Manual validation feature for http-01 and tls-sni-01 challenges

[glkz]

When we cannot run an ACME client on the target server a "manual" mode for the http-01 and tls-sni-01 challenges would be helpful.

Adding --manual flag to run command can be a solution imho.

Btw, Let's Encrypt client has a plugin for this.

[xenolf]

I had a quick look at what the "manual" plugin does for the official client.
Am I right with the assumption that lego would need to output curl commands for example which a user could use to run them on a distant machine?

[glkz]

Curl commands are not necessary. I think just printing the challenge with some instructions and waiting user's action to continue would be sufficient.

For example, something like this for http-01:

$ lego --domains example.com --email admin@example.com run --manual
...
A HTTP get request to url
    http://example.com/.well-known/acme-challenge/{token}
must return the following string in the response body
    {jws string here}

Press ENTER when your server is ready. 

[fenderle]

+1

[uwe]

+1

[yonderblue]

Is there a way to use this for an automated process of what an admin would do with it? I am interested in getting a cert that covers a group of machines, say 20 subdomains where each subdomain is only hosted from one machine in a way to avoid rate limits.

[xenolf]

@Gaillard Why not get a SAN cert for the 20 subdomains and then distribute them across your machines?

[mholt]

Wondering if this is still necessary anymore; and even if so, if it is a good idea at all. The goal is to automate the process of managing certificates. If there a manual step is possible, then we fall short of that and people continue to rely on manual ways.