Thanks. I went ahead and filed an errata for this.

Erik
On Tue, Apr 15, 2025 at 6:10 PM Michael Richardson <mcr+i...@sandelman.ca> wrote:
>
> Erik Nygren <erik+i...@nygren.org> wrote:
> > One of my colleagues recently pointed out a potential interaction between
> > HTTPS RRs (RFC 9460) as it relates to ACME and HTTP-01 DV. If a hostname
> > gets an HTTPS RR into DNS prior to getting a cert validated, then there
> > would be a problem if the ACME client resolved the HTTPS RR and
> > auto-upgraded the http:// URI to https as part of HTTP-01 DV. Since a cert
> > won't exist yet this would fail.
>
> That seems like a bad thing for an ACME server to do.
> It's an http-01 challenge, not an https-01 challenge.
> It shouldn't be updating. ACME servers doing dns-01 challenges already take
> special care to avoid caching, so they should also pay attention to ignore
> HTTPS RRs.
>
> > How would we want to clarify this? It's probably too big for an errata for
> > RFC 8555 but annoying to have to have a draft just to clarify all on its
> > own. If there are plans to do an rfc8555bis (or anything else updating
> > rfc8555 for HTTP-01) this could be good to include in there.
> >
> > The reading of RFC 8555 section 8.3 is fairly clear that:
> >
> >     Dereference the URL using an HTTP GET request. This request MUST be sent to
> >     TCP port 80 on the HTTP server
>
> I don't think it's too big for an errata.
> "When doing http-01 challenges, ignore HTTPS RRs"
>
> --
> Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
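The rule the two messages converge on, as an added example that is not code from the thread or from any ACME implementation: the http-01 validator pins its GET to http:// on TCP port 80 (RFC 8555 section 8.3) and compares the body with the key authorization (RFC 8555 section 8.1), so an HTTPS RR in the answer set changes nothing. The function names, the sample DNS answers and the dummy JWK are all constructed here.

```python
import base64
import hashlib
import json

# Added illustration, not code from the thread or from any ACME implementation.
# Function names are hypothetical; dns_answers is a constructed stand-in for a
# resolver's answer set.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, compact JSON, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: the body the server expects is token '.' base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def upgraded_target(host: str, token: str, dns_answers: list) -> tuple:
    """The behaviour the thread warns against: an HTTPS RR makes the validator
    switch to https://, which fails because no certificate exists yet."""
    path = f"/.well-known/acme-challenge/{token}"
    if any(rr["type"] == "HTTPS" for rr in dns_answers):
        return ("https", host, 443, path)
    return ("http", host, 80, path)

def http01_target(host: str, token: str, dns_answers: list) -> tuple:
    """RFC 8555 s8.3: plain HTTP GET to TCP port 80; HTTPS RRs are ignored,
    so dns_answers is deliberately unused."""
    return ("http", host, 80, f"/.well-known/acme-challenge/{token}")

def validate_http01(host, token, account_jwk, dns_answers, fetch) -> bool:
    """fetch(scheme, host, port, path) -> body is injected so this runs offline."""
    scheme, h, port, path = http01_target(host, token, dns_answers)
    return fetch(scheme, h, port, path).strip() == key_authorization(token, account_jwk)

# Constructed sample data: a dummy EC JWK (not a real key) and a DNS answer set
# in which the name already has an HTTPS RR before any certificate was issued.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "QUJD", "y": "REVG", "alg": "ES256"}
SAMPLE_DNS = [{"type": "HTTPS", "value": "1 . alpn=h2"}, {"type": "A", "value": "192.0.2.10"}]

def serve_port_80_only(scheme, host, port, path):
    """Constructed origin: reachable on port 80, but it cannot terminate TLS yet."""
    if scheme != "http" or port != 80:
        raise ConnectionError("TLS handshake failed: no certificate issued yet")
    return key_authorization(path.rsplit("/", 1)[1], SAMPLE_JWK) + "\n"
```

Running `validate_http01("example.com", "tok", SAMPLE_JWK, SAMPLE_DNS, serve_port_80_only)` succeeds, while feeding the same origin the tuple from `upgraded_target` raises the connection error the thread describes.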
_______________________________________________
Acme mailing list -- acme@ietf.org