Re: [Acme] Support for domains with redundant but not immediately synchronized servers

["Manger, James" <James.H.Manger@team.telstra.com>]

>> Ideally, it [Let's Encrypt] would use the IP of the 
>> requester (of course only after it has verified that the IP is in the
>> DNS) or allow the requester to specify a preferred IP.

This is quite a sensible feature request from Jonas. It supports multiple servers for a domain while encouraging keys that are tied to a single piece of hardware, without adding extra coordination requirements. It doesn't feel too onerous for CAs to implement.

> There's a fairly good solution available with the current protocol, which is to serve a (long lived) redirect from /.well-known/acme-challenge/ on all of the servers to a different URL that is always answered by the machine you run an ACME client on.

This redirect-based workaround feels far from ideal. It assumes 1 server does all the ACME bits, which discourages per-hardware keys. It requires more coordination between servers (1 is different; others need its IP; need some extra mechanism to distribute key+cert once issued). Section 9.2 "Integrity of Authorizations" [draft-ietf-acme-acme-01] warns that an ACME CA following redirects can be risky as a web site might have a catch-all redirect rule. Even worse, the spec hints that CAs might not (or must not?) follow redirects at all due to the risk when it says: "suppose an ACME server follows HTTP redirects in Simple HTTP validation…".

App-level redirects might be necessary to cope with some load balancing schemes, but specifying that an ACME server must prefer the requester's IP or a specified IP from the A/AAAA records DNS returns would still be useful.

--
James Manger


-----Original Message-----
From: Acme [mailto:acme-bounces@ietf.org] On Behalf Of Ryan Pendleton
Sent: Friday, 4 December 2015 8:53 PM

Personally, I think that's a more appropriate approach.

Even if a protocol change was made that allowed an ACME client to pin the challenge to a certain IP address, the requested IP may not always be returned by the authoritative DNS server. Any type of latency, geo or weighted routing algorithm could potentially get in the way.


-----Original Message-----
From: Acme [mailto:acme-bounces@ietf.org] On Behalf Of Peter Eckersley
Sent: Friday, 4 December 2015 7:46 PM
To: Jonas Wielicki <jonas@wielicki.name>
Cc: acme@ietf.org
Subject: Re: [Acme] Support for domains with redundant but not immediately synchronized servers

There's a fairly good solution available with the current protocol, which is to serve a (long lived) redirect from /.well-known/acme-challenge/ on all of the servers to a different URL that is always answered by the machine you run an ACME client on.

Are there any cases where that is sufficiently unworkable to warrant a protocol change?


-----Original Message-----
From: Acme [mailto:acme-bounces@ietf.org] On Behalf Of Jacob Hoffman-Andrews
Sent: Friday, 4 December 2015 10:27 AM

I think there are a few possible approaches to domain validation for hostnames that resolve to multiple IP addresses:

1) It is sufficient to deploy a challenge response on any IP address.
2) The challenge response must be deployed on all IP addresses.
3) The server tries one deterministic IP address and succeeds or fails based on whether the challenge is deployed there.

Let's Encrypt currently does (3), but it's probably the worst of both worlds and we should fix it.

Arguably (2) is the most secure, since a single-machine compromise isn't sufficient to issue a certificate.

And (1) is the easiest and most user-friendly. I think it's also similar to existing practice in the wild.

Jonas, security-wise your proposal is equivalent to (1). Rather than adding a preferred IP address to the spec, why not specif that ACME servers SHOULD implement (1)? Alternately we could state in the spec that the choice of IP is a policy choice of the CA, and lay out the two most reasonable options (1 and 2).

On Mon, Nov 30, 2015 at 06:17:21PM +0100, Jonas Wielicki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi list,
> 
> I have asked this in the IRC and was pointed to this mailing list. I 
> tried to get a certificate for klausurschokola.de via Let’s Encrypt 
> during the currently running limited beta (we have the domain 
> whitelisted). The name has the following address records:
> 
> 1800 	IN 	A	176.9.101.187
> 1800 	IN 	A 	217.115.12.71
> 
> (in addition, there is one AAAA record for each of the machines 
> addressed by the A records)
> 
> As you can see, two different machines are addressed. Those are 
> physically separated machines with different main administrators.
> Both are pulling their web content from the same source, but it is not 
> supposed to be dynamic, so there is no "fast" (order of seconds) way 
> to mirror the content.
> 
> Our wish would be to be able to use different private keys and 
> certificates for both hosts, and renew these independently from the 
> other host. We thought that this would be possible using Let’s Encrypt.
> 
> The problem is that currently, the Let’s Encrypt server sometimes 
> chooses the wrong of the two IPs to ask for the file in 
> /.well-known/acme-challenge. Ideally, it would use the IP of the 
> requester (of course only after it has verified that the IP is in the
> DNS) or allow the requester to specify a preferred IP.
> 
> For example, on 176.9.101.187:
> 
> # letsencrypt certonly -c ~/schoko.ini -d klausurschokola.de -d 
> www.klausurschokola.de
> 
> [… curses …]
> 
> Failed authorization procedure. klausurschokola.de (http-01):
> unauthorized :: The client lacks sufficient authorization :: Invalid 
> response from 
> http://klausurschokola.de/.well-known/acme-challenge/c5HJrtp8t8JhfNgTX
> VC
> 8N7OsCrguAWGw-JTIJxCFeIQ
> [217.115.12.71]: 404
> 
> 
> Is such a thing planned? Are there security reasons against doing 
> this? Are there security reasons against doing this on a DNSSEC signed 
> domain (which klausurschokola.de is)?
> 
> best regards,
> Jonas