An Acme CA may choose the dns-01 challenge token, but what goes in the DNS TXT record is base64url(SHA-256(f(token and account key))). So to avoid hyphens in that result the CA would need to: pick a random token; do the hash & base64url calculations; then repeat with a new random token if any hyphens are present. It will only take 2 tries on average ;-)
-- James Manger

-----Original Message-----
From: Acme <[email protected]> On Behalf Of Michael Richardson
Sent: Thursday, 26 November 2020 9:37 AM
To: Mark Tomlin <[email protected]>; [email protected]
Subject: Re: [Acme] Remove the hyphen from the acceptable character set for _acme-challenge TXT records.

Mark Tomlin <[email protected]> wrote:
> I have a bit of a feature request for you all. It's actually to remove
> the hyphen from the TXT records to make it easier to copy and paste into a
> DNS server record. Here's my scenario. I ran the following command on my
> server (Ubuntu 20.04) that as you can see has certbot on it and a large
> number of domains to cover.

It is annoying, and I've run into the same problem as well.

The challenge is a base64url encoded (RFC4648) nonce. It is preferred by web programmers because it does not use + or /, which are special in URLs. The base64 alphabet doesn't use -, but does use + and /, which would copy and paste better.

The format and contents of the nonce are not mandated by RFC8555, so LetsEncrypt could change this in many different ways. It would be a unilateral decision on the ACME server only. I actually think that BASE32 encoding would probably be better: you could probably write a pull-request to the letsencrypt code base to do this. I don't know how they would feel about this, but it would be worth learning.

> Please deploy a DNS TXT record under the name
> _acme-challenge.mimocad.io with the following value:
> 6-K6v7VjtVpGhJk4d6Zx8qxsg6JFUZbGnnr-bDpKpSc

What annoyed me here when renewing a system with 10 different aliases is that I don't know when I've gotten to the last one. I should be shown all 10 at the same time, so that I can put them all in place, and then reload the zone. Instead, I count (badly), reload the zone too late or too soon...
Even better if they added the entire DNS presentation lines so that I could copy & paste the entire set. But, again, this is a client code issue, and not a protocol issue.

I have since bitten the bullet and gotten nsupdate to do the right thing, and it now autorenews on its own, as Ghod intended.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
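The arithmetic behind both messages above, as an added example that is not part of the thread and not Boulder's, certbot's or any other project's code: the dns-01 TXT value is base64url(SHA-256(token "." base64url(JWK thumbprint))) per RFC 8555 sections 8.1 and 8.4, so a CA that wants a hyphen-free value has to re-draw the token and recompute the digest, exactly as James sketches. The block also emits the ready-to-paste zone-file lines Michael asks the client for. Assumptions: standard library only; tokens are 32 random bytes base64url-encoded (RFC 8555 only demands at least 128 bits of entropy); `ACCOUNT_JWK` is a constructed EC JWK whose x/y are not a valid P-256 point, since only the thumbprint hashing matters here; `seeded_rng`, `average_tries` and `presentation_lines` are helper names invented for this example.

```python
# Added example (not Boulder, certbot or any project's own code): the dns-01
# arithmetic from RFC 8555 plus the "re-roll the token until the TXT value has
# no hyphen" loop from the thread.  Standard library only.
import base64
import hashlib
import json
import random
import secrets


def b64url(data: bytes) -> str:
    """RFC 4648 base64url with the '=' padding stripped, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, keys sorted, no whitespace,
    SHA-256 over the UTF-8 JSON, base64url.  Extra members such as "use" are
    deliberately ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: the TXT record holds base64url(SHA-256(keyAuthorization)),
    always 43 base64url characters for a 32-byte digest."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def new_token(rng=secrets.token_bytes) -> str:
    # Assumption: 32 random bytes, base64url-encoded.  RFC 8555 only requires
    # >= 128 bits of entropy and the base64url character set for the token.
    return b64url(rng(32))


def hyphen_free_txt(jwk: dict, rng=secrets.token_bytes):
    """The server-side loop from the thread: keep drawing tokens until the
    digest (the value the user pastes into DNS) contains no '-'.
    Returns (token, txt_value, tries)."""
    tries = 0
    while True:
        tries += 1
        token = new_token(rng)
        value = dns01_txt_value(token, jwk)
        if "-" not in value:
            return token, value, tries


def seeded_rng(seed: int):
    """Deterministic stand-in for secrets.token_bytes (demos and tests only)."""
    r = random.Random(seed)
    return lambda n: r.getrandbits(8 * n).to_bytes(n, "big")


def average_tries(jwk: dict, samples: int, seed: int = 0) -> float:
    """Empirical mean retry count.  42 of the 43 output symbols are uniform over
    the 64-character alphabet; the 43rd carries only 4 digest bits and can never
    be '-', so P(no hyphen) = (63/64)**42, about 0.52, i.e. about 1.9 tries."""
    rng = seeded_rng(seed)
    return sum(hyphen_free_txt(jwk, rng)[2] for _ in range(samples)) / samples


def presentation_lines(names, jwk: dict, rng=secrets.token_bytes, ttl: int = 60):
    """One zone-file line per name, ready to paste into a zone in one go.
    A real client copies the CA's token from the challenge; here we draw one
    locally just to show the presentation form."""
    lines = []
    for name in names:
        value = dns01_txt_value(new_token(rng), jwk)
        lines.append(f'_acme-challenge.{name}. {ttl} IN TXT "{value}"')
    return lines


# Constructed EC JWK for the example: x/y are NOT a valid P-256 point; only the
# thumbprint arithmetic matters here.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "use": "sig",  # present on purpose: not part of the RFC 7638 thumbprint input
}

if __name__ == "__main__":
    token, value, tries = hyphen_free_txt(ACCOUNT_JWK)
    print(f"token={token}\ntxt={value}\ntries={tries}")
    print("\n".join(presentation_lines(["mimocad.io", "www.mimocad.io"], ACCOUNT_JWK)))
    print(f"mean tries over 2000 draws: {average_tries(ACCOUNT_JWK, 2000):.2f}")
```

Note that the retry trick only removes hyphens from the TXT value; a base32 token, as Michael suggests, would change nothing about that value because the digest encoding is fixed by RFC 8555, which is the point James makes.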
