Erik Nygren <[email protected]> wrote:
> One of my colleagues recently pointed out a potential interaction between
> HTTPS RRs (RFC 9460) as it relates to ACME and HTTP-01 DV. If a hostname
> gets an HTTPS RR into DNS prior to getting a cert validated, then there
> would be a problem if the ACME client resolved the HTTPS RR and
> auto-upgraded the http:// URI to https as part of HTTP-01 DV. Since a cert
> won't exist yet this would fail.
That seems like a bad thing for an ACME server to do.
It's an http-01 challenge, not an https-01 challenge.
It shouldn't be updating. ACME servers doing dns-01 challenges already take
special care to avoid caching, so they should also pay attention to ignore
HTTPS RRs.
> How would we want to clarify this? It's probably too big for an errata
> for RFC 8555 but annoying to have to have a draft just to clarify all on its
> own. If there are plans to do an rfc8555bis (or anything else Updating
> rfc8555 for HTTP-01) this could be good to include in there.
> The reading of RFC 8555 section 8.3 is fairly clear that:
> Dereference the URL using an HTTP GET request. This request MUST be sent to
> TCP port 80 on the HTTP server
I don't think it's too big for an errata.
"When doing http-01 challenges, ignore HTTPS RRs"
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
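The scenario discussed in the thread, as an added example that is not part of the thread or of any ACME implementation: a validator that follows RFC 8555 section 8.3 literally (plain HTTP GET to TCP port 80, ignoring any HTTPS RR for the name) beside the hypothetical "upgrade to https when an HTTPS RR exists" behaviour Erik describes. The network is replaced by a constructed in-memory fetch that, like a host that has not yet obtained a certificate, answers only on port 80; all function names, the hostname, token and thumbprint are constructed for the example.

```python
"""Added example: http-01 validation must not be upgraded to https by an HTTPS RR.

The fetch callable stands in for the network so the example runs offline.
Hostname, token and thumbprint below are constructed, not real ACME values.
"""
from dataclasses import dataclass
from typing import Callable, Optional

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Request:
    """The validation request the CA would send (constructed, no sockets)."""
    scheme: str
    host: str
    port: int
    path: str


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{thumbprint}"


def rfc8555_request(hostname: str, token: str, https_rr_present: bool) -> Request:
    """RFC 8555 section 8.3 behaviour: HTTP GET to TCP port 80, always.
    The https_rr_present flag is accepted only to show that it is ignored."""
    del https_rr_present  # an HTTPS RR must not change an http-01 validation
    return Request("http", hostname, 80, CHALLENGE_PATH + token)


def upgrading_request(hostname: str, token: str, https_rr_present: bool) -> Request:
    """Hypothetical behaviour the thread warns about, shown for contrast:
    treat a published HTTPS RR as permission to upgrade the URI to https."""
    if https_rr_present:
        return Request("https", hostname, 443, CHALLENGE_PATH + token)
    return Request("http", hostname, 80, CHALLENGE_PATH + token)


def validate_http01(hostname: str, token: str, thumbprint: str,
                    fetch: Callable[[Request], Optional[str]],
                    build_request: Callable[[str, str, bool], Request],
                    https_rr_present: bool) -> bool:
    """True when the body served at the challenge URL is the expected key authorization."""
    req = build_request(hostname, token, https_rr_present)
    body = fetch(req)
    if body is None:
        return False  # unreachable (e.g. TLS failed) or no such resource
    # RFC 8555 section 8.3 compares the body to the key authorization; trailing whitespace tolerated
    return body.rstrip() == key_authorization(token, thumbprint)


def make_offline_fetch(hostname: str, token: str, thumbprint: str) -> Callable[[Request], Optional[str]]:
    """Constructed stand-in for the network: the host has provisioned the
    challenge on port 80 only, because no certificate exists yet."""
    served = {
        Request("http", hostname, 80, CHALLENGE_PATH + token): key_authorization(token, thumbprint) + "\n",
    }

    def fetch(req: Request) -> Optional[str]:
        if req.scheme == "https":
            return None  # TLS handshake would fail: nothing has been issued yet
        return served.get(req)

    return fetch


# Constructed sample values (not real ACME tokens or thumbprints).
HOSTNAME = "www.example.com"
TOKEN = "constructed-token-0123456789"
THUMBPRINT = "constructed-jwk-thumbprint"


def run_scenario(https_rr_present: bool = True) -> dict:
    """Validate the same challenge with both request builders and report the outcomes."""
    fetch = make_offline_fetch(HOSTNAME, TOKEN, THUMBPRINT)
    return {
        "rfc8555": validate_http01(HOSTNAME, TOKEN, THUMBPRINT, fetch, rfc8555_request, https_rr_present),
        "upgrading": validate_http01(HOSTNAME, TOKEN, THUMBPRINT, fetch, upgrading_request, https_rr_present),
    }


if __name__ == "__main__":
    # HTTPS RR published before any cert exists: only the RFC 8555 behaviour succeeds.
    print(run_scenario(https_rr_present=True))  # {'rfc8555': True, 'upgrading': False}
```

With the HTTPS RR present, the literal RFC 8555 validator succeeds and the upgrading one fails exactly as the thread predicts; with no HTTPS RR both succeed, which is why the interaction is easy to miss until a zone publishes the record ahead of issuance.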
_______________________________________________ Acme mailing list -- [email protected] To unsubscribe send an email to [email protected]
