Hello,
Could you please offer a way to mark a domain name (via DNS) as ok to validate wildcard via HTTP? Live updating of DNS is extremely impractical for me.
Thanks!
James
"Why not HTTP validation" was already covered there: Wildcard Certificates Coming January 2018
Right. That's why I am suggesting marking "control of *.xyz.com is by the person who controls xyz.com HTTP" via DNS.
The ACME working group is working on a CAA extension that can be used to tell CAs which validation methods are permitted for a domain, including a separate "issuewild" property for wildcard identifiers. It would be possible to relax the DNS validation requirement for domains with a CAA record indicating the HTTP method should be permitted.
It's unlikely that such a change would be considered for the initial release, but the wildcard announcement mentioned that other options will be considered in the future, so it's definitely not out of the question at some point in the future.
Indeed, using the dns-01 method is not a good option in cases where you want to provide Let's Encrypt support in widely distributed servers which have to run mostly autonomously.
It would be very simple to support http-01 based validation for requesting wildcards like *.aa.bb.cc from a specific server, xx.yy.zz, either separately or together with the server's own certificate (i.e. where the certificate includes both xx.yy.zz and *.aa.bb.cc).
All it takes is that the owner of the bb.cc domain creates a DNS TXT record which looks something like this (note: it is actually "wildcard" rather than "*"):
"wildcard.aa.bb.cc" TXT "acme@xx.yy.zz"
"wildcard.acme.aa.bb.cc" TXT "xx.yy.zz"
or whatever will suit the ACME server best.
This designates that host xx.yy.zz is allowed to request a certificate for "*.aa.bb.cc" via the ACME protocol (using whatever method is already supported by the ACME protocol).
I think this would work out-of-the-box with most of the existing clients using the http-01 method, as it is only the server which needs to perform the extra DNS check.
Could something like this be added to Boulder soon to let wildcard support benefit from the "autonomous server friendly" http-01 protocol?
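As an added example (not code from this thread, from Boulder, or from any CA), the following shows what the server-side check discussed in the two posts above would look like. It evaluates, against a constructed in-memory DNS record set, whether an ACME server should accept an http-01 authorization for a wildcard identifier. Two sources of policy are consulted: CAA "issue"/"issuewild" records carrying the "validationmethods" parameter (RFC 8657, the standardized form of the CAA extension mentioned earlier in the thread, with parent-zone climbing as in RFC 8659), and the hypothetical "wildcard.<base>" TXT record from the last post in its "acme@<host>" form. The TXT scheme, the record names and the hosts are the poster's proposal and constructed sample data, not anything a CA implements.

```python
"""Added example: CAA validationmethods (RFC 8657) plus the proposed
"wildcard.<base>" TXT delegation, evaluated against constructed records.
Not code from the thread, Boulder, or any CA."""

# Constructed DNS data: name -> list of (rtype, rdata). The TXT record is
# the poster's hypothetical scheme; the CAA records use RFC 8657 syntax.
RECORDS = {
    "bb.cc": [
        ("CAA", '0 issue "letsencrypt.org"'),
        ("CAA", '0 issuewild "letsencrypt.org; validationmethods=http-01"'),
    ],
    "wildcard.aa.bb.cc": [("TXT", "acme@xx.yy.zz")],
    "example.net": [
        ("CAA", '0 issuewild "letsencrypt.org; validationmethods=dns-01"'),
    ],
}


def lookup(records, name, rtype):
    """Return the rdata strings of type rtype at an exact name."""
    return [rdata for rt, rdata in records.get(name, []) if rt == rtype]


def caa_record_set(records, name):
    """RFC 8659: the relevant CAA RRset is the one at the closest name,
    starting with the name itself and climbing to parents, that has CAA."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = lookup(records, ".".join(labels[i:]), "CAA")
        if rrset:
            return rrset
    return []


def parse_caa(rdata):
    """'0 issuewild "ca; validationmethods=http-01"' -> (tag, issuer, params)."""
    _flags, tag, rest = rdata.split(" ", 2)
    parts = [p.strip() for p in rest.strip().strip('"').split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            key, value = p.split("=", 1)
            params[key.strip()] = value.strip()
    return tag, parts[0], params


def caa_permits(records, identifier, ca_domain, method):
    """True if CAA policy lets ca_domain issue for identifier via method."""
    wildcard = identifier.startswith("*.")
    base = identifier[2:] if wildcard else identifier
    rrset = [parse_caa(r) for r in caa_record_set(records, base)]
    # For a wildcard, issuewild records take precedence when any exist;
    # otherwise the issue records apply (RFC 8659).
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _, _ in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r[0] == tag]
    if not relevant:
        return True  # no applicable issue/issuewild records: no CAA restriction
    for _tag, issuer, params in relevant:
        if issuer != ca_domain:
            continue
        allowed = params.get("validationmethods")
        # Absent parameter: any method; present: only the listed methods.
        if allowed is None or method in [m.strip() for m in allowed.split(",")]:
            return True
    return False


def txt_authorizes(records, identifier, requesting_host):
    """Poster's hypothetical scheme: '*.<base>' may be requested over http-01
    by host H when TXT 'wildcard.<base>' contains 'acme@H'."""
    if not identifier.startswith("*."):
        return False
    for txt in lookup(records, "wildcard." + identifier[2:], "TXT"):
        if txt.startswith("acme@") and txt[5:].lower() == requesting_host.lower():
            return True
    return False


def http01_wildcard_allowed(records, identifier, requesting_host,
                            ca_domain="letsencrypt.org"):
    """Both gates must pass: CAA permits http-01 for this CA, and the zone
    owner has delegated the wildcard to the host answering the challenge."""
    return (caa_permits(records, identifier, ca_domain, "http-01")
            and txt_authorizes(records, identifier, requesting_host))


if __name__ == "__main__":
    print(http01_wildcard_allowed(RECORDS, "*.aa.bb.cc", "xx.yy.zz"))      # True
    print(http01_wildcard_allowed(RECORDS, "*.aa.bb.cc", "other.host"))    # False
    print(http01_wildcard_allowed(RECORDS, "*.example.net", "xx.yy.zz"))   # False
```

The decision is deliberately two-sided: the CAA record restricts which CA and which validation method the zone owner accepts, while the TXT record names the single host that may complete the challenge. Climbing to "bb.cc" when "aa.bb.cc" has no CAA records mirrors real CAA processing, so a policy set at the zone apex covers the delegated subdomain.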