How to get well-known files and verify domain name separately?


#1

Hello,

I want to know if we are able to get a certificate in three separate steps:

  1. Get .well-known files.
  2. Distribute files to the correct servers.
  3. Verify domain name and get certificates.

If we can, then how do we perform step 1 and step 3?

Also, how long will .well-known files be valid for domain verification?

Do well-known files have to be accessible always, or only when performing domain verification or renewal?

Sincerely,
Alexandr


#2

Unless you want to write your own client, I’d suggest using certbot or one of the alternate clients that most closely does what you need.

All of the clients effectively do what you are suggesting. Most, though, only work on the one server. Some clients are designed to work with remote servers.

This is done by the clients, but basically you request a token from letsencrypt, which you then encrypt / sign with your private key to get the token you need to place on your servers (your step 1). For your step 3, you simply ask letsencrypt to verify your domain (with a request you sign with your key) and it then verifies your domain and provides you a link to download your certificates.

This depends slightly on how busy the servers are I believe, but is usually measured in days.

Only when performing domain verification or renewal.


#3

Thank you for your help. Could you suggest any client which can obtain challenge files and which can then verify domain in two separate tasks?

For example certbot can’t do this because it can only do this as one task. I.e. when I use --manual mode it shows me the challenge information and I have to manually copy and paste it to different hosts (for example when we are using Anycast for load distribution between different nginx nodes) and then go to the terminal again and press Enter for domain verification. It would be much more convenient if certbot had something like this:
# certbot certonly --obtainOnlyChallenges --crt …
# certbot certonly --verifyWithExistingChallenges --crt …

I tried to research other clients and they work more or less the same. Except “letsencrypt.sh”, which it seems works as I want, but there is some bug and we can’t create an account right now with that script.

Do you know some other clients which can do these tasks separately (obtain challenges and next task verify domain)?

Sincerely,
Alexandr


#4

Check out the alternate clients link in @serverco’s post above.
If you have Bash available, and meet the other requirements, you might find GetSSL to be a good fit for your “split-step” process, while keeping it automated at the same time.


#5

Unfortunately GetSSL, like other libraries, does not support it. It can distribute keys to different hosts via ssh/ftp or another technique, but it still isn’t “split-step”. It downloads one well-known host for the first domain, then it distributes it, then it verifies it. If verification is false then it fails for the other domains and doesn’t continue to download other well-known files for the other domains. Even if it were able to download all well-known files, it doesn’t make sense with GetSSL because each time it generates new well-known files. So even if you were able to download well-known files and distribute them to different hosts, you can’t verify them as they won’t be verified by letsencrypt (certbot works better for this because it always gets the same well-known files, but you still can’t verify them in two different steps).


#6

The process lacks automation, but if I understand how you wish to do the steps, then maybe a browser-based version will work better.
Try ZeroSSL.com, for example.
You create the account key and the csr in the first step.
Then it lists the files, and contents, needed to verify the domains.
It sits and waits until you click next, then the verification of all the domains is done.
Once ALL domains pass it displays the cert for you to save.
If ANY domain fails verification, it will fail, and allow you to retry (I think), until you get it right or give up.

Whether you do well-known files all at once, then verification all at once, or do well-known and verification in order per domain shouldn’t matter. If the first one fails verification, there is no point in verifying any more, since the cert lists all sites and must verify all of them before it can “certify” and sign the cert. You can’t have a cert listing 5 sites, and only pass verification on 4 of them. Otherwise I could list one of your sites on my cert, and get it signed! :open_mouth:

After reading the ACME documentation, especially Section 7.2, I don’t know about this part, but you might want to verify that idea. As I understand it LE issues a random token as part of the challenge, and that token becomes the well-known filename to provision on the server. If that’s correct then certbot couldn’t always get the same well-known files. Additionally, it’s not the client (certbot, GetSSL, or any other) that determines what the well-known file will be, it is the certificate server’s challenge to the client to create that file.
Lastly, I don’t think I understand what process you’re trying to create (quoting post #5): “if you even were able to download web-known files, distribute it to different hosts then you can’t verify them as they aren’t be verified by letsencrypt”
Each host has to have its own, unique, challenge, and therefore, well-known file. Distributing one successful well-known file to different hosts still will not verify them, since it’s the response to a different host’s challenge.
Somehow I think one of us has a misconception or two of how the process works, and what happens that we don’t see. I’m ready to admit that it could well be me, as I am very new to LE, and even to SSL and encryption itself.
I also concede that I probably haven’t said what I meant in the correct way, but I hope it is at least understandable, and I mean no offense, and apologize if any was given.


#7

Another alternative may be to use the DNS-01 challenge ( if that’s easier to automate than manually uploading challenges )


#8

Sadly, it’s not possible and never will be. The well-known file is meant to show that YOU are the owner of the website. If there were a list of well-known files, you would be able to ask for a certificate for a website you don’t own, because it would be easy to find the well-known file.

Let’s Encrypt requires every well-known file to have a random, unguessable string that is related to the user who requests the challenge. This makes sure that the one who requested the challenge is the one who uploaded the file, proving he is an admin of the website.

If someone were to get hold of a certificate for a website he doesn’t own using Let’s Encrypt’s systems, it would mark Let’s Encrypt as untrustworthy and remove their CA access, thus ending the Let’s Encrypt project.

So no, there is no way to do so.


#9

Thank you all for your help.

Vlad, I think that I misunderstood something from your reply.

By “me” do you mean personally me, the organization, the server administrator or the domain registrant?

Here is a test authorization I created:
https://acme-v01.api.letsencrypt.org/acme/authz/roYQU8tBmALDTuwv0_61vSQKPuUQj3YI7chBfPAhOSU

It is public file and anybody can read it. There you can see “http-01” challenge with the challenge link. Anybody can download your well-known files.

But you can’t get a certificate if the domain owner will not put these files on his server. If he does this, then you will get a certificate.

Yep. Random token but anybody can download it and each challenge is unique for each authorization.

All certificates are public and they should be. Here is a “test” certificate:
https://acme-staging.api.letsencrypt.org/acme/cert/faa667a9fec73067bff66bda8dd2b4315ac3

If you mean a private key for your domain, then a person who has stolen your private key will be able to use a “man in the middle” attack. But it won’t be Let’s Encrypt’s fault because they don’t have your private keys (so only your users will suffer, not all Let’s Encrypt’s users).

I found the client I need. It is a Java client which lets you do anything you want. Based on this client you can create your own acme client:

Sincerely,
Alexandr


#10

You indeed didn’t understand me. I’m using my phone so there might be some spelling mistakes, and this comment will not have quotes. Also, my English sucks. Sorry for those two. Anyways,

By “you” I mean the one who requests a certificate.

I meant if there were a list of possible well-known files. Of course anyone can access your well-known file, but it won’t matter because the content of it is “connected” to your Let’s Encrypt account only, so it will verify only your account as the domain owner, not anyone else. Forcing users to register, then giving them a token to use in the authentication process, will prove to LE (Let’s Encrypt) that the LE account owner owns the domains of the certificate he’ll later ask for.
If you were able to generate an authorization file and only afterwards “connect” it to your account, what would prevent others from connecting the same file to their account, then getting a certificate with their keys? As you said, the files themselves are publicly available, and if they were not “connected” to an LE account, anyone would be able to authenticate themselves as the domain owners.


#11

Yes, now it’s clear. I agree with you. When I posted a question I meant that I need some tool to download my challenges which I have already created but do not verify challenges immediately after I downloaded files.
I.e.

  1. Register
  2. Authorize domains and get all challenges for all authorized domains.
  3. Distribute my challenges on proper server.
  4. Verify domains
  5. Get a certificate

But most acme clients work like this:

  1. Register
  2. Authorize domains, download one challenge for one domain, verify domain. Download another challenge for another domain, verify another domain (and so on for all domains, i.e. example.com, www.example.com, admin.example.com, helloworld.example.com).
  3. Get certificates

So, I asked for a client which knows how to do all the above steps separately.

My English sucks too, so it can be that you misunderstood me too.

Sincerely,
Alexandr
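The mechanism behind the replies in #2, #7 and #10, and the split workflow listed in this post, as an added Python example (this is not code from the thread, from certbot, or from the Java client mentioned later): how the http-01 file content and the dns-01 TXT value are derived from the challenge token plus the RFC 7638 thumbprint of the ACME account key (RFC 8555 sections 8.1, 8.3 and 8.4), why a publicly readable challenge file only validates for the account that requested it, and how the "fetch challenges, distribute, verify later" steps can be kept apart on the client side. The account keys, tokens, hostnames and the `fetch` callable are constructed placeholders; a real client would additionally send the signed POST to each challenge URL that asks the CA to validate, which is what the CA's own check below stands in for.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members of the
    key, serialised with lexicographically sorted names and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the http-01 response body is
    <token> '.' <thumbprint of the ACME account public key>.
    The token is public; the thumbprint ties the file to one account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """Where the CA fetches the http-01 response (RFC 8555 section 8.3)."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_record_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(key authorization)), so it is account-bound as well."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_side_check(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA does with the fetched body: compare it, trailing whitespace
    ignored, against the key authorization of the account that asked."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


def stage_challenges(authorizations: list, account_jwk: dict) -> list:
    """Split step: turn the challenges the CA handed out into a provisioning
    plan (path and exact body per domain) that can be saved and pushed to
    every node first. Nothing is validated until the client tells the CA."""
    return [
        {
            "domain": a["domain"],
            "token": a["token"],
            "path": http01_path(a["token"]),
            "body": key_authorization(a["token"], account_jwk),
        }
        for a in authorizations
    ]


def verify_staged(plan: list, account_jwk: dict, fetch) -> dict:
    """Later step: confirm each host serves what the CA will expect before the
    validation request is sent. `fetch(domain, path)` stands in for the CA's
    HTTP GET; it is a callable here so the check runs offline."""
    return {
        entry["domain"]: ca_side_check(fetch(entry["domain"], entry["path"]),
                                       entry["token"], account_jwk)
        for entry in plan
    }


# Constructed placeholder account keys (not real RSA moduli): only the JWK
# shape matters for the thumbprint computation demonstrated here.
ACCOUNT_KEY_A = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-of-account-A"}
ACCOUNT_KEY_B = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-of-account-B"}

# Constructed challenge tokens, one per identifier, as a CA would hand them out.
AUTHORIZATIONS = [
    {"domain": "example.com", "token": "constructed-token-1"},
    {"domain": "www.example.com", "token": "constructed-token-2"},
]


def demo() -> dict:
    """Stage for account A, then check what the nodes actually serve."""
    plan = stage_challenges(AUTHORIZATIONS, ACCOUNT_KEY_A)
    # Constructed view of the nodes: the first file is correct (a trailing
    # newline is tolerated); the second was generated under another account.
    served = {
        ("example.com", plan[0]["path"]): plan[0]["body"] + "\n",
        ("www.example.com", plan[1]["path"]):
            key_authorization(plan[1]["token"], ACCOUNT_KEY_B),
    }
    return verify_staged(plan, ACCOUNT_KEY_A, lambda d, p: served.get((d, p), ""))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In an Anycast or load-balanced setup like the one in #3 the CA may reach any node, so the staged check should be run against each node's address individually before the validation request is sent. The demo result shows the two failure modes that matter: a file with a trailing newline still passes because the CA ignores trailing whitespace, while a file derived from a different account key does not, which is the property #10 is describing.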


#12

What client are you using, and what OS and language? If you are interested in a browser client, all the ones I know use the technique you described: first get all the challenges and only then authenticate them.


#13

OS: CentOS 7
As I said:

is a Java client library. So, I use Java to write a client. I have already written the client I need. Soon I will post it on github. I am not sure if somebody needs it, but if somebody needs a manual client he can use it. For me it isn’t convenient to verify my domain from the server where my domain points. For me it is much more convenient to manually control my challenges.

Sincerely,
Alexandr


#14

You are using a client to build a client? I have no clue how to use that client, but acme itself works in both ways: either one after another, or request all challenges and then complete them as you want, or any other way you want. Each challenge is valid for about 14 days; you can respond to it whenever you want in this timeframe.


#15

Yes, I am using a client to write a client :slight_smile: But I am using a client library to write the client application I need. That library lets you create whatever you need, but it isn’t an application.

I tried to use Certbot, GetSSL, acme.sh and dehydrated, but they are all automatic (even when I use Certbot in manual mode it downloads the challenges and then waits for you while you put them on your server, and you have to press Enter when you are done. What if I want only to download challenges or only to verify them? I haven’t found a solution for only downloading challenges and only verifying challenges).


#16

Is direct contact with acme an option? Because if it is, try it out. Java has so many great tools, it’ll be very easy to do in Java.


#17

I posted my Java ACME client on github. You can check it :slight_smile:

Sincerely,
Alexandr


#18

Great! I have no clue how, but I’m guessing you can ask let’s encrypt to add it to the clients list.


#19

Thank you! I don’t know either. Will try to ask somewhere.

