HTTP-01 over https as an alternative to TLS-SNI?

It looks like some users have problems with DNS since it’s hard to automate in some environments and with HTTP-01 since they cannot open port 80 on their systems. I wonder whether allowing the HTTP-01 protocol over https would be a solution. Instead of the requirements from TLS-SNI for the server certificate, one might just require that the certificate presented in the response mentions the hostname the certificate is requested for, but does not have to be signed by a common CA. The ACME protocol specifications mention that some sites might have a default https virtual host configured that might differ from the http virtual host the certificate is intended for, so those checks on the certificate should likely detect such an https default virtual host setup in common setups.

However, I don’t claim that I know every kind of setup that might exist out there at some virtual hosting or cloud provider, so the idea is probably not 100% foolproof, but it might be an adequate solution for those users who would like to get their initial certificate or renewal through port 443.
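As an added illustration of the check described above (not code from the original post, and not how Let's Encrypt or any ACME CA actually validates), here is what a validator following this proposal would do for an HTTP-01 response fetched over https: it compares the response body with the RFC 8555 key authorization (token plus the RFC 7638 thumbprint of the account key) and, instead of verifying the chain, only checks that the presented certificate names the requested host. The JWK and the certificate dictionary are constructed samples; the dictionary uses the shape Python's `ssl.getpeercert()` returns, so a real peer certificate could be passed in the same way.

```python
import base64
import hashlib
import json
from typing import Mapping, Tuple

def jwk_thumbprint(jwk: Mapping[str, str]) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace, SHA-256, base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def expected_key_authorization(token: str, account_jwk: Mapping[str, str]) -> str:
    """RFC 8555 key authorization: <token>.<thumbprint of the ACME account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost label (e.g. *.example.org)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return head != "" and sep == "." and rest == pattern[2:]
    return False

def cert_names_hostname(peercert: Mapping, hostname: str) -> bool:
    """The only certificate requirement in the proposal: the presented cert names the host.
    Chain/CA trust is deliberately NOT checked, because the whole point is to accept
    self-signed or default-vhost certificates. SAN dNSName entries are used; the CN
    is consulted only when the certificate carries no SAN at all."""
    names = [v for (kind, v) in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)

def validate_http01_over_https(hostname: str, token: str, account_jwk: Mapping[str, str],
                               peercert: Mapping, body: str) -> Tuple[bool, dict]:
    """Return (ok, per-check results). Both checks must pass; a default https vhost
    serving a cert for a different name fails the first one, and a stale or wrong
    challenge file fails the second one."""
    checks = {
        "cert_names_host": cert_names_hostname(peercert, hostname),
        "body_is_key_authorization": body.strip() == expected_key_authorization(token, account_jwk),
    }
    return all(checks.values()), checks

# --- constructed sample input (not real keys or certificates) ---
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # token format as in RFC 8555 examples
# Certificate the server presents on port 443: self-signed, names the requested host.
SAMPLE_CERT_OK = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "example.org")),
}
# A default https virtual host presenting some other site's certificate.
SAMPLE_CERT_OTHER_VHOST = {
    "subject": ((("commonName", "default.hosting.example"),),),
    "subjectAltName": (("DNS", "default.hosting.example"),),
}

if __name__ == "__main__":
    good_body = expected_key_authorization(SAMPLE_TOKEN, SAMPLE_JWK) + "\n"
    print(validate_http01_over_https("www.example.org", SAMPLE_TOKEN, SAMPLE_JWK, SAMPLE_CERT_OK, good_body))
    print(validate_http01_over_https("www.example.org", SAMPLE_TOKEN, SAMPLE_JWK, SAMPLE_CERT_OTHER_VHOST, good_body))
```

The second sample certificate is the case the post raises: a hosting provider's catch-all https virtual host answers on 443 with its own certificate, so the name check fails even though the body might have been served correctly, which is exactly the mis-attribution the proposal wants to catch. Whether that check is sufficient against every multi-tenant layout is the open question the post acknowledges.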

