On Sun, Jan 15, 2017 at 02:50:37PM +0100, Dirk-Willem van Gulik wrote:
> W.r.t. http-acme — as far as I understand, the current 0.4 draft
> (https://tools.ietf.org/html/draft-ietf-acme-acme-04) has the well-known
> fetch going to port 80:
> 
>       Section 7.2, page 47
> 
>          3.  Dereference the URI using an HTTP GET request.  
> 
>               This request MUST be sent to TCP port 80 on the server.
> 
> The new draft (https://letsencrypt.github.io/acme-spec/, also numbered
> '04'), in section 7.1 ‘Simple HTTP’, does a 180-degree change on this
> ‘default’: to an httpS default with an option to explicitly move it to
> HTTP with:
> 
>   "tls": false / false

That's not a new version. It is a pre-WG version, published about 1.5
years ago.

The reason HTTPS support for HTTP authentication was removed was that
many webservers handle HTTPS in an odd manner, making the alphabetically
first HTTPS vhost the default, which would let one get certificates
for vhosts one should not.

Currently in the acme spec, the only ways to do verification without port
80 are TLS-SNI-02 (uses port 443) and DNS-01 (no connections at all,
relies on DNS exclusively).

-Ilari
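A toy model of the failure mode Ilari describes above, added here as an example and not part of the thread or of any ACME implementation. It assumes a shared-IP server that routes plain-HTTP requests by exact Host header match but, for HTTPS, answers a name with no TLS configuration from the alphabetically first TLS-enabled vhost; the tenant names, host names and token are constructed. The challenge body is simplified to the bare token (the real HTTP-01 body is the key authorization).

```python
from dataclasses import dataclass, field


@dataclass
class VHost:
    name: str                                   # server name this vhost answers for
    owner: str                                  # tenant who controls the docroot
    has_tls: bool                               # a TLS (HTTPS) config exists for it
    files: dict = field(default_factory=dict)   # request path -> response body


def select_vhost(vhosts, protocol, requested_name):
    """Model of vhost routing. Assumed behaviour, not any specific server's code."""
    if protocol == "http":
        # Port-80 case: routing is by the Host header, so exact name match or nothing.
        return next((v for v in vhosts if v.name == requested_name), None)
    if protocol == "https":
        # HTTPS case from the thread: a name without TLS config is answered by the
        # alphabetically first TLS-enabled vhost instead of being refused.
        for v in vhosts:
            if v.name == requested_name and v.has_tls:
                return v
        tls_vhosts = sorted((v for v in vhosts if v.has_tls), key=lambda v: v.name)
        return tls_vhosts[0] if tls_vhosts else None
    raise ValueError(f"unknown protocol {protocol!r}")


CHALLENGE_PATH = "/.well-known/acme-challenge/"


def who_satisfies_challenge(vhosts, protocol, domain, token):
    """Owner of the vhost whose docroot served the token for `domain`, or None.
    A validator that trusts this fetch would issue a certificate for `domain`
    to that owner."""
    v = select_vhost(vhosts, protocol, domain)
    if v is None or v.files.get(CHALLENGE_PATH + token) != token:
        return None
    return v.owner


def misattributed(vhosts, protocol, domain, token):
    """True when the challenge for `domain` is credited to a tenant other than
    the one that actually owns `domain`: the mis-issuance the thread describes."""
    real_owner = next((v.owner for v in vhosts if v.name == domain), None)
    answering = who_satisfies_challenge(vhosts, protocol, domain, token)
    return answering is not None and answering != real_owner


# Constructed sample: two tenants share one IP. tenant-a already has TLS and is
# alphabetically first; tenant-z has no TLS yet, which is why it needs a cert.
TOKEN = "constructed-token-123"
VHOSTS = [
    VHost("zzz-bank.example", "tenant-z", has_tls=False),
    VHost("aaa-shop.example", "tenant-a", has_tls=True,
          files={CHALLENGE_PATH + TOKEN: TOKEN}),
]

if __name__ == "__main__":
    for proto in ("http", "https"):
        print(proto,
              who_satisfies_challenge(VHOSTS, proto, "zzz-bank.example", TOKEN),
              misattributed(VHOSTS, proto, "zzz-bank.example", TOKEN))
```

Over plain HTTP the validator's request for zzz-bank.example reaches that vhost's own (empty) docroot and the challenge simply fails; over HTTPS the fallback hands the request to aaa-shop.example's docroot, so a token placed there is credited to zzz-bank.example. That asymmetry is why the port-80 fetch stayed in the draft and the HTTPS option was dropped.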

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme