Can't this be achieved today by having the webserver reached by the first validation request configured to serve an HTTP 301 redirect for all requests to paths under /.well-known/acme-challenge/? For example, a request for `example.com/.well-known/acme-challenge/LoqXcYV8...jxAjEuX0` could be automatically redirected to `central-acme-challenge-service.example.com/.well-known/acme-challenge/LoqXcYV8...jxAjEuX0`.
I believe this would achieve all of the same benefits as you describe, except for "Reduced Exposure". At which point, I think it is reasonable to suggest that Applicants use the "dns-01" method if their goal is to get certificates for hostnames whose webservers are not publicly exposed.

I feel like I must be missing something. Can you further explain the benefits of using DNS-based delegation instead of HTTP-based delegation in an HTTP-based validation method?

Aaron

On Thu, Jan 16, 2025 at 4:33 PM Jared Crawford <jmcrawfor...@gmail.com> wrote:
> Dear ACME Working Group,
>
> I hope this message finds you well. I am writing to propose an extension to the ACME protocol to enhance the http-01 challenge type by allowing delegation to direct validation requests to a designated server, similar to what is possible for dns-01 challenges today via CNAMEs.
>
> HTTP challenges provide a variety of benefits for each stakeholder when compared to DNS challenges. For accounts that manage many certificates, these benefits are more pronounced as certificate / validation lifetimes continue to shrink. These include:
>
> - Centralized Management: Allows for centralized management of challenge responses, benefiting organizations managing multiple domains.
> - Reduced Exposure: Reduces the need for direct access to the domain's primary web server, particularly for hostnames behind VPNs or within corporate networks.
> - Performance: More performant than DNS-01, as the token can be instantly placed on the validation-specific server, allowing for synchronous certificate issuance.
> - Security: Avoids the risks associated with DNS API credentials.
> - Scalability: Enables parallelized validation of domains on distributed load balancers.
>
> This proposal allows for a centralized server for domain validation, addressing the challenge of validating domains hosted on servers within corporate networks that are not directly reachable by an ACME server. This method leverages the existing dns-01 challenge infrastructure to improve flexibility and performance.
>
> While I've included a rough I-D at jmcrawford45/draft-crawford-acme-delegated-http <https://github.com/jmcrawford45/draft-crawford-acme-delegated-http> of what a solution might look like, I am open to hearing other thoughts and suggestions on how to address this problem.
>
> Thank you for considering this proposal. I look forward to your feedback.
>
> Jared
> _______________________________________________
> Acme mailing list -- acme@ietf.org
> To unsubscribe send an email to acme-le...@ietf.org
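As an added example (not code from either message, and not the I-D's code), here is the HTTP-based delegation Aaron describes, worked end to end in Python: an origin web server that knows nothing about tokens and only answers the challenge path with a 301 to a central challenge service, a central service that holds the key authorization, and a validator standing in for the CA that dereferences the challenge URL and follows the redirect chain. This works because RFC 8555 section 8.3 says the server SHOULD follow redirects when dereferencing the http-01 URL; a real validator caps the chain length (this example uses 10) so a redirect loop cannot hang it. Both servers bind loopback ephemeral ports; the hostnames, token, and JWK thumbprint are constructed for the demo.

```python
"""Added example: delegating http-01 with a 301 redirect to a central challenge service.

All hostnames, ports, the token, and the thumbprint below are constructed for the demo.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"        # constructed token
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"   # constructed JWK thumbprint
KEY_AUTHZ = f"{TOKEN}.{THUMBPRINT}"   # key authorization = token "." base64url(thumbprint)
MAX_REDIRECTS = 10                    # cap a validator applies; an uncapped follower loops forever


class OriginHandler(BaseHTTPRequestHandler):
    """example.com's own web server: no tokens here, only a redirect for the challenge path."""
    central = None   # "host:port" of the central service, filled in before the server starts

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            self.send_response(301)
            self.send_header("Location", f"http://{self.central}{self.path}")
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


class CentralHandler(BaseHTTPRequestHandler):
    """Central challenge service: serves the key authorizations the ACME client provisioned."""
    answers = {}   # token -> key authorization

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else ""
        body = self.answers.get(token)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


def start(handler):
    """Serve handler on a loopback ephemeral port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"127.0.0.1:{srv.server_port}"


def fetch_following_redirects(url, max_redirects=MAX_REDIRECTS):
    """Dereference url the way an http-01 validator does: follow 3xx, at most max_redirects times."""
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        conn = HTTPConnection(parts.hostname, parts.port, timeout=5)
        conn.request("GET", parts.path)
        resp = conn.getresponse()
        body = resp.read()
        location = resp.getheader("Location")
        conn.close()
        if resp.status in (301, 302, 303, 307, 308) and location:
            url = location   # hop to wherever the origin delegated the challenge
            continue
        return resp.status, body.decode(errors="replace")
    raise RuntimeError(f"more than {max_redirects} redirects")


def validate_http01(origin_host, token, expected_key_authz):
    """CA side: GET the challenge URL on the origin and compare the final body."""
    status, body = fetch_following_redirects(f"http://{origin_host}{CHALLENGE_PREFIX}{token}")
    return status == 200 and body.strip() == expected_key_authz


def run_demo():
    """Returns (validated, unknown_token_validated); expected (True, False)."""
    central_srv, central_addr = start(CentralHandler)
    OriginHandler.central = central_addr
    origin_srv, origin_addr = start(OriginHandler)
    try:
        CentralHandler.answers[TOKEN] = KEY_AUTHZ   # the ACME client provisions only the central service
        ok = validate_http01(origin_addr, TOKEN, KEY_AUTHZ)
        # The redirect is followed just the same, but the central service never saw this token.
        unknown = validate_http01(origin_addr, "no-such-token", KEY_AUTHZ)
        return ok, unknown
    finally:
        origin_srv.shutdown()
        central_srv.shutdown()
        origin_srv.server_close()
        central_srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The trust consequence is the same as with a CNAME on `_acme-challenge`: whoever controls the redirect target can answer challenges for the origin hostname, so the central service needs the same protection a DNS delegation target would. Note also that the origin still has to be reachable by the CA for that first request, which is the "Reduced Exposure" point Aaron's reply concedes.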