I think there are a few possible approaches to domain validation for hostnames that resolve to multiple IP addresses:
1) It is sufficient to deploy a challenge response on any IP address. 2) The challenge response must be deployed on all IP addresses. 3) The server tries one deterministic IP address and succeeds or fails based on whether the challenge is deployed there. Let's Encrypt currently does (3), but it's probably the worst of both worlds and we should fix it. Arguably (2) is the most secure, since a single-machine compromise isn't sufficient to issue a certificate. And (1) is the easiest and most user-friendly. I think it's also similar to existing practice in the wild. Jonas, security-wise your proposal is equivalent to (1). Rather than adding a preferred IP address to the spec, why not specif that ACME servers SHOULD implement (1)? Alternately we could state in the spec that the choice of IP is a policy choice of the CA, and lay out the two most reasonable options (1 and 2). On 11/30/2015 09:17 AM, Jonas Wielicki wrote: > Hi list, > > I have asked this in the IRC and was pointed to this mailing list. I > tried to get a certificate for klausurschokola.de via Let’s Encrypt > during the currently running limited beta (we have the domain > whitelisted). The name has the following address records: > > 1800 IN A 176.9.101.187 > 1800 IN A 217.115.12.71 > > (in addition, there is one AAAA record for each of the machines > addressed by the A records) > > As you can see, two different machines are addressed. Those are > physically separated machines with different main administrators. > Both are pulling their web content from the same source, but it is not > supposed to be dynamic, so there is no "fast" (order of seconds) way > to mirror the content. > > Our wish would be to be able to use different private keys and > certificates for both hosts, and renew these independently from the > other host. We thought that this would be possible using Let’s Encrypt. > > The problem is that currently, the Let’s Encrypt server sometimes > chooses the wrong of the two IPs to ask for the file in > /.well-known/acme-challenge. Ideally, it would use the IP of the > requester (of course only after it has verified that the IP is in the > DNS) or allow the requester to specify a preferred IP. > > For example, on 176.9.101.187: > > # letsencrypt certonly -c ~/schoko.ini -d klausurschokola.de -d > www.klausurschokola.de > > [… curses …] > > Failed authorization procedure. klausurschokola.de (http-01): > unauthorized :: The client lacks sufficient authorization :: Invalid > response from > http://klausurschokola.de/.well-known/acme-challenge/c5HJrtp8t8JhfNgTXVC > 8N7OsCrguAWGw-JTIJxCFeIQ > [217.115.12.71]: 404 > > > Is such a thing planned? Are there security reasons against doing > this? Are there security reasons against doing this on a DNSSEC signed > domain (which klausurschokola.de is)? > > best regards, > Jonas > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
