RFC Errata
RFC 8555, "Automatic Certificate Management Environment (ACME)", March 2019
Source of RFC: acme (sec)
Errata ID: 6843
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: James Kasten
Date Reported: 2022-02-08
Section 8.3 says:
Because many web servers allocate a default HTTPS virtual host to a particular low-privilege tenant user in a subtle and non-intuitive manner, the challenge must be completed over HTTP, not HTTPS.
It should say:
Because many web servers allocate a default HTTPS virtual host to a particular low-privilege tenant user in a subtle and non-intuitive manner, the challenge must be initiated over HTTP, not HTTPS.
Notes:
Completing the entire http-01 challenge over HTTP is unnecessary. The threat of default HTTPS virtual hosts is remediated by "initiating" the http-01 challenge over HTTP. Validation servers which redirect from HTTP to HTTPS should be permitted following the rest of the guidance within Section 10, Security Considerations.
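As an added illustration of the behaviour the erratum describes (example code, not part of RFC 8555 or the reporter's submission), the validation-server side of an http-01 check in Python: the first request is always built over plain HTTP, an HTTP-to-HTTPS redirect is followed (up to a cap), and the response body is compared with the key authorization. The `fetch` transport, domain, token and thumbprint are assumptions supplied by the caller.

```python
"""Validation-server side of an ACME http-01 challenge (constructed example).

The challenge is initiated over HTTP so a default HTTPS virtual host owned by
some other tenant is never the first thing consulted; a redirect to HTTPS is
then acceptable, as the erratum argues.
"""
from urllib.parse import urlparse, urljoin

MAX_REDIRECTS = 10  # bound redirect chains so a misconfigured host cannot loop us


def challenge_url(domain: str, token: str) -> str:
    # Initiated over cleartext HTTP, never HTTPS (the erratum's point).
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def validate_http01(domain: str, token: str, thumbprint: str, fetch):
    """Return (ok, reason).

    `fetch(url)` -> (status, headers, body) is a caller-supplied transport
    (hypothetical; a test can pass a dict-backed stub, so no network is needed).
    `thumbprint` is the base64url JWK thumbprint of the account key.
    """
    expected = f"{token}.{thumbprint}"  # key authorization per RFC 8555 s8.1
    url = challenge_url(domain, token)
    for _ in range(MAX_REDIRECTS + 1):
        scheme = urlparse(url).scheme
        if scheme not in ("http", "https"):
            # Only HTTP(S) targets are followed; anything else is refused.
            return False, f"refusing redirect to non-HTTP scheme: {scheme}"
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "Location" in headers:
            url = urljoin(url, headers["Location"])  # may move us to https://
            continue
        if status != 200:
            return False, f"unexpected status {status} from {url}"
        if body.rstrip() != expected:  # trailing whitespace is tolerated
            return False, "key authorization mismatch"
        return True, f"validated via {url}"
    return False, "too many redirects"
```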