Hi,

While implementing ACMEv2 for Let's Encrypt, I noticed that wildcard
certificates can only be obtained via dns-01. Because it's not possible
for me to do that automatically, I proposed to them a way to do it via
http-01. After they said that 'it might work', they told me to contact
you about this.

My idea is that when a client requests a wildcard certificate
(*.domain.tld), the CA server offers a challenge and requests that
challenge via HTTP while using a random hostname (<long random
string>.domain.tld). Because only a webserver with a website configured
for *.domain.tld and with a properly configured DNS can respond to this
challenge, it's enough proof that the request for a wildcard certificate
is valid. Perhaps the CA server can do multiple requests with a new
randomly chosen hostname for more proof. After all, they will all end up
at the same website.

The discussion about this at the Let's Encrypt forum can be found here:
https://community.letsencrypt.org/t/wildcard-certificates-via-http-01/51223

I would really like to hear your thoughts about this.

Kind regards,
Hugo Leisink

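The check proposed above, modelled as an added example (not code from the email, from Let's Encrypt or from any ACME implementation): the CA picks several unpredictable labels under the requested domain, fetches the http-01 challenge path at each, and accepts only if every probe returns the correct key authorization. The `fetch` callable and the vhost-matching origin are constructed stand-ins for the network and the applicant's web server; the model assumes, as the email does, that DNS resolves every such random name to that server.

```python
import base64
import hashlib
import secrets
import string

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def b64url(data: bytes) -> str:
    # Base64url without padding, as ACME uses it.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def key_authorization(token: str, jwk_thumbprint: bytes) -> str:
    # ACME key authorization: token '.' base64url(SHA-256 JWK thumbprint).
    return token + "." + b64url(jwk_thumbprint)

def random_label(length: int = 24) -> str:
    # Unpredictable hostname label chosen by the CA for each probe.
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def validate_wildcard_http01(domain, token, thumbprint, fetch, probes=3):
    # Proposed check: every probe at a fresh <random>.domain must serve
    # the expected key authorization; one wrong or missing answer fails.
    expected = key_authorization(token, thumbprint)
    for _ in range(probes):
        host = random_label() + "." + domain
        body = fetch(host, CHALLENGE_PATH + token)
        if body is None or body.strip() != expected:
            return False
    return True

def make_origin(vhosts, token, thumbprint):
    # Constructed stand-in for the applicant's web server: it answers only
    # for names covered by its configured virtual hosts (exact or "*.").
    def covered(host):
        for name in vhosts:
            if name.startswith("*."):
                suffix = name[1:]  # ".domain.tld"
                prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
                if prefix and "." not in prefix:
                    return True
            elif host == name:
                return True
        return False
    def fetch(host, path):
        if covered(host) and path == CHALLENGE_PATH + token:
            return key_authorization(token, thumbprint)
        return None
    return fetch

# Constructed sample values (not real ACME account material).
TOKEN = "constructed-token-Ab12"
THUMBPRINT = hashlib.sha256(b"constructed-account-key").digest()
WILDCARD_ORIGIN = make_origin({"*.example.test"}, TOKEN, THUMBPRINT)
SINGLE_HOST_ORIGIN = make_origin({"www.example.test"}, TOKEN, THUMBPRINT)
```

A server configured only for a single hostname fails every probe, which is the property the proposal relies on.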

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme