggest very unlikely.
If a site allows adding arbitrary TXT records for subdomains and doesn't reserve _acme-challenge, then there's nothing in the protocol that would prevent abusing such a feature, and it would be a vulnerable service. However, that's a use case so uncommon that no-one would exclusively consider that when designing protocols like this.
Luckily, if this happens, Let's Encrypt certificates will expire in three months, and it's also possible to revoke the certificate even without access to its private key, just for cases like this:
If someone issued a certificate after compromising your host or your DNS, you’ll want to revoke that certificate once you regain control. In order to revoke the certificate, Let’s Encrypt will need to ensure that you control the domain names in that certificate (otherwise people could revoke each other’s certificates without permission)! To validate this control, Let’s Encrypt uses the same methods it uses to validate control for issuance: you can put a value in a DNS TXT record or put a file on an HTTP server. - -
Once you’ve validated control of all the domain names in the certificate you want to revoke, you can download the certificate from crt.sh, then proceed to revoke the certificate as if you had issued it:
certbot revoke --cert-path /PATH/TO/downloaded-cert.pem
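As an added illustration of the mitigation the answer describes (not code from the question, the answer, or Let's Encrypt), the following Python shows the server-side checks a free-subdomain provider could apply before creating a tenant's name or record: refuse underscore-prefixed labels such as _acme-challenge at any depth under the parent zone, and offer only the record types tenants actually need (A, AAAA, CNAME), so no tenant can place the TXT record that DNS-01 validation of the parent zone would read. The zone name, the reserved-label set and the function names are assumptions chosen for the example.

```python
"""
Added example (not from the original question or answer): name and
record validation for a hypothetical free-subdomain service, written so
that delegated names cannot be used to satisfy ACME DNS-01 for the
parent zone. Function names and the policy sets are assumptions.
"""
import re

# Labels the provider reserves for itself. _acme-challenge is the name
# ACME DNS-01 validation reads; "www" is an assumed provider-specific entry.
RESERVED_LABELS = {"_acme-challenge", "www"}

# Record types offered to tenants. TXT is deliberately absent: DNS-01
# needs a TXT record, and a service that lets tenants create TXT records
# at arbitrary names under the zone is the vulnerable case the answer describes.
ALLOWED_TYPES = {"A", "AAAA", "CNAME"}

# Letters, digits and hyphens only, no leading/trailing hyphen, max 63 octets.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def validate_label(label: str) -> tuple[bool, str]:
    """Return (ok, reason) for one requested label beneath the parent zone."""
    label = label.strip().lower().rstrip(".")
    if not label:
        return False, "empty label"
    # Underscore-prefixed labels are reserved for protocol use (RFC 8552),
    # which covers _acme-challenge and any future validation label.
    if label.startswith("_"):
        return False, "underscore-prefixed labels are reserved for protocol use"
    if label in RESERVED_LABELS:
        return False, f"label {label!r} is reserved by the provider"
    if not LABEL_RE.match(label):
        return False, "label is not valid letter-digit-hyphen syntax"
    return True, "ok"


def validate_record(owner: str, rtype: str, parent_zone: str) -> tuple[bool, str]:
    """Return (ok, reason) for a proposed record (owner name, type) under parent_zone."""
    owner = owner.strip().lower().rstrip(".")
    parent_zone = parent_zone.strip().lower().rstrip(".")
    rtype = rtype.strip().upper()
    if rtype not in ALLOWED_TYPES:
        return False, f"record type {rtype} is not offered to tenants"
    if owner == parent_zone or not owner.endswith("." + parent_zone):
        return False, "owner must be a proper subdomain of the parent zone"
    # Check every label between the owner and the zone apex, so that
    # _acme-challenge.tenant.example.com is rejected as well as
    # _acme-challenge.example.com (the former would matter for a
    # tenant-level DNS-01 validation, the latter for the parent zone).
    relative = owner[: -len(parent_zone) - 1]
    for label in relative.split("."):
        ok, reason = validate_label(label)
        if not ok:
            return False, reason
    return True, "ok"


if __name__ == "__main__":
    zone = "example.com"  # constructed sample zone
    samples = [  # constructed sample requests
        ("_acme-challenge.example.com", "TXT"),
        ("_acme-challenge.example.com", "A"),
        ("alice.example.com", "A"),
        ("_acme-challenge.alice.example.com", "TXT"),
    ]
    for owner, rtype in samples:
        print(f"{owner:40} {rtype:5} -> {validate_record(owner, rtype, zone)}")
```

Both checks are needed: rejecting TXT alone still lets a tenant register the _acme-challenge label (and later point it via CNAME at a TXT record they control, which ACME clients commonly use for delegated validation), while reserving the label alone does not stop TXT records elsewhere that a future validation method might read. The record-type check is evaluated first, so a TXT request for _acme-challenge fails on the type before the label is even examined.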