HTTP challenge spec issues #33

kelunik · 2015-11-10T09:03:06Z

Because many webservers allocate a default HTTPS virtual host to a particular low-privilege tenant user in a subtle and non-intuitive manner, the challenge must be completed over HTTP, not HTTPS.

vs.

Dereference the URI using an HTTP or HTTPS GET request. If using HTTPS, the ACME server MUST ignore the certificate provided by the HTTPS server.

The HTTP spec doesn't seem to be consistent. And why does it have to be completed with HTTP? I honestly don't understand that.

The text was updated successfully, but these errors were encountered:

kelunik · 2015-11-10T23:11:38Z

LE's simpleHTTP seems to give a choice. I'd really prefer that. This would make it possible to not even listen on port 80 for things like APIs, e.g. GitHub does that on api.github.com.

bifurcation · 2015-11-12T23:54:16Z

As discussed on the list and in the document, the HTTP challenge needs to be HTTP-only in order to avoid the default-vhost issues. Thanks for catching the stray HTTPS text. I will remove it.

kelunik · 2015-11-13T07:12:31Z

Do you have a link to the discussion?

bifurcation added a commit that referenced this issue Nov 12, 2015

Remove left-over HTTPS text from http-01 (#33)

303c9d7

bifurcation mentioned this issue Nov 12, 2015

Fixes for issues pointed out by @kelunik #43

Merged

bifurcation closed this as completed in #43 Nov 12, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HTTP challenge spec issues #33

HTTP challenge spec issues #33

kelunik commented Nov 10, 2015

kelunik commented Nov 10, 2015

bifurcation commented Nov 12, 2015

kelunik commented Nov 13, 2015

HTTP challenge spec issues #33

HTTP challenge spec issues #33

Comments

kelunik commented Nov 10, 2015

kelunik commented Nov 10, 2015

bifurcation commented Nov 12, 2015

kelunik commented Nov 13, 2015