Hi,
The current ACME specifies the port used for the HTTP Challenge and the ALPN Challenge. For HTTP it's 80, and for ALPN, 443.

This requirement is needed only for shared web hosts. Because if we did not require using such standard 80/443 ports, a normal user could gain a certificate for the web host's domain, which is not under their control. But if they can bind to 80/443, which requires root permission, it means they must be the administrator, and have the permission to sign a certificate for this domain.

This works well until in some countries the standard 80/443 ports are blocked without a license. In such regions, people can only use non-standard ports to communicate. It is impossible to finish the standard HTTP or ALPN Challenge. So all the devices running in such regions cannot utilize ACME to sign certificates.

Someone may argue that these devices can use the DNS Challenge; it does work. However, there are so many legacy devices that only support the HTTP Challenge and will not get any firmware upgrade.

So I'm wondering if we could design some new method to let ACME work for these devices. In my opinion, we can introduce a new DNS label like _acme_http_port and provide a TXT record to specify the non-standard port to be used. For example,

_acme_http_port.www.example.com 300 IN TXT "8080"

For the ALPN Challenge, the label may be _acme_alpn_port:

_acme_alpn_port.www.example.com 300 IN TXT "4430"

When the ALPN validator receives the certificate request, instead of just using the fixed port of 80/443, it first queries _acme_{http,alpn}_port.* from DNS, and then uses the port from the TXT record. If there is no such record, the server falls back to using the 80/443 port.

This way, only the validator needs to be changed, and all the legacy devices will work.
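The validator-side lookup described above, as an added example in Python (not code from the proposal or from any ACME implementation): it builds the proposed _acme_{http,alpn}_port name, accepts one well-formed TXT port value, and otherwise falls back to 80/443. The resolver is an injected callback over constructed zone data so it runs offline; `select_validation_port`, `port_label`, `SAMPLE_ZONE` and `sample_resolver` are names chosen here, not part of the proposal.

```python
import re
from typing import Callable, Iterable

# Ports mandated today for the HTTP-01 and TLS-ALPN-01 challenges.
DEFAULT_PORTS = {"http": 80, "alpn": 443}

# Resolver callback: given a DNS name, returns the TXT strings found (empty
# when the record does not exist). Injected so the lookup runs offline.
TxtResolver = Callable[[str], Iterable[str]]

def port_label(challenge: str, domain: str) -> str:
    """Build the proposed lookup name, e.g. _acme_http_port.www.example.com."""
    if challenge not in DEFAULT_PORTS:
        raise ValueError(f"unknown challenge type: {challenge}")
    return f"_acme_{challenge}_port.{domain.rstrip('.')}"

def select_validation_port(challenge: str, domain: str,
                           resolve_txt: TxtResolver) -> int:
    """Port the validator should connect to for this domain and challenge.

    Proposed behaviour: use the _acme_{http,alpn}_port TXT value and fall
    back to 80/443 when the record is absent. Malformed, ambiguous or
    out-of-range records are treated as absent rather than trusted.
    """
    default = DEFAULT_PORTS[challenge]
    strings = [s.strip() for s in resolve_txt(port_label(challenge, domain))]
    # Accept exactly one decimal string without leading zeros.
    candidates = [s for s in strings if re.fullmatch(r"[1-9][0-9]{0,4}", s)]
    if len(candidates) != 1:
        return default
    port = int(candidates[0])
    return port if 1 <= port <= 65535 else default

# Constructed zone data mirroring the records in the proposal, plus two
# deliberately bad records (constructed) to exercise the fallback path.
SAMPLE_ZONE = {
    "_acme_http_port.www.example.com": ["8080"],
    "_acme_alpn_port.www.example.com": ["4430"],
    "_acme_http_port.bad.example.com": ["99999"],           # out of range
    "_acme_http_port.multi.example.com": ["8080", "8081"],  # ambiguous
}

def sample_resolver(name: str) -> list:
    """Stand-in for a real DNS TXT query, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])

print(select_validation_port("http", "www.example.com", sample_resolver))   # 8080
print(select_validation_port("http", "plain.example.com", sample_resolver))  # 80
```

Note that publishing the TXT record already requires control of the name's DNS zone, so on a shared host the check shifts from "can bind a privileged port" to "can publish this record". A validator should treat ambiguous or out-of-range values as absent rather than trust them, which is what the example does.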
Please offer your comments.
Thanks
_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme