Re: [Acme] Support for domains with redundant but not immediately synchronized servers

Peter Eckersley <pde@eff.org> Fri, 04 December 2015 08:46 UTC


There's a fairly good solution available with the current protocol,
which is to serve a (long lived) redirect from
/.well-known/acme-challenge/ on all of the servers to a different URL
that is always answered by the machine you run an ACME client on.

Are there any cases where that is sufficiently unworkable to warrant a
protocol change?

On Mon, Nov 30, 2015 at 06:17:21PM +0100, Jonas Wielicki wrote:
> 
> Hi list,
> 
> I have asked this in the IRC and was pointed to this mailing list. I
> tried to get a certificate for klausurschokola.de via Let’s Encrypt
> during the currently running limited beta (we have the domain
> whitelisted). The name has the following address records:
> 
> 1800 	IN 	A	176.9.101.187
> 1800 	IN 	A 	217.115.12.71
> 
> (in addition, there is one AAAA record for each of the machines
> addressed by the A records)
> 
> As you can see, two different machines are addressed. Those are
> physically separated machines with different main administrators.
> Both are pulling their web content from the same source, but it is not
> supposed to be dynamic, so there is no "fast" (order of seconds) way
> to mirror the content.
> 
> Our wish would be to be able to use different private keys and
> certificates for both hosts, and renew these independently from the
> other host. We thought that this would be possible using Let’s Encrypt.
> 
> The problem is that currently, the Let’s Encrypt server sometimes
> chooses the wrong of the two IPs to ask for the file in
> /.well-known/acme-challenge. Ideally, it would use the IP of the
> requester (of course only after it has verified that the IP is in the
> DNS) or allow the requester to specify a preferred IP.
> 
> For example, on 176.9.101.187:
> 
> # letsencrypt certonly -c ~/schoko.ini -d klausurschokola.de -d www.klausurschokola.de
> 
> [… curses …]
> 
> Failed authorization procedure. klausurschokola.de (http-01):
> unauthorized :: The client lacks sufficient authorization :: Invalid
> response from
> http://klausurschokola.de/.well-known/acme-challenge/c5HJrtp8t8JhfNgTXVC8N7OsCrguAWGw-JTIJxCFeIQ
> [217.115.12.71]: 404
> 
> 
> Is such a thing planned? Are there security reasons against doing
> this? Are there security reasons against doing this on a DNSSEC signed
> domain (which klausurschokola.de is)?
> 
> best regards,
> Jonas

-- 
Peter Eckersley                            pde@eff.org
Chief Computer Scientist          Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
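A small model of the workaround Peter describes above, added here as an example (it is not code from the thread or from any ACME implementation): every mirror answers the whole /.well-known/acme-challenge/ prefix with a long-lived redirect to a hostname that resolves only to the machine running the ACME client, so validation succeeds whichever A record the CA happens to pick. The name acme.klausurschokola.de, the account-key thumbprint and the HTTP handlers are assumptions constructed for illustration; the two IPs and the token are the ones from Jonas's report.

```python
import random
from urllib.parse import urlsplit

TOKEN = "c5HJrtp8t8JhfNgTXVC8N7OsCrguAWGw-JTIJxCFeIQ"   # token from the thread
KEY_AUTHZ = TOKEN + ".constructed-account-key-thumbprint"  # real one: b64url(SHA-256(JWK))
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
CHALLENGE_PATH = CHALLENGE_PREFIX + TOKEN
MIRRORED_NAME = "klausurschokola.de"
ACME_HOST = "acme.klausurschokola.de"  # hypothetical name resolving only to the client host

# DNS as in the thread (AAAA records omitted); the single-host name is assumed
DNS = {MIRRORED_NAME: ["176.9.101.187", "217.115.12.71"], ACME_HOST: ["176.9.101.187"]}

def serves_token_locally(host, path):
    """Webroot of the machine running the ACME client: the token file exists."""
    return (200, KEY_AUTHZ) if path == CHALLENGE_PATH else (404, None)

def not_synced_yet(host, path):
    """The other mirror before the fix: content syncs slowly, token absent."""
    return (404, None)

def redirect_to_acme_host(host, path):
    """Long-lived redirect for the whole challenge prefix, installed on every mirror."""
    if path.startswith(CHALLENGE_PREFIX):
        return (302, "http://" + ACME_HOST + path)
    return (404, None)

# servers[ip][vhost] -> handler.  BEFORE is the failing setup described in the thread.
BEFORE = {"176.9.101.187": {MIRRORED_NAME: serves_token_locally},
          "217.115.12.71": {MIRRORED_NAME: not_synced_yet}}
AFTER = {"176.9.101.187": {MIRRORED_NAME: redirect_to_acme_host, ACME_HOST: serves_token_locally},
         "217.115.12.71": {MIRRORED_NAME: redirect_to_acme_host}}

def validate(servers, host, path, rng, max_redirects=10):
    """CA side of http-01: pick any address of the name, fetch the challenge path,
    follow redirects (re-resolving at each hop), compare the key authorization."""
    for _ in range(max_redirects + 1):
        ip = rng.choice(DNS[host])                      # the CA may pick either A record
        status, body = servers[ip][host](host, path)
        if status in (301, 302):
            target = urlsplit(body)
            host, path = target.hostname, target.path
            continue
        return status == 200 and body == KEY_AUTHZ
    return False                                        # redirect loop or too many hops

def success_rate(servers, trials=200, seed=1):
    """Fraction of validations that succeed when the CA picks addresses at random."""
    rng = random.Random(seed)
    return sum(validate(servers, MIRRORED_NAME, CHALLENGE_PATH, rng) for _ in range(trials)) / trials
```

Since the name also has AAAA records, the same redirect has to be in place on the IPv6-addressed hosts, and the redirect target must itself be reachable by the CA over plain HTTP.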