Hi all,

I've been working on an ACME client acting as a TLS termination proxy. In order to retrieve wildcard certificates from the Let's Encrypt ACME servers, support for the dns-01 challenge is required.

dns-01 requires the ACME client to complete the challenge by updating a DNS record. This is bothersome because this often requires interacting with the DNS registry operator. This is typically done via vendor-specific APIs, with access control handled via vendor-specific means (tokens, public keys, etc.).

I understand that it's difficult for ACME clients to prove that they are authorized to obtain wildcard certificates. However, have other alternatives been considered? For instance, it would be possible to require users to add a short public key in a DNS TXT record, then ask the ACME client to sign challenges with that key. Something like this would significantly ease the development of ACME clients.

Are there specific reasons why dns-01 requires updating a DNS record?

Thanks,
Simon Ser

(CC mholt, I figured you might be interested in this for Caddy too)

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
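For readers following the thread, the mechanics the post refers to (what a dns-01 client must actually publish, and what the CA checks) are laid out in RFC 8555 section 8.4 and RFC 7638. The following is an added illustration, not code from the post, from Simon's client or from Caddy: it computes the key authorization (`token "." thumbprint(accountKey)`), derives the TXT record value (`base64url(SHA-256(keyAuthorization))`) and the `_acme-challenge` owner name (with the `*.` prefix stripped for wildcard identifiers, as the RFC requires), and shows the CA-side comparison against a list of TXT records. The account JWK, token and lookup results are constructed sample values; the `lookup_txt` callback stands in for a real DNS query.

```python
import base64
import hashlib
import json
from typing import Callable, Iterable

# RFC 7638 section 3.2: only these members, in lexicographic order, feed the thumbprint.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS and ACME require (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted keys, no whitespace.
    Optional members such as 'kid', 'alg' or 'use' must not influence the thumbprint."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)), the 'thumbprint' used by ACME key authorizations."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Owner name of the challenge record. For a wildcard identifier the '*.' prefix is
    removed first, so '*.example.com' is validated at _acme-challenge.example.com."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def validate_dns01(identifier: str, token: str, account_jwk: dict,
                   lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """CA-side check: query TXT records for the challenge name and accept if any one of
    them equals the expected digest (RFC 8555 section 8.4, step 3)."""
    expected = dns01_txt_value(token, account_jwk)
    return any(record == expected for record in lookup_txt(dns01_record_name(identifier)))


# Constructed sample account key (not a real key): a P-256 JWK with dummy coordinates.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
    "kid": "https://acme.example/acct/42",  # optional member, ignored by the thumbprint
}
SAMPLE_TOKEN = "constructed-token-Z7oQ3fN1"  # constructed challenge token


if __name__ == "__main__":
    name = dns01_record_name("*.example.com")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"publish: {name} IN TXT \"{value}\"")
    # Simulated zone after the client has updated it (constructed lookup result).
    zone = {name: ["some-unrelated-record", value]}
    print("CA validation:", validate_dns01("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK,
                                           lambda n: zone.get(n, [])))
```

The `validate_dns01` check is the crux of the thread: because the CA compares a digest that binds the token to the account key, the party controlling the zone can prove both the DNS control and the ACME account relationship with a single record, which is what any alternative (such as a published verification key) would have to preserve.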