How To Self Host HTTP Challenges
Posh-ACME 3.6.0 introduced a new function called Invoke-HttpChallengeListener which is a super convenient way to self-host HTTP challenge data just long enough to satisfy an order's authorizations. Under the hood, it uses .NET's System.Net.HttpListener, so it won't touch any other web server configuration you have running. There are some prerequisites you have to take care of on Windows if you're not running PowerShell as an administrator and some other considerations for any OS. This article will explain all those and go through some examples using the function.
When running on Windows, the HttpListener class depends on a kernel mode web server called http.sys. Because it's a system-level service, non-administrator users can't use it without an explicit URL reservation that gives them permission. Open up an elevated PowerShell session and run the following to see the current list of URL reservations.
&netsh.exe http show urlacl

Modern Windows versions will have a bunch of these even in a default install for various system components and services. We need to add one that matches what Invoke-HttpChallengeListener will be trying to use. By default, it will use http://+:80/.well-known/acme-challenge/. The easiest thing to do is create the reservation and give permissions to "Everyone". But it's perfectly reasonable to only grant permissions to the user or group who will need it as well. Just adjust the command line appropriately with the target user/group.
&netsh.exe http add urlacl url=http://+:80/.well-known/acme-challenge/ user=Everyone
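As an added example (not part of the Posh-ACME project or this wiki), the script below wraps the two netsh commands above so that the reservation is only created when it doesn't already exist: it checks for elevation, parses the current "Reserved URL" / "User:" lines from netsh, and adds the default Invoke-HttpChallengeListener URL for the requested principal. The $Url and $Principal parameter names are assumptions; "Everyone" matches the command above, but passing a specific user or group is the least-privilege option.

```powershell
# Added example: ensure the URL ACL that Invoke-HttpChallengeListener needs
# exists, creating it only if it is missing. Run from an elevated PowerShell
# session on Windows. $Url and $Principal are assumed parameter names.
param(
    [string]$Url       = 'http://+:80/.well-known/acme-challenge/',
    [string]$Principal = 'Everyone'   # narrower group preferred in production
)

# netsh refuses to add reservations without elevation, so check up front.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

# Parse existing reservations. netsh prints "Reserved URL : <url>" followed
# by indented "User: <principal>" lines belonging to that reservation.
$reservations = @{}
$current      = $null
foreach ($line in (& netsh.exe http show urlacl)) {
    if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
        $current = $Matches[1]
        $reservations[$current] = @()
    }
    elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
        $reservations[$current] += $Matches[1]
    }
}

if ($reservations.ContainsKey($Url)) {
    $who = $reservations[$Url] -join ', '
    Write-Host "Reservation for $Url already exists; granted to: $who"
}
else {
    Write-Host "Adding reservation for $Url granted to $Principal"
    & netsh.exe http add urlacl url=$Url user=$Principal
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}
```

Re-run the script after adding the reservation and it reports the existing entry and the principals it was granted to, which is a quick way to audit who can bind the challenge path on that host.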