Support HTTP01 over SSL #1343

Closed
bluecmd opened this Issue Nov 4, 2015 · 3 comments

bluecmd commented Nov 4, 2015

Hi,

We're running a mixed variation of web servers and would prefer to use HTTP01 using the "webroot" authenticator. We're an HTTPS-only environment currently and not looking to change that, which offers a problem for us.

Could simple support for HTTP01 over HTTPS be added? You would need to disregard any certificate errors (allowing bootstrapping using self-signed certs etc.) on the server side I guess, but compared to HTTP that's not an issue.

kuba commented Nov 4, 2015

We just recently got rid of this particular challenge over TLS because of security issues, see ietf-wg-acme/acme#7.

kuba added the area: acme label Nov 4, 2015

pde added the wontfix label Nov 5, 2015

pde commented Nov 5, 2015

Yeah, this is a wontfix because of the default vhosts attack. The two footnotes to that are: (1) if you serve a 301/302 redirect from port 80 the server will follow it; (2) if you have an existing cert from some CA (possibly Let's Encrypt, when it's time to renew) we could validate the cert and proceed.

pde closed this Nov 5, 2015

pde commented Nov 5, 2015

a writeup on the problem