> These third-party services do have an option that would avoid the need for their users to add a second CNAME: they could use the HTTP or TLS SNI challenges. This would require extra engineering work, as they would need to coordinate the installation/configuration of ACME challenge responses across a fleet of servers as opposed to changing a DNS record.
Also, Let's Encrypt currently supports HTTP redirects. So a service provider could set up a static redirect on all their frontends from /.well-known/validation/<foo> -> acme-validator.serviceprovider.net/foo. If acme-validator is assumed to be less widely distributed than the general-purpose frontends, it would be easier to update quickly.
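The redirect arrangement described in the message above, as an added example that is not part of the thread: a front-end that answers only challenge-path requests with a static 302 to a dedicated validator host, a validator that serves the key authorisations, and a client standing in for the CA that follows the redirect. The /.well-known/validation/ path is the one used in the message, while the validator hostname, the sample token and the key-authorisation string are constructed for illustration.

```python
"""Added example, not code from the mailing-list thread or from Let's Encrypt.

A fleet of front-ends needs no per-token state: every challenge request is
redirected to one validator host that holds the key authorisations.  The
validator hostname, token and key authorisation below are assumptions.
"""
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/validation/"          # path from the message
VALIDATOR_HOST = "acme-validator.serviceprovider.net"  # assumed hostname

# Constructed sample: token -> key authorisation held only by the validator.
KEY_AUTHORIZATIONS = {
    "tok123": "tok123.thumbprint-of-account-key",
}

# ACME tokens are base64url; rejecting anything else keeps "../x" or "?x" out
# of the redirect target so the validator's namespace cannot be escaped.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def redirect_location(path, validator_base):
    """Location header for a challenge request, or None when the front-end
    should serve its normal content instead (non-challenge path or bad token)."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return None
    return f"{validator_base}/{token}"


class FrontendHandler(BaseHTTPRequestHandler):
    """Static redirect rule deployed on every general-purpose front-end."""
    validator_base = f"http://{VALIDATOR_HOST}"

    def do_GET(self):
        target = redirect_location(self.path, self.validator_base)
        if target is None:
            self.send_error(404)
            return
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class ValidatorHandler(BaseHTTPRequestHandler):
    """The single, quickly updatable host that knows the key authorisations."""

    def do_GET(self):
        body = KEY_AUTHORIZATIONS.get(self.path.lstrip("/"))
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


def serve(handler_cls):
    """Start a server on an ephemeral loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_frontend(token):
    """Act as the CA: request the challenge URL on a front-end, follow the
    302 to the validator and return (final_url, body)."""
    validator = serve(ValidatorHandler)
    # Point the front-end at the local validator instead of the assumed host.
    local_frontend = type("LocalFrontend", (FrontendHandler,), {
        "validator_base": f"http://127.0.0.1:{validator.server_port}",
    })
    frontend = serve(local_frontend)
    try:
        url = f"http://127.0.0.1:{frontend.server_port}{CHALLENGE_PREFIX}{token}"
        with urllib.request.urlopen(url) as resp:  # urllib follows the 302
            return resp.geturl(), resp.read().decode()
    finally:
        for srv in (frontend, validator):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(fetch_via_frontend("tok123"))
```

The front-end rule is the only thing that has to exist on every server, and it never changes; new tokens are installed on the validator alone. A CA's validator follows only a bounded number of redirects and only to http/https targets, so the redirect should point straight at the validator rather than chaining through further hops.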
