HTTP-based verification for wildcards

Hello,

Could you please offer a way to mark a domain name (via DNS) as ok to validate wildcard via HTTP? Live updating of DNS is extremely impractical for me.

Thanks!
James

“Why not HTTP validation” was already covered there: Wildcard Certificates Coming January 2018


Right. That’s why I am suggesting marking ‘control of *.xyz.com is by the person who controls xyz.com HTTP’ via DNS.

The ACME working group is working on a CAA extension that can be used to tell CAs which validation methods are permitted for a domain, including a separate “issuewild” property for wildcard identifiers. It would be possible to relax the DNS validation requirement for domains with a CAA record indicating the HTTP method should be permitted.

It’s unlikely that such a change would be considered for the initial release, but the wildcard announcement mentioned that other options will be considered in the future, so it’s definitely not out of the question at some point in the future.


Indeed, using the dns-01 method is not a good option in cases where you want to provide Let’s Encrypt support in widely distributed servers which have to run mostly autonomously.

It would be very simple to support http-01 based validation for requesting wildcards like *.aa.bb.cc from a specific server, xx.yy.zz, either separately or together with the server’s own certificate (i.e. where the certificate includes both xx.yy.zz and *.aa.bb.cc).

All it takes is that the owner of bb.cc domain creates a DNS TEXT record which looks something like this (note: it is actually “wildcard” rather than “*”):

“wildcard.aa.bb.cc” TEXT “acme@xx.yy.zz”
“wildcard.acme.aa.bb.cc” TEXT “xx.yy.zz”

or whatever will suit the ACME server best.

This designates that host xx.yy.zz is allowed to request a certificate for “*.aa.bb.cc” via the ACME protocol (using whatever method is already supported by the ACME protocol).

I think this would work out-of-the-box with most of the existing clients using the http-01 method, as it is only the server which needs to perform the extra DNS check.

Could something like this be added to Boulder soon to let wildcard support benefit from the “autonomous server friendly” http-01 protocol?

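The server-side check the post above proposes, as an added example (not Boulder’s code and not from the thread): the zone owner publishes a TXT record at wildcard.acme.<base> naming the host that may obtain *.<base> after completing http-01, and the CA consults it before honouring the wildcard. The record shape follows the second variant in the post; the dict standing in for DNS and the hostnames in it are constructed for the example.

```python
# Constructed stand-in for DNS; these are not real zone data.
CONSTRUCTED_ZONE = {
    # the owner of bb.cc delegates *.aa.bb.cc to host xx.yy.zz, as in the post
    "wildcard.acme.aa.bb.cc.": ["xx.yy.zz"],
    # a zone may name several permitted hosts, one per TXT string
    "wildcard.acme.other.bb.cc.": ["one.example.", "two.example"],
    # a record trying to permit everyone is deliberately not honoured
    "wildcard.acme.lax.bb.cc.": ["*"],
}


def _norm(name):
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def resolve_txt(name, zone=CONSTRUCTED_ZONE):
    """Stand-in for a TXT lookup; a real CA would use a validating resolver."""
    return list(zone.get(_norm(name), []))


def delegation_name(wildcard):
    """Map a wildcard identifier '*.aa.bb.cc' to 'wildcard.acme.aa.bb.cc.'."""
    if not wildcard.startswith("*."):
        raise ValueError("not a wildcard identifier: %r" % wildcard)
    base = wildcard[2:].strip().rstrip(".").lower()
    if not base or "*" in base or "" in base.split("."):
        raise ValueError("malformed wildcard identifier: %r" % wildcard)
    return "wildcard.acme." + base + "."


def host_may_request(wildcard, challenged_host, zone=CONSTRUCTED_ZONE):
    """True only if the host that answered http-01 is explicitly delegated.

    Each TXT string must name one concrete host; an empty string or one
    containing '*' is ignored rather than read as 'allow anyone'.
    """
    target = _norm(challenged_host)
    if target == ".":
        return False
    allowed = set()
    for txt in resolve_txt(delegation_name(wildcard), zone):
        txt = txt.strip()
        if txt and "*" not in txt and " " not in txt:
            allowed.add(_norm(txt))
    return target in allowed
```

The check only establishes that the zone owner delegated the name; the http-01 challenge at the delegated host still has to succeed, and a production CA would resolve the TXT record through a DNSSEC-validating resolver rather than a dict.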
