LetsEncrypt / ACME protocol - verification string may cause Zope BadRequest error

I tried to raise the following issue on GitHub:

EFF's certbot, a tool for issuing LetsEncrypt SSL certificates, may generate verification strings / file names which start with an underscore. This causes a Zope BadRequest error.

The GitHub issue was closed by the certbot people, pointing to the following: their tool follows the ACME protocol, an Automatic Certificate Management Environment which may become an IETF standard.

I'm hoping someone here (Zope Foundation Board?) can pick up the ball and make a point with the IETF people to fix their may-be standard?


this has nothing to do with Zope/Plone either.

just create an alias to a file in your nginx configuration:

location /.well-known/acme-challenge/_0mEhMs-cOSAHjZ797i_3FNJpcTY_h8jvfOYtR0HfXo {
    alias /usr/share/nginx/html/foo;
}

Cheers, well aware that the verification file could also be stored on the filesystem and returned by the front-end server. That's not the point.

They are right: not accepting ids starting with an "_" is a Zope issue.

In the Python world, names starting with a single "_" are considered (more or less) private. Zope enforces this convention by prohibiting (web request) traversal via url steps starting with "_" and correspondingly prevents the use of ids starting with "_".

In the Plone world, the ids are usually automatically derived from the object title. You might use such a logic (and part of its implementation) to derive valid ids from the LetsEncrypt ids.

the point is: why do you want to create a file that has nothing to do with your CMS inside your CMS?

I guess you're handling the SSL end point on nginx, right?

I follow Dieter's reasoning "it's a Zope issue."

As Hector states, there are alternatives - store on file system, let frontend serve it. And yes, Apache config in my case contains the SSL directives.

Points taken...

taking into account that the "/.well-known/" URIs are something relatively "new" (defined in RFC 5785, in 2010, but mostly unused until a couple of years ago), I think you're right and we may have an issue here if other well-known URIs also use filenames starting with an underscore.

anyway, in your specific use case I still think that file must not be located inside Zope or Plone, as the SSL end point is in your Apache web server as you mentioned.
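
Added example (not part of any post in this thread, and not Zope, certbot or nginx code): a minimal Python WSGI middleware that does what the replies suggest, answering the challenge from the filesystem in front of the CMS so the token never has to become a Zope id. The class name, the `zope_style_id_ok` stand-in, the webroot layout and the key-authorization bytes are assumptions made for the illustration.

```python
import os
import re
import tempfile

# ACME tokens are base64url text, so "_" and "-" are legal in any position.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
PREFIX = "/.well-known/acme-challenge/"

def zope_style_id_ok(name):
    """Simplified stand-in for the rule described in the thread (not Zope's code)."""
    return not name.startswith("_")

class AcmeChallengeMiddleware:
    """Answer HTTP-01 challenges from a directory before the wrapped app sees them."""
    def __init__(self, app, webroot):
        self.app = app
        self.webroot = webroot

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(PREFIX):
            return self.app(environ, start_response)  # normal CMS traffic
        token = path[len(PREFIX):]
        # The alphabet whitelist rejects "/", "." and "..": no escape from webroot.
        target = os.path.join(self.webroot, token)
        if not TOKEN_RE.fullmatch(token) or not os.path.isfile(target):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        with open(target, "rb") as fh:
            body = fh.read()
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [body]

def demo():
    """Send the thread's token, a traversal attempt and a CMS URL through the stack."""
    token = "_0mEhMs-cOSAHjZ797i_3FNJpcTY_h8jvfOYtR0HfXo"
    def cms(environ, start_response):  # stands in for Zope behind the middleware
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"cms"]
    seen = []
    with tempfile.TemporaryDirectory() as webroot:
        with open(os.path.join(webroot, token), "wb") as fh:
            fh.write(b"constructed-key-authorization")  # constructed sample value
        app = AcmeChallengeMiddleware(cms, webroot)
        for p in (PREFIX + token, PREFIX + "../secret", "/front-page"):
            status = []
            body = b"".join(app({"PATH_INFO": p}, lambda s, h: status.append(s)))
            seen.append((status[0], body))
    return zope_style_id_ok(token), seen
```

The token quoted earlier in the thread fails the underscore rule yet is served correctly, because only the alphabet check and the webroot lookup ever touch it.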