Off-topic and possibly inappropriate introduction, but I can see a potential issue in our (and others') future when it comes to using ACME/Let's Encrypt SAN certs in a CDN environment.
As before we get to actual subdomains running separate sites, we tend to have a minimum of (on our current CDN/reverse proxy):

example.com          < usually a redirect to www
www.example.com      < usually the HTML content
static.example.com   < usually the images/videos, anything where dropping cookies by using a different name improves throughput and allows us to use extended caching

This is a minimum per customer; some obviously have many differentiated subdomains (support, shop, etc. etc.), but by allowing the possibility of wildcards we could at least reduce by two thirds the names needed on a single cert, and many many more on certs for our submission and POP3 (TLS) servers, where we currently use CA certs as customers connect to customerid.smtps.orionnetworks.com or customerid.pop3a.orionnetworks.ie. The not-trusted-by-default is not a major issue, as our certs cover just *.smtps.orionnetworks.com port 587 or *.pop3a.orionnetworks.ie, where customerid is not a wildcard in DNS (but could be during verification); we use this so when a customer is gone we can also kill the DNS and stop seeing the attempted logins from their Gmail/Hotmail/other provider, where they never clean/remove dead POP3/SMTP accounts.

I would propose, for either HTTP or DNS verification, requiring at least a temporary wildcard in DNS, then for the verification server to either look up

http://random-generated.domain.tld/.well-known/acme-challenge/challenge-string

DNS verification is trickier, but could require, instead of

_acme-challenge.example.com. 300 IN TXT "token"

for example

_acme-challenge.challenge-string.example.com. 300 IN TXT "token"

or

_acme-challenge._wildcard_.example.com. 300 IN TXT "token"

or, to demonstrate the ability to create wildcards,

random-generated._acme-challenge.example.com. 300 IN TXT "token"

as this would require the applicant to set up *._acme-challenge.example.com.
I hope this is the right place; if not, please feel free to redirect me, as either way ACME is a huge leap forward in cert issuance and improving reliability through automation.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
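The DNS form of the proposal above, as an added example that is not part of the original post or of any ACME implementation: a small Python model of the lookup a CA would perform against a zone that did, or did not, provision the wildcard. The zone contents, the token "token-123" and the function names are constructed for illustration. Wildcard matching follows the RFC 4592 closest-encloser rules, which is what makes the random label meaningful: only a wildcard (not a single pre-provisioned name) can answer a label the applicant never saw, and an existing subdomain sitting between the wildcard and the queried name blocks the match.

```python
"""Model of the wildcard-proving DNS challenge proposed in the message above.

Constructed example: the zone is an in-memory dict standing in for a resolver.
"""
import secrets
from typing import Dict, List, Optional

# A zone maps lowercase owner names (no trailing dot) to their TXT strings.
Zone = Dict[str, List[str]]

# Constructed zones for the situations discussed in the post (not real data).
ZONE_WILDCARD: Zone = {"*._acme-challenge.example.com": ["token-123"]}
ZONE_EXACT_ONLY: Zone = {"_acme-challenge.example.com": ["token-123"]}
ZONE_APEX_WILDCARD: Zone = {
    "*.example.com": ["token-123"],         # for the _acme-challenge.<random>.<domain> form
    "shop.example.com": ["v=spf1 -all"],    # an existing subdomain; any record type counts
}


def _existing_names(zone: Zone) -> set:
    """Every owner name plus its ancestors: empty non-terminals exist too (RFC 4592)."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            names.add(".".join(labels[i:]))
    return names


def lookup_txt(zone: Zone, qname: str) -> Optional[List[str]]:
    """TXT lookup with wildcard semantics.

    Returns the RRset, [] for a name that exists without TXT data (NODATA),
    or None when the name does not exist at all (NXDOMAIN).
    """
    qname = qname.lower().rstrip(".")
    if qname in zone:
        return zone[qname]                    # exact match always wins
    existing = _existing_names(zone)
    if qname in existing:
        return []                             # empty non-terminal: exists, no wildcard expansion
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in existing:              # closest encloser found
            return zone.get("*." + ancestor)  # wildcard at the encloser, else NXDOMAIN
    return None


def verify_challenge(zone: Zone, domain: str, token: str,
                     form: str = "under", label: Optional[str] = None) -> bool:
    """CA-side check of the two DNS layouts proposed in the post.

    form="under": <random>._acme-challenge.<domain>, satisfiable by *._acme-challenge.<domain>
    form="above": _acme-challenge.<random>.<domain>, satisfiable by *.<domain>
    The random label is what stops the applicant from pre-provisioning one fixed name;
    `label` is only injectable to make tests deterministic.
    """
    label = label or secrets.token_hex(8)
    if form == "under":
        qname = f"{label}._acme-challenge.{domain}"
    elif form == "above":
        qname = f"_acme-challenge.{label}.{domain}"
    else:
        raise ValueError(f"unknown form {form!r}")
    rrset = lookup_txt(zone, qname)
    return bool(rrset) and token in rrset


if __name__ == "__main__":
    print("wildcard provisioned:", verify_challenge(ZONE_WILDCARD, "example.com", "token-123"))
    print("only the fixed name: ", verify_challenge(ZONE_EXACT_ONLY, "example.com", "token-123"))
    print("apex wildcard:       ", verify_challenge(ZONE_APEX_WILDCARD, "example.com", "token-123", form="above"))
    print("blocked by shop.:    ", verify_challenge(ZONE_APEX_WILDCARD, "example.com", "token-123", form="above", label="shop"))
```

The last case is the caveat a practitioner would want before adopting the "_acme-challenge.<random>.<domain>" layout: if the CA's random label ever collided with a real subdomain, the existing name would become the closest encloser and the apex wildcard would not answer, so the "<random>._acme-challenge.<domain>" layout, which puts the random label under a label the applicant controls solely for this purpose, is the more robust of the two.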
