I have a subdomain I use as a staging/sandbox area. I thought it might be useful to restrict issuance that way, but I haven't thought about it very long and I'm not sure it makes sense.
Ideas?
I have a subdomain I use as a staging/sandbox area. I thought it might be useful to restrict issuance that way, but I haven't thought about it very long and I'm not sure it makes sense.
Ideas?
current code only able to only one CAA domain name, so if we change that it'd be only able to holde staging-only names
You can use CAA with the accounturi extension to only allow one or more staging ACME accounts.
No, not really. Accounts are provisioned automatically and pretty much thrown away after minutes/hours.
I mean, if you want to get really crazy, you could have your CAA record not allow anything (like issue ';'
), and then have whatever pre-hook/post-hook/etc. type script you're running to get certificates change the record to something that allows Let's Encrypt only with the account uri you you're setting up in staging. And then change it back afterward.
But only if you want to get really crazy.
From a raw ACME protocol perspective, there's no such thing as Staging/Sandbox. There are only CAs with directory endpoints. And for public CAs, they presumably have a unique CAA identifier.
Theoretically, Boulder in staging could be modified to do CAA checks against a different CAA identifier like letsencrypt.org.test
, right?
But that would break staging for anyone who already has letsencrypt.org
allowed until they updated their records to allow both unless Boulder was modified to accept either one in staging?
I don't think we're likely to change this. Maybe if we'd thought of this a long time ago, we'd consider it, but today changing it would break a lot of existing staging users.
Account URI binding is going to be the best option here.
Additionally, changing this would prevent users from using Staging as a "check to see if my setup is definitely going to work with prod" system. If the CAA identifiers were different, it would be possible (likely, even!) to have CAA records that allow staging but block prod, or vice versa, and people might get frustrating failures.
yeah, I didn't imagine them different.
I did imagine letsencrypt.org
covering both and staging.letsencrypt.org
covering staging only. But that pretty much treats prod and staging as separate CAs, yes.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.