Hi, I'm new to this mailing list. Today I started a discussion on IRC about the fact that ACME with http-01 won't work if the A record points to an intranet IP address or is resolved dynamically depending on geolocation or similar. People on IRC recommended holding such discussions on the acme mailing list ;-)

The idea to solve these issues is simple: why not use a special DNS record to resolve a URL that is responsible for ACME challenges for a certain domain? This is more flexible than building the URL from the A record according to a fixed scheme.

Example: mydomain.com could have a TXT record "acme-http-01-url" that points to some URL (e.g. http://acme.mydomain.com/acme-challenge). If this record exists, this URL is used. Otherwise http://mydomain.com/.well-known/acme-challenge is used as defined in http-01.

Advantages:
- simple
- same security as in http-01
- decouples proof of domain ownership from the physical device that the A record points to
- allows certificate issuance for intranet services, embedded devices and clustered services
- no dynamic DNS updates required
- has only minimal impact on server implementations
- has no impact on client implementations

Please let me know what you think about this idea.

Kind regards,
Michael.

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
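The lookup rule proposed in the post, written out as a validator-side function. This is an added example, not code from the post, from the ACME draft or from any CA implementation. It assumes one concrete encoding of the proposal that the post leaves open: the override lives in a TXT record owned by the name `acme-http-01-url.<domain>` and its single value is an absolute URL prefix to which the challenge token is appended. The zone table and the `make_resolver` helper are constructed stand-ins for a real recursive resolver so the block runs offline.

```python
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Assumed encoding of the proposal (not fixed by the post): a TXT record owned
# by "acme-http-01-url.<domain>" whose single value is an absolute URL prefix.
OVERRIDE_LABEL = "acme-http-01-url"
# Standard http-01 location, used when no override record exists.
WELL_KNOWN = "/.well-known/acme-challenge/"

# A resolver maps (owner name, rrtype) to the record values found; a real
# validator would back this with its own recursive resolver.
Resolver = Callable[[str, str], List[str]]


def make_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Build an in-memory TXT resolver from a constructed zone table (test stand-in)."""
    def resolve(name: str, rrtype: str) -> List[str]:
        if rrtype != "TXT":
            return []
        return list(zone.get(name.rstrip(".").lower(), []))
    return resolve


def _check_override(value: str) -> str:
    """Accept only an absolute http(s) URL without query or fragment; return it without trailing slash."""
    cleaned = value.strip()
    parts = urlsplit(cleaned)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"override is not an absolute http(s) URL: {value!r}")
    if parts.query or parts.fragment:
        raise ValueError(f"override must not carry a query or fragment: {value!r}")
    return cleaned.rstrip("/")


def challenge_url(domain: str, token: str, resolve: Resolver) -> str:
    """Return the URL a validator fetches for the http-01 challenge of `domain`.

    If the override record exists, its URL prefix is used; otherwise the plain
    http-01 location is built from the domain name, exactly as the post
    describes.  A malformed or ambiguous override fails closed rather than
    silently falling back, so a broken record cannot be mistaken for "absent".
    """
    records = resolve(f"{OVERRIDE_LABEL}.{domain}", "TXT")
    if not records:
        return f"http://{domain}{WELL_KNOWN}{token}"
    if len(records) > 1:
        raise ValueError(f"{len(records)} override records for {domain}; refusing to guess")
    return _check_override(records[0]) + "/" + token


# Constructed sample zone data covering the post's scenario plus two failure cases.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "acme-http-01-url.mydomain.com": ["http://acme.mydomain.com/acme-challenge"],
    "acme-http-01-url.ambiguous.example": ["http://a.example/x", "http://b.example/y"],
    "acme-http-01-url.bad.example": ["ftp://files.example/acme"],
}

if __name__ == "__main__":
    r = make_resolver(SAMPLE_ZONE)
    print(challenge_url("mydomain.com", "tok123", r))   # override in use
    print(challenge_url("plain.example", "tok123", r))  # standard http-01 fallback
```

Design note on the added code: only the absence of the record triggers the fallback. A record that is present but unparseable, or duplicated, raises instead, because a validator that quietly fell back in those cases would let the owner of the override host and the owner of the A-record host disagree about who answers the challenge without anyone noticing.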
