How does Let's Encrypt verify the domain for which a user tries to generate an SSL certificate? I've read that many spamming sites get LE certs (how can one be sure that some kind of website is clean: not spamming, not hacking, not phishing, etc.?). So the conclusion is that LE is not verifying for which type of site it gives a certificate. Does anybody know?
Let's Encrypt provides DV SSL certs only. You'll have to prove that you control the webspace for the domain by providing a given file at a requested location, or that you are in control of the DNS info by adding a given TXT record to the domain zone file.
A file with the requested SSL cert, and the location in which it is saved? What should be written in the given TXT record?
Basically it works like this:

You: Dear LE Server, please give me an SSL cert for domain.tld
LE: Sure you can have one. Put a file with name xxxxx in your .well-known folder.
You: Dear LE Server, the file is there. Please go and check.
LE: *checks if the challenge file is at the given location*
LE: Great, we have checked and you have control over the domain. Here are your certs.

Or with the DNS challenge:

You: Dear LE Server, please give me an SSL cert for domain.tld. I prefer to use the DNS method.
LE: Sure you can have one. Add this TXT record "xxxx" to your domain's DNS zone.
You: Dear LE Server, I have added that TXT record to my DNS zone and you can go check.
LE: *pulls current DNS zone info for domain.tld from the primary DNS server and checks if the TXT record is there*
LE: Great, we have checked and you have control over the DNS for domain.tld. Here are your certs.
I like simple answers. Is this file automatically put there during the certbot installation process? Btw this verification is more or less like this: LE: Are you the domain owner? User: Yes, I am. LE: Great, grab the cert. But it looks like LE gives a cert to anybody who wants it, and does not check whether the website is spamming, phishing, etc.
This is what the ACME protocol and the LE clients do. It's an automated way to check whether the person who makes the request has power over the domain. There are currently two challenges which can show that:

1. Put a given file into the web-accessible space, so the LE servers can check if you actually can alter the website.
2. Put a given TXT record into the DNS, so the LE servers can check if you can alter the DNS (if you can alter the DNS you can point the domain to an IP where you have a server that you run).

Why should LE check for spamming, phishing, etc.? An SSL cert will just establish a secured connection between you and a domain on the internet. That's all SSL does.
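An added worked example of the two challenges described above (it is not code from this thread or from Let's Encrypt): it builds the key authorization that an ACME client publishes, the exact file body and TXT value the CA looks for, and the CA-side comparison, following the construction in RFC 8555 and RFC 7638. The account key, token and domain are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed placeholders for the example: not a real ACME account key or token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructedModulusNotARealKey"}
TOKEN = "constructedToken123"
DOMAIN = "domain.tld"


def b64url(data):
    """Base64url without '=' padding, the encoding ACME uses for these values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the required JWK members in canonical JSON order."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token, jwk):
    """What the client must publish: the CA's token bound to the client's account key."""
    return token + "." + jwk_thumbprint(jwk)


def http01_challenge(domain, token, jwk):
    """HTTP-01: the URL the CA fetches and the exact body it expects to find there."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    return url, key_authorization(token, jwk)


def dns01_challenge(domain, token, jwk):
    """DNS-01: TXT record name and value (base64url SHA-256 of the key authorization)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode()).digest()
    return "_acme-challenge." + domain, b64url(digest)


def ca_validate_http01(token, jwk, fetched_body):
    """CA side: the fetched body must equal the key authorization (trailing whitespace ignored)."""
    return fetched_body.rstrip() == key_authorization(token, jwk)


def ca_validate_dns01(domain, token, jwk, txt_records):
    """CA side: at least one TXT record at _acme-challenge.<domain> must match exactly."""
    _, expected = dns01_challenge(domain, token, jwk)
    return any(record == expected for record in txt_records)


if __name__ == "__main__":
    print("HTTP-01 expects %s to return %r" % http01_challenge(DOMAIN, TOKEN, ACCOUNT_JWK))
    print("DNS-01 expects TXT %s = %r" % dns01_challenge(DOMAIN, TOKEN, ACCOUNT_JWK))
```

Neither check looks at what the site serves, which is the point made in the answers above: the CA only learns that the requester controls the domain or its DNS.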