Re: [Acme] Support for domains with redundant but not immediately synchronized servers
Peter Eckersley <pde@eff.org> Fri, 04 December 2015 08:46 UTC
Date: Fri, 04 Dec 2015 00:46:01 -0800
From: Peter Eckersley <pde@eff.org>
To: Jonas Wielicki <jonas@wielicki.name>
Message-ID: <20151204084601.GQ18430@eff.org>
References: <565C84A1.9040102@wielicki.name>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <565C84A1.9040102@wielicki.name>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/213Cl8wdoQJqFI3fjucq8Y1rcLQ>
Cc: acme@ietf.org
Subject: Re: [Acme] Support for domains with redundant but not immediately synchronized servers
There's a fairly good solution available with the current protocol, which is to serve a (long lived) redirect from /.well-known/acme-challenge/ on all of the servers to a different URL that is always answered by the machine you run an ACME client on.

Are there any cases where that is sufficiently unworkable to warrant a protocol change?

On Mon, Nov 30, 2015 at 06:17:21PM +0100, Jonas Wielicki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi list,
>
> I have asked this in the IRC and was pointed to this mailing list. I tried to get a certificate for klausurschokola.de via Let’s Encrypt during the currently running limited beta (we have the domain whitelisted). The name has the following address records:
>
> 1800 IN A 176.9.101.187
> 1800 IN A 217.115.12.71
>
> (in addition, there is one AAAA record for each of the machines addressed by the A records)
>
> As you can see, two different machines are addressed. Those are physically separated machines with different main administrators. Both are pulling their web content from the same source, but it is not supposed to be dynamic, so there is no "fast" (order of seconds) way to mirror the content.
>
> Our wish would be to be able to use different private keys and certificates for both hosts, and renew these independently from the other host. We thought that this would be possible using Let’s Encrypt.
>
> The problem is that currently, the Let’s Encrypt server sometimes chooses the wrong of the two IPs to ask for the file in /.well-known/acme-challenge. Ideally, it would use the IP of the requester (of course only after it has verified that the IP is in the DNS) or allow the requester to specify a preferred IP.
>
> For example, on 176.9.101.187:
>
> # letsencrypt certonly -c ~/schoko.ini -d klausurschokola.de -d www.klausurschokola.de
>
> [… curses …]
>
> Failed authorization procedure. klausurschokola.de (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://klausurschokola.de/.well-known/acme-challenge/c5HJrtp8t8JhfNgTXVC8N7OsCrguAWGw-JTIJxCFeIQ [217.115.12.71]: 404
>
> Is such a thing planned? Are there security reasons against doing this? Are there security reasons against doing this on a DNSSEC signed domain (which klausurschokola.de is)?
>
> best regards,
> Jonas
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCgAGBQJWXIShAAoJEMBiAyWXYliKJ1wP/iGVeGRxnAkrAstfjeGLvLeC
> TXnF76X/8xC3s4dd/UR0DE2n9Pdn0FYCK+6jRTn+Xpa0MvrA2ME20AZMh070Ghy0
> JRbdTWqjQTHzvjXYQHjSkW24pyZNgdfnmwd0HiAhn1mANv3dhVTnHR4hibZww+Su
> ty3XzsyZYjrfQ3K5/bTb/jz+QZUoZ/fJJuNlyMsVInF3rzagj34WWR4sYbAIwKEF
> CTvBFxINY04pUeemYlywPYrUOmcJTOK/wVi1ya2BgLgTqNJP5FJOX5jCHHr8m5ej
> A7G/nGWFSybOG1GkjMOdST3uMeL7HlpqhUnuNzsiC3ZAfmgVwceLsG3bTCAxcrgB
> 7XiSs3MrURuEk17w2QB0Oyt487DrmftzFo3vzvCrrl42au9JV69Y14/0W3z5piYM
> DIGpd/KNSL2m6xvzoJHoi+o5lTl9GiP6KQKlJiIUtn2cz8Ro6CiwXkhD0FmG8sP7
> 4wqg+vnpcTdhrzsWuAPrpGej+GT1LlWOLERnyPOfVhQ8EUPanwgUbGo1uTfHB2mj
> T2CdCCZhcmJFurvz+7FVI1WaVgGR/rdZbu4ueC+0YNZEOICXE0pIJEw8rKWJbqe3
> lKchgpR6jR3TKHHwNFDIZj049TBiEGxMXsdEaGlLOHdnr4ZlIDgfycumhYVTNJUi
> IDHRifjFUchCynluOhZi
> =3akD
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

--
Peter Eckersley                            pde@eff.org
Chief Computer Scientist          Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
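The exchange above, as an added example that is not part of the thread: a small Python model of the CA side of http-01 validation against a name with two A records. It computes the key authorization the way ACME does (token, a dot, and the RFC 7638 JWK thumbprint), then has the validator pick one of the name's addresses at random, fetch the token path, follow redirects, and compare the body. Run twice, once with the second host serving a 404 for the challenge directory (Jonas's failure) and once with that host answering the challenge prefix with a permanent redirect to a name that resolves only to the machine running the ACME client (Peter's suggestion). The two addresses and the token come from the quoted error message; the account key, the name acme.klausurschokola.de and the in-memory DNS and hosts are constructed for the example, and the validator is simplified (no port or scheme handling, no address-family preference).

```python
import base64
import hashlib
import json
import random

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, serialized without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects at the challenge URL: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class WebHost:
    """One of the redundant web servers. Serves the challenge files it has and
    may answer the whole challenge prefix with a redirect to another origin
    (the long-lived redirect suggested in the reply)."""

    def __init__(self, challenge_files=None, redirect_origin=None):
        self.files = dict(challenge_files or {})
        self.redirect_origin = redirect_origin

    def get(self, path):
        if self.redirect_origin and path.startswith(CHALLENGE_PREFIX):
            return 301, {"Location": self.redirect_origin + path}, ""
        if path in self.files:
            return 200, {}, self.files[path]
        return 404, {}, ""


def validate_http01(dns, hosts, name, token, expected, rng, max_redirects=5):
    """Simplified model of the CA's validator: resolve the name, pick ONE of its
    addresses at random (the behaviour the thread complains about), fetch the
    token path, follow redirects (re-resolving each new host), compare body."""
    url = f"http://{name}{CHALLENGE_PREFIX}{token}"
    for _ in range(max_redirects + 1):
        host, _, rest = url.split("://", 1)[1].partition("/")
        addr = rng.choice(dns[host])
        status, headers, body = hosts[addr].get("/" + rest)
        if status in (301, 302, 307, 308):
            url = headers["Location"]
            continue
        return status == 200 and body.strip() == expected
    return False  # too many redirects


def run_scenario(with_redirect: bool, attempts: int = 20, seed: int = 0):
    """Validate `attempts` times against the two-address name from the thread
    and return the per-attempt outcomes."""
    # Constructed account key; only its thumbprint matters here.
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "example-x", "y": "example-y"}
    token = "c5HJrtp8t8JhfNgTXVC8N7OsCrguAWGw-JTIJxCFeIQ"  # token from the quoted error
    keyauth = key_authorization(token, account_jwk)

    # Hypothetical name that resolves only to the machine running the ACME client.
    acme_origin = "http://acme.klausurschokola.de"
    client_host = WebHost({CHALLENGE_PREFIX + token: keyauth})
    other_host = WebHost(redirect_origin=acme_origin if with_redirect else None)

    dns = {"klausurschokola.de": ["176.9.101.187", "217.115.12.71"],
           "acme.klausurschokola.de": ["176.9.101.187"]}
    hosts = {"176.9.101.187": client_host, "217.115.12.71": other_host}

    rng = random.Random(seed)
    return [validate_http01(dns, hosts, "klausurschokola.de", token, keyauth, rng)
            for _ in range(attempts)]


if __name__ == "__main__":
    print("without redirect:", run_scenario(False).count(True), "of 20 succeed")
    print("with redirect:   ", run_scenario(True).count(True), "of 20 succeed")
```

Without the redirect roughly half the attempts fail, because whichever address the validator picks has to hold the file; with it, every attempt succeeds regardless of which address is chosen, since the redirect target is answered only by the host that placed the file. The same modelled validator also shows why the redirect has to cover the whole challenge prefix rather than one token: each renewal uses a fresh token, and the other host has no fast way to learn it.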