Erik Nygren <erik+i...@nygren.org> wrote:
    > One of my colleagues recently pointed out a potential interaction between
    > HTTPS RRs (RFC 9460) as it relates to ACME and HTTP-01 DV.  If a hostname
    > gets an HTTPS RR into DNS prior to getting a cert validated, then there
    > would be a problem if the ACME client resolved the HTTPS RR and
    > auto-upgraded the http:// URI to https as part of HTTP-01 DV.  Since a cert
    > won't exist yet this would fail.

That seems like a bad thing for an ACME server to do.
It's an http-01 challenge, not an https-01 challenge.
It shouldn't be updating.  ACME servers doing dns-01 challenges already take
special care to avoid caching, so they should also pay attention to ignore
HTTPS RRs.

    > How would we want to clarify this?  It's probably too big for an errata for
    > RFC 8555 but annoying to have to have a draft just to clarify all on its
    > own.  If there are plans to do an rfc8555bis (or anything else Updating
    > rfc8555 for HTTP-01) this could be good to include in there.

    > The reading of RFC 8555 section 8.3 is fairly clear that:

    > Dereference the URL using an HTTP GET request. This request MUST be sent to
    > TCP port 80 on the HTTP server

I don't think it's too big for an errata.
"When doing http-01 challenges, ignore HTTPS RRs"

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
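As an added illustration of the point under discussion (example code written for this note, not code from the thread, from RFC 8555, or from any ACME implementation), the following simulates an http-01 validation against a host whose DNS already carries an HTTPS RR. It contrasts the RFC 8555 section 8.3 behaviour (plain HTTP GET to TCP port 80, HTTPS RR ignored) with a validator that wrongly applies the RFC 9460 https upgrade and therefore fails before any certificate exists. The hostname, token, JWK and DNS data are constructed; the origin server is a stand-in object, not a network call.

```python
"""Added example (not from the thread): ACME http-01 validation with and
without an erroneous HTTPS-RR upgrade. Names, sample JWK, token and DNS data
are constructed for illustration."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout RFC 8555."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members, in lexicographic order, with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validation_target(hostname: str, token: str, dns: dict, upgrade_on_https_rr: bool):
    """Decide where the ACME server sends the challenge GET.
    Compliant path (RFC 8555 8.3): always http://<host>:80/.well-known/...
    Flawed path: mimics an RFC 9460 client and switches to https:443 whenever
    an HTTPS RR is present (TargetName/port hints ignored for brevity)."""
    path = f"/.well-known/acme-challenge/{token}"
    if upgrade_on_https_rr and dns.get((hostname, "HTTPS")):
        return ("https", hostname, 443, path)
    return ("http", hostname, 80, path)


class SimulatedOrigin:
    """Constructed stand-in for the applicant's web server before issuance:
    it serves the challenge over plain HTTP on port 80 and has no certificate,
    so any TLS connection on 443 fails."""

    def __init__(self, hostname: str, token: str, keyauth: str):
        self.hostname = hostname
        self.has_certificate = False  # the whole point: no cert exists yet
        self.responses = {f"/.well-known/acme-challenge/{token}": keyauth}

    def fetch(self, scheme: str, host: str, port: int, path: str) -> str:
        if host != self.hostname:
            raise ConnectionError("no such host")
        if scheme == "https":
            if not self.has_certificate:
                raise ConnectionError("TLS handshake failed: no certificate yet")
        elif port != 80:
            raise ConnectionError(f"nothing listening on port {port}")
        body = self.responses.get(path)
        if body is None:
            raise ConnectionError("404 Not Found")
        return body


def validate_http01(hostname, token, jwk, dns, origin, upgrade_on_https_rr=False) -> bool:
    """Fetch the challenge resource and compare it with the expected key
    authorization; any transport failure counts as a failed validation."""
    target = validation_target(hostname, token, dns, upgrade_on_https_rr)
    try:
        body = origin.fetch(*target)
    except ConnectionError:
        return False
    return body.strip() == key_authorization(token, jwk)


# Constructed sample data (not a real key; documentation domain and address).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate-not-a-real-key-00000",
              "y": "constructed-y-coordinate-not-a-real-key-00000"}
SAMPLE_TOKEN = "Qz5T-constructed-token-0vJ8"
SAMPLE_DNS = {("example.com", "A"): ["192.0.2.10"],
              ("example.com", "HTTPS"): ["1 . alpn=h2"]}  # published before issuance


def demo():
    """Return (compliant_result, flawed_result) for the constructed scenario."""
    keyauth = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    origin = SimulatedOrigin("example.com", SAMPLE_TOKEN, keyauth)
    compliant = validate_http01("example.com", SAMPLE_TOKEN, SAMPLE_JWK, SAMPLE_DNS, origin)
    flawed = validate_http01("example.com", SAMPLE_TOKEN, SAMPLE_JWK, SAMPLE_DNS, origin,
                             upgrade_on_https_rr=True)
    return compliant, flawed


if __name__ == "__main__":
    ok, broken = demo()
    print(f"RFC 8555-compliant (HTTPS RR ignored): {'valid' if ok else 'invalid'}")
    print(f"Auto-upgrading validator:              {'valid' if broken else 'invalid'}")
```

The compliant validator succeeds because the target is fixed by RFC 8555 to port 80 over plain HTTP; the upgrading one fails at the TLS handshake, which is exactly the chicken-and-egg problem Erik describes. An operator who sees http-01 failures only on names that already publish HTTPS RRs has a quick way to tell the two behaviours apart: check whether the CA's validation requests ever arrive on port 443.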
