Hi,
LE issues wildcard certificates using the DNS-01 validation method.
LE now issues IP certificates using http-01 or tls-alpn-01 validation methods.
Is there a way to have a certificate containing both? How would validation be done?
Thanks
Server side, the client can select the challenge type independently. Most clients don't support such a config in general: the only thing I can think of now is uacme, because it defers challenge selection/solving to a user-crafted script.
Yes, each name on the certificate can use a different validation method. Some clients may make it trickier to do than others. But like, acme.sh's documentation shows you can specify the authentication method after each name. I don't think certbot handles it. But there are plenty of ACME clients other than certbot.
Thank you for your input! I'm using certbot with the manual plugin. IP addresses are not yet supported, but they are working on it. Will see if this allows using different validation types for a single CSR - ideally certbot will use HTTP or DNS based on the requested host.
Hi - Just to give you an update: A new version of certbot was released and I got a certificate from LE staging with an IPv4, IPv6, DNS and wildcard as part of the SAN using the manual plugin.
That doesn't sound practical to do every 3-4 days for your short-lived cert. How do you plan to automate that?
Hi,
I use the manual plugin and have set the --manual-auth-hook. The script places the HTTP challenge in the folder and makes the DNS change for the DNS challenge. This makes the process non-interactive and therefore feasible.
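
An added example of the kind of `--manual-auth-hook` described in the last post, not the poster's script and not code from certbot: it picks the challenge type from certbot's hook environment variables (`CERTBOT_TOKEN` is set only for http-01) and rejects tokens that are not plain base64url before using them as file names. Assumptions not taken from the thread: the `WEBROOT` and `TSIG_KEY` paths, the function names, and the use of `nsupdate` (RFC 2136) for the DNS change.

```shell
#!/bin/sh
# Added example: certbot --manual-auth-hook serving http-01 and dns-01.
# Assumptions (not from the thread): WEBROOT path, TSIG key path, and
# RFC 2136 dynamic updates via nsupdate for the DNS side.
WEBROOT="${WEBROOT:-/var/www/acme}"            # assumed webroot served on port 80
TSIG_KEY="${TSIG_KEY:-/etc/certbot/tsig.key}"  # assumed key file for nsupdate -k

# certbot sets CERTBOT_TOKEN only for http-01, so its presence selects the type.
challenge_type() {
    if [ -n "${CERTBOT_TOKEN:-}" ]; then echo http-01; else echo dns-01; fi
}

# Write the key authorization where the CA will fetch it. The token becomes a
# file name, so accept only base64url characters (blocks ../ traversal).
place_http_challenge() {  # args: token validation
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) echo "refusing token: $1" >&2; return 1 ;;
    esac
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$2" > "$dir/$1"
}

# Build the nsupdate input for the TXT record. A wildcard and its base name
# share one record name, so values are added without deleting existing ones.
dns_update_commands() {  # args: domain validation
    base=${1#\*.}         # drop a leading "*." if the name is a wildcard
    printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\nsend\n' "$base" "$2"
}

# Do the work only when certbot invoked this file as a hook.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    case "$(challenge_type)" in
        http-01) place_http_challenge "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" ;;
        dns-01)  dns_update_commands "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
                     | nsupdate -k "$TSIG_KEY" ;;
    esac
fi
```

A matching `--manual-cleanup-hook` would remove the challenge file and the TXT record after validation.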