[Acme] Re: Interactions between HTTPS RRs (rfc9460) and HTTP-01 DV

[Erik Nygren <erik+ietf@nygren.org>]

Thanks.  I went ahead and filed an errata for this.

    Erik


On Tue, Apr 15, 2025 at 6:10 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Erik Nygren <erik+ietf@nygren.org> wrote:
>     > One of my colleagues recently pointed out a potential interaction
> between
>     > HTTPS RRs (RFC 9460) as it relates to ACME and HTTP-01 DV.  If a
> hostname
>     > get an HTTPS RR into DNS prior to getting a cert validated, then
> there
>     > would be a problem if the ACME client resolved the HTTPS RR and
>     > auto-upgraded the http:// URI to https as part of HTTP-01 DV.
> Since a cert
>     > won't exist yet this would fail.
>
> That seems like a bad thing for an ACME server to do.
> It's an http-01 challenge, not an https-01 challenge.
> It shouldn't be updating.  ACME servers doing dns-01 challenges already
> take
> special care to avoid caching, so they should also pay attention to ignore
> HTTPS RRs
>
>     > How would we want to clarify this?  It's probably too big for an
> errata for
>     > RFC 8555 but annoying to have to have a draft just to clarify all on
> its
>     > own.  If there are plans to do an rfc8555bis (or anything else
> Updating
>     > rfc8555 for HTTP-01) this could be good to include in there.
>
>     > The reading of RFC 8555 section 8.3 is fairly clear that:
>
>     > Dereference the URL using an HTTP GET request. This request MUST be
> sent to
>     > TCP port 80 on the HTTP server
>
> I don't think it's too big for an errata.
> "When doing http-01 challenges, ignore HTTPS RRs"
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>
>