[Acme] Host Selection during Challenge

DaKnOb <daknob.mac@gmail.com> Fri, 23 December 2016 18:20 UTC

From: DaKnOb <daknob.mac@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <6A20CF14-E191-45A3-AF51-D28729CBFFAF@gmail.com>
Date: Fri, 23 Dec 2016 20:20:26 +0200
To: acme@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/jNV8VDMlw_tueEgZTaZ2vMqbFDM>
Subject: [Acme] Host Selection during Challenge

Hello,
this is my first e-mail on this list, and after spending around 30 minutes in the archives I could not find this issue discussed previously. Excuse me if this is a double post, and if it is, can you kindly help me find it in the archives?

Currently in the ACME protocol (at least as it is used by Let’s Encrypt), when requesting a certificate with one or more domain names, the verifier (CA) will resolve the hostname and then connect to the server to verify the request is authentic (at least in HTTP and TLS SNI modes).

In a multi-server setup, where there are two or more servers, the verifier will pick one at random and connect to it, following the normal DNS procedure. The currently recommended way to work around this is to configure every server except one, say X, to proxy the request to that one server, X, where the ACME client is running. Then, the certificate will have to be distributed to the other servers manually, or, in general, by other means.

I think it would help to provide means of supplying an IP Address (v4 or v6) along with every other detail, and then let the verifier (CA) connect to this address only, assuming of course it is present in the DNS records.

This will allow the server operator to issue a different certificate per server, removing the overhead of transferring certificates and keys (in possibly insecure ways), removing complexity (no need for reverse proxying, mechanisms to deploy the certificate), and enhancing automation (the ACME client will be able to renew each certificate automatically in every server and not require user interaction or complicated systems).

Now, if the DNS response of the verifier is not consistent and does not always reply with the same answer, such as in cases of GeoDNS or load-balancing DNS, this system will not work, and the server operator will have to add a special case for the Autonomous System or IP Addresses of the CA, which will include all IPs.

Thank you for your time and please let me know what you think. Also, sorry if this is a duplicate and this idea has been discussed before.

Antonios A. Chariton
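The three situations the message walks through (the CA picking one of several A/AAAA records at random, the reverse-proxy workaround, and the proposed client-supplied address that the CA accepts only if it is present in DNS, including the GeoDNS failure case) as an added, self-contained model. This is example code written for this archive page; it is not code from the original message and not Let's Encrypt's validation logic. The zone, the hosts, the tokens and all function names are constructed for the illustration, and "pinned_ip" is a hypothetical parameter standing in for the proposed extension.

```python
"""
Model of ACME HTTP-01 validation against a multi-server deployment.

Added example, not code from the original post and not Let's Encrypt's
validation code. The DNS answers, the hosts and the CA's behaviour are all
constructed in memory so this runs offline; addresses, tokens, the
'pinned_ip' parameter and all function names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed round-robin zone: one name, three address records.
ZONE = {"www.example.org": ["192.0.2.10", "192.0.2.11", "2001:db8::3"]}


def zone_resolver(name: str) -> list[str]:
    """A resolver that always returns the full, consistent record set."""
    return list(ZONE.get(name, []))


@dataclass
class Host:
    """One web server in the pool. It serves the key authorizations it knows and
    may proxy the challenge path to another host (the workaround from the post)."""
    ip: str
    responses: dict[str, str] = field(default_factory=dict)  # token -> key authz
    proxy_to: Optional["Host"] = None

    def get(self, path: str) -> Optional[str]:
        if not path.startswith(CHALLENGE_PATH):
            return None
        if self.proxy_to is not None:
            return self.proxy_to.get(path)
        return self.responses.get(path[len(CHALLENGE_PATH):])


def key_authorization(token: str, thumbprint: str) -> str:
    # RFC 8555 key authorization: token '.' base64url(JWK thumbprint of account key).
    return f"{token}.{thumbprint}"


class FixedPick:
    """Stand-in for the CA's random choice so every branch is exercised deterministically."""
    def __init__(self, index: int):
        self.index = index

    def choice(self, seq):
        return seq[self.index % len(seq)]


def validate_http01(domain, token, expected, hosts, rng, resolve=zone_resolver, pinned_ip=None):
    """CA-side check. Today: resolve the name and connect to one address at random.
    The post's proposal: if the client pinned an address, connect only to it, but
    only if that address is in the CA's own DNS answer for the name."""
    addrs = resolve(domain)
    if not addrs:
        return False, "no address records"
    if pinned_ip is not None:
        if pinned_ip not in addrs:
            return False, f"{pinned_ip} not in DNS answer for {domain}"
        target = pinned_ip
    else:
        target = rng.choice(addrs)
    host = hosts.get(target)
    if host is None:
        return False, f"{target}: connection refused"
    body = host.get(CHALLENGE_PATH + token)
    if body != expected:
        return False, f"{target}: got {body!r}"
    return True, target


def pool(proxy: bool) -> dict[str, Host]:
    """Three hosts; with proxy=True, B and C forward the challenge path to A."""
    a = Host("192.0.2.10")
    b = Host("192.0.2.11", proxy_to=a if proxy else None)
    c = Host("2001:db8::3", proxy_to=a if proxy else None)
    return {h.ip: h for h in (a, b, c)}


def scenario_random_pick(proxy: bool) -> dict[str, bool]:
    """Only host A runs the ACME client. For each address the CA might pick, does validation pass?"""
    hosts = pool(proxy)
    ka = key_authorization("tok-A", "thumb")
    hosts["192.0.2.10"].responses["tok-A"] = ka
    return {ip: validate_http01("www.example.org", "tok-A", ka, hosts, FixedPick(i))[0]
            for i, ip in enumerate(ZONE["www.example.org"])}


def scenario_pinned() -> dict[str, bool]:
    """Each host runs its own client with its own token and pins its own address,
    plus one address absent from DNS, which the CA must reject."""
    hosts = pool(proxy=False)
    out = {}
    for ip, host in hosts.items():
        tok = f"tok-{ip}"
        ka = key_authorization(tok, "thumb")
        host.responses[tok] = ka
        out[ip] = validate_http01("www.example.org", tok, ka, hosts, FixedPick(0), pinned_ip=ip)[0]
    out["198.51.100.7"] = validate_http01("www.example.org", "x", "x", hosts, FixedPick(0),
                                          pinned_ip="198.51.100.7")[0]
    return out


def scenario_geodns() -> tuple[bool, str]:
    """The post's caveat: the CA's resolver gets a different (GeoDNS) answer, so an
    address that really is in the zone is rejected as not present in DNS."""
    hosts = pool(proxy=False)
    ka = key_authorization("tok-A", "thumb")
    hosts["192.0.2.10"].responses["tok-A"] = ka
    ca_view = lambda name: ["192.0.2.11"]  # from the CA's vantage point only B is returned
    return validate_http01("www.example.org", "tok-A", ka, hosts, FixedPick(0),
                           resolve=ca_view, pinned_ip="192.0.2.10")
```

Without the proxy, validation passes only when the CA happens to pick the one address that holds the token; with every other host proxying the challenge path to X, any pick passes, which is exactly why the workaround then requires copying the certificate out to the other hosts. Under the pinned-address check each host can complete its own challenge, and an address not in the CA's DNS answer is refused, which is also the GeoDNS failure mode the message ends on.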