On Wed, Sep 23, 2015 at 09:16:46PM -0700, Andrew Ayer wrote:
> > I am OK with dropping the TLS option for "simpleHttp" validations.
> > (We can always make SimpleHTTPS later.)
>
> One annoying implication with dropping the TLS option is that it makes
> it difficult to complete the SimpleHTTP challenge when your HTTP site
> redirects to HTTPS, as best practice dictates. You'd have to
> special-case an exception to allow the challenge response to be served
> over HTTP (this is annoying to do in Apache).
>
> This isn't a problem if the ACME server follows redirects when
> validating the challenge. The draft doesn't currently require or
> forbid following redirects, so implementations will probably end up
> doing whatever their HTTP client library does by default.
Boulder does indeed follow redirects, so that's our current plan. I
don't think it would be a problem to require following them, or at
least N layers of them.

> Could we require the ACME server to follow redirects as long as the
> only change in the URI is the scheme? This should be safe since,
> presumably, the web server would only be configured to serve such a
> redirect if an HTTPS virtual host for that hostname was configured.

--
Peter Eckersley [email protected]
Chief Computer Scientist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
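The policy discussed in this thread (follow a redirect only when the URI changes solely in its scheme, and only for a bounded number of hops) can be enforced in a validator's HTTP client as shown below. This is an added example, not Boulder's or the draft's own code; the value of maxRedirects and the example.com URIs are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// maxRedirects bounds the hops a validation follows (assumed value; the draft sets none).
const maxRedirects = 3

// schemeOnlyChange reports whether `to` differs from `from` solely by upgrading http to
// https: same host, path, query and fragment; ports unchanged or each scheme's default.
func schemeOnlyChange(from, to *url.URL) bool {
	if from.Scheme != "http" || to.Scheme != "https" {
		return false // no downgrades and no http->http hops
	}
	if from.Hostname() != to.Hostname() || from.Path != to.Path ||
		from.RawQuery != to.RawQuery || from.Fragment != to.Fragment {
		return false
	}
	fp, tp := from.Port(), to.Port()
	return fp == tp || ((fp == "" || fp == "80") && (tp == "" || tp == "443"))
}

// allowRedirect is the string form of the check; unparsable URIs are never followed.
func allowRedirect(from, to string) bool {
	f, errF := url.Parse(from)
	t, errT := url.Parse(to)
	return errF == nil && errT == nil && schemeOnlyChange(f, t)
}

// checkRedirect plugs into http.Client.CheckRedirect: it bounds the hop count and refuses
// any redirect that changes more than the scheme (different host, port or path).
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= maxRedirects {
		return fmt.Errorf("validation stopped after %d redirects", maxRedirects)
	}
	if !schemeOnlyChange(via[len(via)-1].URL, req.URL) {
		return fmt.Errorf("redirect to %s changes more than the scheme; not followed", req.URL)
	}
	return nil
}

func main() {
	// A validator would issue its challenge GET through this client; the URIs are constructed.
	client := &http.Client{CheckRedirect: checkRedirect}
	fmt.Println(client != nil, allowRedirect("http://example.com/x", "https://example.com/x")) // true true
}
```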
