How to only allow http-01 or dns-01?

I was wondering how a domain can specify that they only wish to allow dns-01 or http-01 challenges (in my case, I'd like to only allow dns-01 for my domains).

I've checked the various docs, the community forum, a couple of search engines. Unfortunately, it seems that no one's asked this before or that the terms are simply too vague to get accurate results.

I did find a thread that trailed off on the IETF's Acme list about this, so I don't know if it's possible to do this with a CAA record or a custom record at this time.

As one commenter to that thread stated:

I was about to say that such users could just specify an "issue" directive and a "validation-methods" directive, but the CAA spec is actually unclear on how the rules combine. I suppose that's because CAA right now is really only a CA whitelist, so there's no need for combining.

That is about where I'm at with this. I do not have a ready way to test this with Let's Encrypt, nor do I have any guarantee that the behavior I see will remain in place.

Any insights/thoughts/etc. welcome. Even better would be a cluebat with a pointer to documentation that I missed. :slight_smile:

draft-ietf-acme-caa-03 defines validation-methods, as you’ve already noted, but I have no idea whether CAA implementations currently observe it/whether the draft is implemented.

I believe that the most specific CAA record is observed and any less specific records are ignored. At least, this is how it behaves for my domains.

Edit: I just did a test on a junk domain of mine, Let’s Encrypt happily issued a certificate via dns-01 when CAA only permitted http-01. Looks like it’s not implemented yet.

There has been work on it:

Looks like it was merged in October and then immediately backed out due to a bug.

(The early comments call the parameter “challenge” because the draft renamed it once or twice as it progressed.)

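To make the draft's semantics concrete, here is an added example (not from this thread, and not Let's Encrypt's or Boulder's own code) that evaluates CAA "issue"/"issuewild" records together with the validation-methods parameter from draft-ietf-acme-caa. It also implements the lookup rule mentioned above, where the closest name with a CAA RRset is used and less specific sets are ignored. The zone data, CA names and domain names are constructed; accepting the later unhyphenated spelling "validationmethods" alongside the draft-03 name is an assumption, as is the `honour_validation_methods` switch, which exists only to model a CA that ignores the parameter (the behaviour observed in the test described above).

```python
# Added example (not from the thread or from Let's Encrypt/Boulder): a small evaluator
# for CAA "issue"/"issuewild" records that also applies the validation-methods
# parameter from draft-ietf-acme-caa. Zone data and names below are constructed.
from dataclasses import dataclass

# Parameter spellings: the thread quotes the draft-03 name "validation-methods";
# later revisions dropped the hyphen. Accept both (assumption: a CA would too).
METHOD_PARAMS = ("validation-methods", "validationmethods")
CRITICAL = 0x80  # RFC 8659 issuer-critical flag


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_issue_value(value):
    """Split 'ca.example; validation-methods=dns-01,http-01' into (issuer, params).
    An empty issuer (value ';') matches no CA."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip()
    return issuer, params


def relevant_caa_set(zone_data, fqdn):
    """RFC 8659 lookup: the CAA RRset of the closest name (or ancestor) that has one;
    a more specific set completely replaces a less specific one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in zone_data:
            return zone_data[name]
    return []


def issuance_permitted(zone_data, fqdn, ca, method, wildcard=False,
                       honour_validation_methods=True):
    """True if `ca` may issue for `fqdn` after validating it with ACME challenge `method`.
    honour_validation_methods=False models a CA that ignores the parameter, which is
    the behaviour the thread observed."""
    records = relevant_caa_set(zone_data, fqdn)
    if not records:
        return True  # no CAA anywhere up the tree: no restriction
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef")
           for r in records):
        return False  # unknown critical property: must not issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # RRset present but places no issuance restriction (e.g. iodef only)
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca.lower():
            continue
        allowed = next((params[k] for k in METHOD_PARAMS if k in params), None)
        if allowed is None or not honour_validation_methods:
            return True
        if method.lower() in {m.strip().lower() for m in allowed.split(",")}:
            return True
    return False


# Constructed zone: a parent that allows only dns-01, a child with no method limit,
# and a child that forbids issuance entirely.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org; validation-methods=dns-01"),
        CAARecord(0, "iodef", "mailto:caa@example.com"),
    ],
    "open.example.com": [CAARecord(0, "issue", "letsencrypt.org")],
    "locked.example.com": [CAARecord(0, "issue", ";")],
}


def demo():
    """Collect decisions for the constructed zone so they can be checked."""
    ca = "letsencrypt.org"
    return {
        "www dns-01": issuance_permitted(ZONE, "www.example.com", ca, "dns-01"),
        "www http-01": issuance_permitted(ZONE, "www.example.com", ca, "http-01"),
        "www http-01, CA ignores parameter": issuance_permitted(
            ZONE, "www.example.com", ca, "http-01", honour_validation_methods=False),
        "open http-01": issuance_permitted(ZONE, "open.example.com", ca, "http-01"),
        "locked dns-01": issuance_permitted(ZONE, "locked.example.com", ca, "dns-01"),
        "other CA at www": issuance_permitted(
            ZONE, "www.example.com", "other-ca.example", "dns-01"),
        "no CAA at all": issuance_permitted(ZONE, "nocaa.example.net", ca, "http-01"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'permitted' if ok else 'refused'}")
```

The point of the `honour_validation_methods=False` case is that a CAA record restricting methods only protects you if the CA actually evaluates the parameter; until it does, the record is a no-op for that CA, which is exactly what the junk-domain test above showed. Running `demo()` against the constructed zone shows www.example.com permitted via dns-01 but refused via http-01, the open child permitted either way, and the locked child refused.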

@mnordhoff’s got it exactly right: There's an IETF draft in progress. A helpful contributor implemented it for us. We merged it, but there was a bug so we backed it out. Not currently implemented.


I expect we'll revisit implementing this once the dust has settled a bit with the V2 API and Wildcards. I'm certainly interested in having this feature implemented one day :slight_smile:

