Re: [Acme] Well Known CA->client poll on port 80/443 in http-acme

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 15 January 2017 18:29 UTC

Date: Sun, 15 Jan 2017 20:29:15 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Dirk-Willem van Gulik <dirkx@webweaving.org>
Message-ID: <20170115182915.GA27571@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <38DABE99-99B0-41BE-8D27-EC519C30D3AE@webweaving.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/f5_UaeHVg5u3BHsgI0NV6-cJo-U>
Cc: acme@ietf.org
Subject: Re: [Acme] Well Known CA->client poll on port 80/443 in http-acme

On Sun, Jan 15, 2017 at 06:54:10PM +0100, Dirk-Willem van Gulik wrote:
> 
> 
> That is indeed the alternative — surmise that as the user (no matter
> how VM’s, containers, virtual load balancers or whatever is configured)
> will want to end up visible on port 443 with a cert — we focus on some
> blind http->https redirect which can be configured in bulk; and always
> bring up a TLS+SSL on 443 with a self signed cert if we do not yet
> have an acme cert (and using the same private key for this).

Well, if the container is not visible on port 80, you presumably want
a path-preserving HTTP -> HTTPS redirect for all URLs on the FQDN. Such
a redirect would also redirect ACME HTTP requests.

Or if one wants just to redirect ACME HTTP requests, one can redirect
just the paths under .well-known/acme-challenge/. No need to be
discriminate: the target server will sort it out anyway.


-Ilari
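The two redirect options from the reply above, written out as an nginx configuration. This is an added example, not part of the thread or of any ACME implementation; the FQDN, certificate paths and webroot are placeholders, and it assumes the ACME server's validator follows the redirect to port 443 and tolerates the self-signed bootstrap certificate there, as the quoted plan requires.

```nginx
# Option 1: path-preserving redirect of everything on :80. A request for
# /.well-known/acme-challenge/<token> on :80 lands at the same path on :443,
# so the ACME http-01 request is carried along with all other traffic.
# Use either this block or the Option 2 block on :80, not both: two servers
# with the same listen/server_name would make nginx ignore one of them.
server {
    listen 80;
    server_name example.com;            # placeholder FQDN
    return 301 https://$host$request_uri;   # $request_uri keeps path + query
}

# Option 2: redirect only the ACME challenge paths; everything else on :80
# stays as it was. No need to be selective below acme-challenge/ since the
# :443 server sorts out which tokens exist.
server {
    listen 80;
    server_name example.com;            # placeholder FQDN
    location /.well-known/acme-challenge/ {
        return 301 https://$host$request_uri;
    }
    # ... other plain-HTTP locations unchanged ...
}

# :443 always comes up. Until an ACME certificate is obtained it serves the
# self-signed bootstrap certificate (same private key, so only the cert file
# changes later). Challenge files are read from the webroot the ACME client
# writes into.
server {
    listen 443 ssl;
    server_name example.com;            # placeholder FQDN
    ssl_certificate     /etc/ssl/bootstrap/selfsigned.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/bootstrap/server.key;      # placeholder path
    location /.well-known/acme-challenge/ {
        root /var/www/acme;             # placeholder webroot
        default_type text/plain;        # token files have no extension
    }
}
```

Reloading nginx after the ACME client replaces selfsigned.crt with the issued certificate is all that changes between the bootstrap and steady-state configuration.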