Mixed Domain Validation types: http01 + DNS

hosseinsh · October 9, 2020, 12:06am

Dear Let's Encrypt team and community,

we are using the acme-python plugin within our Certificate Management Service. We support DNS as the main domain validation type, and starting to also support http01 validation.

I was wondering, if a SAN certificate request would be able to mix the validation types for each of the domains.

This would be required to support wildcard domains within the SAN, where we need to use the DNS validation method.

The order usually looks something like this, where each authorization contains all supported validation types:

{
  "status": "pending",
  "expires": "2020-10-08T20:54:46Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "domain2.com"
    },
    {
      "type": "dns",
      "value": "domain3.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/#identifier",
    "https://acme-v02.api.letsencrypt.org/acme/authz/#identifier",
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/#account/#identifier"
}

First Authorization

{
  "identifier": {
    "type": "dns",
    "value": "domain2.com"
  },
  "status": "pending",
  "expires": "2020-10-08T20:54:46Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/#identifier",
      "token": "#TOKEN"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/#identifier",
      "token": "#TOKEN"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/#identifier",
      "token": "#TOKEN"
    }
  ]
}

griffin · October 9, 2020, 12:23am

Welcome to the Let's Encrypt Community, Hossein

You can authorize any challenge you like that is presented for an identifier. Mix and match away. No need to use more than one type for any given identifier. Once a challenge of any type is validated for an identifier, the validation is usually cached for 30 days for that identifier for the ACME account that submitted the order. This might save you a lot of headache wondering why authorizations are already validated between orders that share an identifier.

Please be aware of the rate limits and use the staging servers for testing.

hosseinsh · October 9, 2020, 7:51pm

thank you Jonathan for the insight and shared links.

system · November 8, 2020, 7:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.