Email based domain validation

Why can Let’s Encrypt not use email validation or accept subdomain validation that way? I’m unable to find a host that is reasonably allowing me to verify my ownership of a subdomain they provide to let me get a certificate. The host does provide a free email box so that way I can easily click on an email based link and bingo the cert works. If they are paronoid maybe all big company domains *@outlook.com, *@gmail.com etc. should be blacklisted.

How do you suggest the email challenge be automated?

Since Let's Encrypt certificates only have a 90 day duration (and may be shorter in future), it seems contrary to the mission for Let's Encrypt to be an "automated" CA:

Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.

There are CAs in the wild that do support automated renewal after initial validation via email (since as Amazon CA via Amazon Certificate Manager), but due to the integrated nature of their platform they are able to prove domain control at renewal time in other ways. Let's Encrypt can't do this, and it has been looked into previously - they don't want to.

Make it a send me a link using a mailer. If the link gets clicked then make the user fill out some basic info. This gets stored into a DB and gets passed to the certificate generator as if the file challenge was passed. My host has a strange condition that blocks web robots crawling the site but allows “real” browsers in.

Since this validation process has to repeated at renewal (as per ACME spec), this means the user would need to receive the email and copy a token into the certificate issuing tool every 60-90 days. Does that sound right to you?

I would suggest getting a new web host. Do they let GoogleBot crawl your sites?

An email challenge could fairly easily be automated, it’s just that the return on investment for the work would be miniscule. Millions of people use LE just fine as it is, why add oddball challenges for a handful of people who have broken hosting?

The only possible email that ACME would ever use would be the registrant or admin contact listed in the domain whois info, there’s no chance that you’d ever be able to supply your own even if it matched the domain. But even if such an option was approved (it’s been considered and rejected in the past), you’re looking at at least a year of lead time to get it in the client, by which time you could have switched to a host that doesn’t suck a thousand times over.

WHOIS is a total shambles and completely insecure, but there is already an established set of email addresses permitted for issuing certificates via email.

I'm slightly curious to know how email validation can be automated, considering that the current state of affairs for automating DNS validation (which on face value is much simpler) is really poor.

3 Likes

Ah, my recollection was off. Good to know someone is using those addresses. Automation is just building a POP/IMAP client, checking for the expected email, and responding, not much different from building a webserver and waiting for the request. I'm not saying it would be trivial, just simple in principle. The usual caveats apply -- POP clients shouldn't delete new mail for X days, weird protocols are out of luck, etc.

DNS is bad more because few DNS providers bother to implement an API that bots can even hook into, and even those that have one aren't standardized at all. My company's DNS provider up until last month required that we call up to make any changes, which resulted in so many typo issues. Good luck automating that.

Have you tried going the route of having your company configure _acme-challenge as a CNAME record pointing to a zone you can control by API?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.