[Acme] Support for domains with redundant but not immediately synchronized servers

Jonas Wielicki <jonas@wielicki.name> Mon, 30 November 2015 17:17 UTC

Return-Path: <jonas@wielicki.name>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2838D1B29CA for <acme@ietfa.amsl.com>; Mon, 30 Nov 2015 09:17:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.699
X-Spam-Level:
X-Spam-Status: No, score=0.699 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8BrNLdqcmtwk for <acme@ietfa.amsl.com>; Mon, 30 Nov 2015 09:17:29 -0800 (PST)
Received: from sol.sotecware.net (sol.sotecware.net [IPv6:2a01:4f8:d16:5380::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFB751B29B3 for <acme@ietf.org>; Mon, 30 Nov 2015 09:17:27 -0800 (PST)
Received: from altair.sotecware.net (xd9bda3ec.dyn.telefonica.de [217.189.163.236]) by sol.sotecware.net (Postfix) with ESMTPSA id BBBC92006CA for <acme@ietf.org>; Mon, 30 Nov 2015 17:17:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wielicki.name; s=k001.sol; t=1448903844; bh=9i5zk2hx9cp3AIPOIHA0oE9OoJ0b0hl2xqM2cyPy6w8=; h=To:From:Subject:Date; b=n+6NYYzaZGLpURVsjRkw1XtTCKRRpTMvXIQB89SzeodCtGVIPoqzJ3Wm8Asgv5oKX ebm7p/zwsCiOLOYyPISvooZf1gkbzeEC1Lz3Cqw3nIhGXiqYy6TqLx26zWlIx+0POA q4JpJnUyZlz4wDNeXPf+SekdQNpy6qI8pUgPH3O2ugF3XhZgKXHPlSxuAM2b0qVUAB icNu/9r+DLfy0auIP9+afpdWYStUDzwlYuWI5S0quFP45jlZeKYGyUvzjmGUDNDnMN 77e1yPA8iBkcxUORqGBjKjPX3bupkcjHx/J/js8pvPo+G4rgRvKY5nrrOe8L7WkaY7 sdebZ26PF0n9w==
To: acme@ietf.org
From: Jonas Wielicki <jonas@wielicki.name>
X-Enigmail-Draft-Status: N1210
Message-ID: <565C84A1.9040102@wielicki.name>
Date: Mon, 30 Nov 2015 18:17:21 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/ZzgtWzZICj_HQ19geObENv12Lv8>
Subject: [Acme] Support for domains with redundant but not immediately synchronized servers
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2015 17:17:31 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi list,

I have asked this in the IRC and was pointed to this mailing list. I
tried to get a certificate for klausurschokola.de via Let’s Encrypt
during the currently running limited beta (we have the domain
whitelisted). The name has the following address records:

1800 	IN 	A	176.9.101.187
1800 	IN 	A 	217.115.12.71

(in addition, there is one AAAA record for each of the machines
addressed by the A records)

As you can see, two different machines are addressed. Those are
physically separated machines with different main administrators.
Both are pulling their web content from the same source, but it is not
supposed to be dynamic, so there is no "fast" (order of seconds) way
to mirror the content.

Our wish would be to be able to use different private keys and
certificates for both hosts, and renew these independently from the
other host. We thought that this would be possible using Let’s Encrypt.

The problem is that currently, the Let’s Encrypt server sometimes
chooses the wrong of the two IPs to ask for the file in
/.well-known/acme-challenge. Ideally, it would use the IP of the
requester (of course only after it has verified that the IP is in the
DNS) or allow the requester to specify a preferred IP.

For example, on 176.9.101.187:

# letsencrypt certonly -c ~/schoko.ini -d klausurschokola.de -d
www.klausurschokola.de

[… curses …]

Failed authorization procedure. klausurschokola.de (http-01):
unauthorized :: The client lacks sufficient authorization :: Invalid
response from
http://klausurschokola.de/.well-known/acme-challenge/c5HJrtp8t8JhfNgTXVC
8N7OsCrguAWGw-JTIJxCFeIQ
[217.115.12.71]: 404


Is such a thing planned? Are there security reasons against doing
this? Are there security reasons against doing this on a DNSSEC signed
domain (which klausurschokola.de is)?

best regards,
Jonas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJWXIShAAoJEMBiAyWXYliKJ1wP/iGVeGRxnAkrAstfjeGLvLeC
TXnF76X/8xC3s4dd/UR0DE2n9Pdn0FYCK+6jRTn+Xpa0MvrA2ME20AZMh070Ghy0
JRbdTWqjQTHzvjXYQHjSkW24pyZNgdfnmwd0HiAhn1mANv3dhVTnHR4hibZww+Su
ty3XzsyZYjrfQ3K5/bTb/jz+QZUoZ/fJJuNlyMsVInF3rzagj34WWR4sYbAIwKEF
CTvBFxINY04pUeemYlywPYrUOmcJTOK/wVi1ya2BgLgTqNJP5FJOX5jCHHr8m5ej
A7G/nGWFSybOG1GkjMOdST3uMeL7HlpqhUnuNzsiC3ZAfmgVwceLsG3bTCAxcrgB
7XiSs3MrURuEk17w2QB0Oyt487DrmftzFo3vzvCrrl42au9JV69Y14/0W3z5piYM
DIGpd/KNSL2m6xvzoJHoi+o5lTl9GiP6KQKlJiIUtn2cz8Ro6CiwXkhD0FmG8sP7
4wqg+vnpcTdhrzsWuAPrpGej+GT1LlWOLERnyPOfVhQ8EUPanwgUbGo1uTfHB2mj
T2CdCCZhcmJFurvz+7FVI1WaVgGR/rdZbu4ueC+0YNZEOICXE0pIJEw8rKWJbqe3
lKchgpR6jR3TKHHwNFDIZj049TBiEGxMXsdEaGlLOHdnr4ZlIDgfycumhYVTNJUi
IDHRifjFUchCynluOhZi
=3akD
-----END PGP SIGNATURE-----