Re: [Acme] Want client-defined callback port

Jacob Hoffman-Andrews <jsha@eff.org> Thu, 16 April 2015 22:09 UTC

Return-Path: <jsha@eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A1DE1B3793 for <acme@ietfa.amsl.com>; Thu, 16 Apr 2015 15:09:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.011
X-Spam-Level:
X-Spam-Status: No, score=-7.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z0VrzidZrA2p for <acme@ietfa.amsl.com>; Thu, 16 Apr 2015 15:09:33 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD3731B3797 for <acme@ietf.org>; Thu, 16 Apr 2015 15:09:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID; bh=WfbIkbnk3d4zR71FgD01kPBGXnWHSEM/KVpZmPioRUU=; b=4gvKCWuBH8KRfiBzNdAtwkRfRsvuhgG572reEmyXYMimm8bjuJHkUXMDLrXwS+JuXOsmIOYH8mqReoKfB5pGbXwQXACh8MVk6IPPdobtIZ6j3YgxOYYc0bQx5IPuHWi8nI9RvZ1yTAAkGeH89vqWzrwwF7tU0KJ0hzdZNYkhVVs=;
Received: ; Thu, 16 Apr 2015 15:09:33 -0700
Message-ID: <55303319.1030707@eff.org>
Date: Thu, 16 Apr 2015 18:09:29 -0400
From: Jacob Hoffman-Andrews <jsha@eff.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Bruce Gaya <gaya@apple.com>, acme@ietf.org
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com>
In-Reply-To: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/0D9dS1iDEGlvgJJdAs20mkt6aYw>
Subject: Re: [Acme] Want client-defined callback port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2015 22:09:35 -0000

On 04/15/2015 11:04 PM, Bruce Gaya wrote:
> I want to use an ACME client to get a new certificate without taking down my existing web services that are using a port 443 (with a self-signed certificate or a certificate issued by another CA).
Right now the Simple HTTP and DVSNI challenges are designed specifically
to work well with a running server. For the DVSNI challenge type, the
web server must support config reloads without downtime in order to make
the test cert available under a special SNI name. Can you tell us more
about why these approaches won't work for you?

Thanks,
Jacob