Validate multiple subdomains in separate requests

I’m trying to validate multiple subdomains in a Ruby app by doing something like this in my routing

  get ".well-known/acme-challenge/#{ ENV["ACME_TOKEN"] }"     => proc { [200, {}, [ ENV["ACME_KEY"] ] ] }

The idea is that I would get the key/value for my main domain and set the values on Heroku (which restarts the app) then I get the key/value for my www subdomain and set the values. I continue to do this for each of my subdomains.

It initially works, letsencrypt gives me a key/value and says everything is fine, lets me move to the next domain, and continues for all domains. However at the very end, it appears that it re-checks ALL the key/value pairs, which fails since I only have the last endpoint running on my app. Is this a hard limitation of letsencrypt or is this an implementation detail I could maybe work around in a custom client? Being able to validate 1 subdomain at a time would be very convenient to me.

Awfully quiet in here.

Could you provide some more details about exactly how you’re requesting the certificate, which client you’re using, what error you’re seeing, etc.?

On a protocol level, there’s an authorization object for every domain. A client picks one of the offered challenge types (in your case http-01), makes sure that the challenge request will succeed and then informs the CA that it is ready to solve the challenge. At that point the client can start polling the server for the authorization object. The authorization object has a status field, with the initial value being pending. The challenge file will need to stay up until this value changes to valid - not just until after the first request or anything like that, there’s nothing saying it’ll only be one request per challenge.

You might also be interested in this low-level Ruby library for ACME: https://github.com/unixcharles/acme-client

Thank you for the link to the ruby library, writing the library, and thanks for your response.

I’m using the Go acme client in another app that uses a token to make changes on my primary app.
I see this is the verification process from the readme:

challenge.request_verification # => true
challenge.verify_status # => 'pending'

# Wait a bit for the server to make the request, or just blink. It should be fast.
sleep(1)

challenge.verify_status # => 'valid'

I’m fine with multiple HTTP calls to verify a cert, but I guess what I’m looking for is a way to call

challenge.request_verification # => true

Once for each subdomain. So I can independently verify all my subdomains one by one.

The challenge object belongs to one specific authorization (and therefore one domain):

authorization = client.authorize(domain: 'example.org')
challenge = authorization.http01
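Putting the two answers together, as an added example (not code from this thread or from the acme-client project): keep every token's response served at once so a re-check of an earlier domain still succeeds, and poll each authorization until its status leaves pending. The authorization object here is a constructed stub standing in for what client.authorize returns, and the "token:key,token:key" config-var format is an assumed convention.

```ruby
# Added example, not from this thread or from acme-client: serve the http-01
# responses for SEVERAL tokens at once and poll an authorization until it
# leaves "pending". The authorization object is a constructed stub.
ACME_PATH = "/.well-known/acme-challenge/".freeze

# "token1:key1,token2:key2" (a constructed config-var convention) => token table.
def parse_challenges(raw)
  raw.to_s.split(",").each_with_object({}) do |pair, table|
    token, key = pair.strip.split(":", 2)
    next if token.nil? || token.empty? || key.nil? || key.empty?
    table[token] = key
  end
end

# Minimal Rack-compatible app, no gem needed: call(env) => [status, headers, body].
class AcmeChallengeApp
  def initialize(challenges)
    @challenges = challenges
  end
  def call(env)
    path = env["PATH_INFO"].to_s
    key = @challenges[path[ACME_PATH.length..-1]] if path.start_with?(ACME_PATH)
    return [404, { "content-type" => "text/plain" }, ["not found"]] unless key
    [200, { "content-type" => "text/plain" }, [key]]
  end
end

# Poll until status is no longer "pending"; only "valid" is success. Keep the
# challenge served the whole time, since the CA may fetch it more than once.
def wait_until_valid(authorization, attempts: 10, delay: 0)
  attempts.times do
    case authorization.status
    when "valid" then return true
    when "invalid" then return false
    end
    sleep(delay)
  end
  false
end

# Constructed stand-in for an authorization: replays a scripted status sequence.
class StubAuthorization
  def initialize(statuses)
    @statuses = statuses
  end
  def status
    @statuses.length > 1 ? @statuses.shift : @statuses.first
  end
end
```

Because the table holds every token, each subdomain can be authorized in its own request while all earlier responses stay live for the final re-check.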
