Ted Hardie wrote:

> There was discussion about registering a port specifically for ACME
> challenges, so that a running server on 80/443 did not have to be
> changed during the challenge. That would be a privileged port, and
> we could define the semantics for the challenges there to be similar
> to the 443 challenge (essentially a TLS-based challenge on a
> different, well-known port).
>
> I did not see consensus for this approach, but I also didn't detect
> the same opposition to it that other approaches attracted. If folks
> are interested in supporting this approach, I'd suggest writing a
> draft which describes the challenge and proposes registration; that
> would give us a more concrete understanding of whether the effort to
> support this would be appropriate for the number of installations
> which would use it.
>
> regards,
>
> Ted
This may not be required. Let's take a step back and look at the faced problem:

- The ACME challenge (currently) requires the client to listen on 80 or 443.
- On that server there is already a process listening there.
- The web server cannot be reconfigured to provide the file inside .well-known.
- The sysadmin doesn't want to stop the server while acquiring a certificate.

Listening on another port solves it, although it raises the authorization concern. Control of a port < 1024 will _probably_ be safe.

However, there's an even simpler way: redirect the request using the firewall. This way the client (or sysadmin manually following the steps) doesn't need to edit the web folder, stop the service or even use that machine if there's an intermediate box (such as a firewall or reverse proxy) where it can be mapped. The command to use is highly dependent on the underlying OS: iptables on Linux, ipfw on Mac/BSD, etc., but nothing that couldn't be checked by the script or provided in a well-documented list for the network admin.

The only additional requisite to provide this on the client would be for the CA to report the subnet (typically a /32 or /24) from which it will be verifying the challenge. AFAIK that's not currently provided in the challenge. The CA would be asserting that it is in control of that address space and the only connections from them to $domain on the next $seconds will only be used for challenge completion.

The actual command will be different for Linux, than Solaris, than Cisco… but pretty much any decent box in front of a system that can't have downtime will support this, even if it only has a limited web interface. The OS where this would be more problematic is Windows, as I don't recall it having the ability to do that built-in (the most similar feature seems to be netsh netproxy). However, it's also the OS where any logged-in user can open any port, and thus wasn't properly addressed by the “use a port < 1024” approach, either.
Best regards

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
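The firewall redirect described in the post, written out as an added example that is not part of the thread: it generates (and can install, then remove on exit) the iptables rules that send port 80 traffic from the CA's announced subnet to a local port where the ACME client listens, leaving the running web server untouched for every other source. It assumes Linux with iptables; the CA subnet 203.0.113.0/24 and the client port 8402 are hypothetical values chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumes Linux/iptables; subnet and port values below are hypothetical.

# acme_redirect_rules ACTION CA_SUBNET LISTEN_PORT [PUBLIC_PORT]
#   Prints the iptables commands for the redirect. ACTION is -A (install)
#   or -D (remove), so one function yields both halves of the window.
acme_redirect_rules() {
    action=$1; ca_subnet=$2; listen_port=$3; public_port=${4:-80}
    case "$action" in
        -A|-D) ;;
        *) echo "acme_redirect_rules: ACTION must be -A or -D" >&2; return 1 ;;
    esac
    # Only connections from the CA's subnet are redirected; all other
    # clients keep reaching the existing service on the public port.
    printf 'iptables -t nat %s PREROUTING -p tcp -s %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$action" "$ca_subnet" "$public_port" "$listen_port"
    # Let the redirected connections through the INPUT chain.
    printf 'iptables %s INPUT -p tcp -s %s --dport %s -j ACCEPT\n' \
        "$action" "$ca_subnet" "$listen_port"
}

# acme_challenge_window CA_SUBNET LISTEN_PORT -- CLIENT_COMMAND...
#   Installs the rules, runs the ACME client command, and removes the
#   rules again on exit (including on failure), so the redirect lives only
#   as long as the challenge. Needs root to actually apply the rules.
acme_challenge_window() {
    ca_subnet=$1; listen_port=$2; shift 2
    [ "$1" = "--" ] && shift
    acme_redirect_rules -A "$ca_subnet" "$listen_port" | sh
    # shellcheck disable=SC2064  # expand now so cleanup keeps these values
    trap "acme_redirect_rules -D '$ca_subnet' '$listen_port' | sh" EXIT
    "$@"
}

# Dry run: show the rules for the hypothetical CA subnet and client port.
# (Replace with: acme_challenge_window 203.0.113.0/24 8402 -- <acme client>)
acme_redirect_rules -A 203.0.113.0/24 8402
```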
