The validation certificate should only ever be served for requests that negotiate the acme-tls/1 application protocol, which browsers or equivalent user software should never do. This allows the server (or load balancer) to continue serving normal traffic to users while also serving validation traffic to the ACME server.
> On May 25, 2018, at 8:09 AM, Ben Sykes <ben=40bensykes....@dmarc.ietf.org> wrote:
>
> Hi there,
>
> Having read through the draft spec, I have a concern over certificate renewals.
> As I read it, the server would have to temporarily use a customized self-signed certificate while the check is pending. Won't this mean any regular user connecting to that server over TLS at the time would be presented with the self-signed certificate? This would manifest as downtime for the service.
> Is there a provision for renewal using this method?
>
> Thanks,
> Ben
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
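The selection rule described in the reply above, as an added example that is not from this thread or from any ACME implementation: a Go crypto/tls GetCertificate callback that hands out the validation certificate only to a client offering acme-tls/1 in ALPN and the ordinary serving certificate to everyone else, exercised over an in-memory connection with three kinds of client. The two certificates are throwaway self-signed ones constructed in the code; the names example.com and acme-tls-1-validation and all function names are assumptions, and the ACME-specific content a real validation certificate must carry is not modelled, only the choice between the two certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// acmeTLSALPN is the ALPN protocol ID the ACME server offers during validation.
const acmeTLSALPN = "acme-tls/1"

// certSelector holds the certificate ordinary users must keep seeing and the
// certificate that is to be shown only to the ACME validator.
type certSelector struct {
	serving    *tls.Certificate
	validation *tls.Certificate // nil when no validation is pending
}

// selectCertificate is a tls.Config.GetCertificate callback. The validation
// certificate is returned only when the ClientHello offered acme-tls/1 in
// ALPN; browsers never offer it, so they keep getting the serving certificate.
func (s *certSelector) selectCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	for _, p := range hello.SupportedProtos {
		if p == acmeTLSALPN {
			if s.validation == nil {
				return nil, errors.New("acme-tls/1 offered but no validation is pending")
			}
			return s.validation, nil
		}
	}
	return s.serving, nil
}

// newServerConfig builds the server side: acme-tls/1 is listed first so it is
// negotiated whenever a client offers it, while h2/http1.1 clients are
// unaffected. Session tickets are disabled only so the in-memory handshake
// below completes without the client having to drain a NewSessionTicket.
func newServerConfig(serving, validation *tls.Certificate) *tls.Config {
	sel := &certSelector{serving: serving, validation: validation}
	return &tls.Config{
		NextProtos:             []string{acmeTLSALPN, "h2", "http/1.1"},
		GetCertificate:         sel.selectCertificate,
		SessionTicketsDisabled: true,
	}
}

// selfSigned makes a throwaway self-signed certificate (constructed test data);
// cn is used only so the two certificates can be told apart afterwards.
func selfSigned(cn string, dnsNames []string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshakeWith runs one handshake over an in-memory pipe with a client that
// offers clientProtos, and reports the CN of the certificate the server chose
// plus the ALPN protocol that was negotiated ("" when none was).
func handshakeWith(cfg *tls.Config, clientProtos []string) (cn, proto string, err error) {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sConn, cfg).Handshake() }()

	cli := tls.Client(cConn, &tls.Config{
		ServerName:         "example.com",
		NextProtos:         clientProtos,
		InsecureSkipVerify: true, // the certificates are self-signed test data
	})
	if err = cli.Handshake(); err != nil {
		return "", "", err
	}
	if err = <-srvErr; err != nil {
		return "", "", err
	}
	st := cli.ConnectionState()
	return st.PeerCertificates[0].Subject.CommonName, st.NegotiatedProtocol, nil
}

func main() {
	serving, _ := selfSigned("example.com", []string{"example.com"})
	validation, _ := selfSigned("acme-tls-1-validation", []string{"example.com"})
	cfg := newServerConfig(serving, validation)
	for _, protos := range [][]string{{"h2", "http/1.1"}, {acmeTLSALPN}, nil} {
		cn, proto, err := handshakeWith(cfg, protos)
		fmt.Printf("client ALPN %v -> cert %q, negotiated %q, err %v\n", protos, cn, proto, err)
	}
}
```

Because the decision is keyed on ALPN rather than on SNI or on time, a browser that connects while a renewal is pending still receives the real certificate, which is the point the reply makes against the downtime concern in the quoted message. When no validation is pending, the callback refuses an acme-tls/1 ClientHello outright instead of falling back to the serving certificate, so a stray validator probe can never be answered with the wrong certificate.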