Support HTTP01 over SSL #1343

Closed
bluecmd opened this issue Nov 4, 2015 · 3 comments

@bluecmd bluecmd commented Nov 4, 2015

Hi,

We're running a mixed variation of web servers and would prefer to use HTTP01 using the "webroot" authenticator. We're an HTTPS-only environment currently and not looking to change that, which offers a problem for us.

Could simple support for HTTP01 over HTTPS be added? You would need to disregard any certificate errors (allowing bootstrapping using self-signed certs etc.) on the server side I guess, but compared to HTTP that's not an issue.

@kuba kuba (Contributor) commented Nov 4, 2015

We just recently got rid of this particular challenge over TLS because of security issues, see ietf-wg-acme/acme#7.

@kuba kuba added the area: acme label Nov 4, 2015
@pde pde added the wontfix label Nov 5, 2015
@pde pde (Member) commented Nov 5, 2015

Yeah, this is a wontfix because of the default vhosts attack. The two footnotes to that are: (1) if you serve a 301/302 redirect from port 80 the server will follow it; (2) if you have an existing cert from some CA (possibly Let's Encrypt, when it's time to renew) we could validate the cert and proceed.

@pde pde closed this Nov 5, 2015
@pde pde (Member) commented Nov 5, 2015

a writeup on the problem
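
Footnote (1) in the comment above is the route left open to an HTTPS-only site: a port-80 listener that does nothing but redirect. The following is an added example, not part of the thread or the project's code; it checks constructed port-80 responses to confirm that a 301/302 redirect keeps a challenge request on the same host and path over HTTPS. `check_redirect`, the hostname and the token are hypothetical, and the same-host and same-path conditions are assumptions about what the operator wants, not rules stated in the thread.

```python
from urllib.parse import urljoin, urlsplit

# HTTP-01 challenge files are requested under this path.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def check_redirect(request_url, status, location):
    """Return a list of problems with a port-80 response to a challenge request.

    An empty list means a validator that follows the redirect ends up at the
    same token path, on the same host, over HTTPS.
    """
    if status not in (301, 302):
        return [f"status {status} is not a 301/302 redirect"]
    if not location:
        return ["redirect has no Location header"]

    req = urlsplit(request_url)
    # A relative Location is resolved against the request URL, as a client would.
    target = urlsplit(urljoin(request_url, location))

    problems = []
    if target.scheme != "https":
        problems.append(f"target scheme is {target.scheme!r}, expected 'https'")
    if target.hostname != req.hostname:
        problems.append(f"host changes from {req.hostname} to {target.hostname}")
    if target.path != req.path:
        problems.append(f"path changes from {req.path} to {target.path}")
    return problems


# Constructed sample: hostname, token and responses are made up for illustration.
SAMPLE_URL = "http://example.org" + CHALLENGE_PREFIX + "constructed-token"
SAMPLE_RESPONSES = [
    (301, "https://example.org" + CHALLENGE_PREFIX + "constructed-token"),
    (302, "https://example.org/"),               # catch-all redirect to the homepage
    (301, CHALLENGE_PREFIX + "constructed-token"),  # relative: stays on http
    (301, "https://www.example.org" + CHALLENGE_PREFIX + "constructed-token"),
    (200, None),                                 # served directly, no redirect
]

if __name__ == "__main__":
    for status, location in SAMPLE_RESPONSES:
        issues = check_redirect(SAMPLE_URL, status, location)
        print(status, location, "->", issues or "ok")
```
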
