Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-06-09 Thread Jacob Hoffman-Andrews
(Picking up an old thread) > >> There's a fairly good solution available with the current > >> protocol, which is to serve a (long lived) redirect from > >> /.well-known/acme-challenge/ on all of the servers to a > >> different URL that is always answered by the machine you run an > >> ACME client

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Jonas Wielicki
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 09.02.2016 14:53, Michael Wyraz wrote: > Hello Jonas, >> >>> IMO a better way to support your scenario as well as those I >>> described above would be to check for an SRV-Record before >>> checking A-Records. This would be 100% compatible

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Jonas Wielicki
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 21.01.2016 15:13, Salz, Rich wrote: > >> I am not at all familiar with the processes in an IETF WG. What >> is the way forward to get my proposal either into the protocol or >> officially dismissed? > > This is the way it works. :) People

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Jonas Wielicki
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello Michael, (re-sent to include the list, sorry for the noise, Michael) On 09.02.2016 11:52, Michael Wyraz wrote: > thank you for the proposal. I think addressing such setups is a > good idea. Thank you for your feedback! > The solution you

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Michael Wyraz
Hello Jonas, > > > IMO a better way to support your scenario as well as those I > > described above would be to check for an SRV-Record before checking > > A-Records. This would be 100% compatible with existing acme http-01 > > clients. In your case you would resolve the SRV record to the > >

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-02-09 Thread Michael Wyraz
Hi Jonas, > So if I understand this correctly, the ACME client would have to set > (or modify) the SRV records in such a way that the host which is > currently running the client is the one with the highest priority? > This sounds like you could just use the DNS challenge, right? > > And it is a

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2016-01-21 Thread Jonas Wielicki
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello list, On 07.12.2015 01:32, Manger, James wrote: >>> Ideally, it [Let's Encrypt] would use the IP of the requester >>> (of course only after it has verified that the IP is in the >>> DNS) or allow the requester to specify a preferred IP. >

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2015-12-06 Thread Manger, James
>> Ideally, it [Let's Encrypt] would use the IP of the >> requester (of course only after it has verified that the IP is in the >> DNS) or allow the requester to specify a preferred IP. This is quite a sensible feature request from Jonas. It supports multiple servers for a domain while

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2015-12-04 Thread Peter Eckersley
There's a fairly good solution available with the current protocol, which is to serve a (long lived) redirect from /.well-known/acme-challenge/ on all of the servers to a different URL that is always answered by the machine you run an ACME client on. Are there any cases where that is sufficiently

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2015-12-04 Thread Martin Thomson
This seems to be a common problem, so I opened a PR that someone on that project can merge. On 4 December 2015 at 08:08, Salz, Rich wrote: >> Should I open an issue on the protocol draft repository? (Which I assume is >> at [1]) >> [1]:

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2015-12-04 Thread Ted Hardie
On Fri, Dec 4, 2015 at 12:46 AM, Peter Eckersley wrote: > There's a fairly good solution available with the current protocol, > which is to serve a (long lived) redirect from > /.well-known/acme-challenge/ on all of the servers to a different URL > that is always answered by the

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2015-11-30 Thread Hugo Landau
> Is such a thing planned? Are there security reasons against doing > this? Are there security reasons against doing this on a DNSSEC signed > domain (which klausurschokola.de is)? Personally, I wouldn't think it unreasonable to allow an ACME client to request that a specific IP be used for the