> By issuing a single certificate with Subject Alternate Names to cover
> multiple domains, LetsEncrypt can leak the IP of an origin server that is
> behind a service such as Cloudflare. This increases the risk of DDOS attack.
I echo Hugo and Rich's position that ACME is the wrong place to solve this
> By issuing a single certificate with Subject Alternate Names to cover multiple
> domains, LetsEncrypt can leak the IP of an origin server that is behind a
> service such as Cloudflare. This increases the risk of DDOS attack.
LetsEncrypt isn't ACME. ACME is an IETF protocol, based on the initial
It's completely up to you how you lump SANs into one or more
certificates. You can divide them up as you like. The ACME protocol
doesn't limit you in this regard.
___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
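
An added example, not part of the thread or of any ACME client: one way an operator could decide how to divide names across certificates so that a name served through a proxy never shares a SAN list with a name that resolves straight to the origin. The hostnames, addresses and proxy range are constructed (documentation ranges), and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data. 198.51.100.0/24 stands in for the proxy
# provider's published ranges; 203.0.113.7 stands in for the origin server.
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# hostname -> address it publicly resolves to (constructed)
RESOLVES_TO = {
    "shop.example": "198.51.100.10",      # served through the proxy
    "www.shop.example": "198.51.100.11",  # served through the proxy
    "blog.example": "203.0.113.7",        # resolves directly to the origin
    "mail.blog.example": "203.0.113.7",   # resolves directly to the origin
}


def is_proxied(addr):
    """True when the address falls inside one of the proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROXY_RANGES)


def plan_certificates(resolves_to):
    """Split hostnames into one SAN set per exposure class.

    Each returned list is meant to become its own certificate order,
    so a public certificate never ties a proxied name to a direct one.
    """
    groups = defaultdict(list)
    for host, addr in sorted(resolves_to.items()):
        groups["proxied" if is_proxied(addr) else "direct"].append(host)
    return dict(groups)


def mixed_exposure(san_list, resolves_to):
    """Audit an existing SAN list.

    Returns the proxied names that sit beside at least one directly
    resolving name, or an empty list when the certificate is not mixed.
    """
    proxied = [h for h in san_list if is_proxied(resolves_to[h])]
    direct = [h for h in san_list if not is_proxied(resolves_to[h])]
    return sorted(proxied) if direct else []


if __name__ == "__main__":
    print(plan_certificates(RESOLVES_TO))
    print(mixed_exposure(["shop.example", "blog.example"], RESOLVES_TO))
```
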
Summary:
By issuing a single certificate with Subject Alternate Names to cover multiple
domains, LetsEncrypt can leak the IP of an origin server that is behind a
service such as Cloudflare. This increases the risk of DDOS attack.
Scenario:
1. I run a VPS that, through Apache Virtual Hosts, s