The certificates are not required to be generated exclusively on the host
that supports the website. Can you elaborate on whether there are any concerns
regarding the implementation of issuance delegation? An alternative
approach might involve creating another internal system to manage
certificate lifetimes, subsequently distributing the certificates and keys
to the designated machines.

On Tue, Mar 28, 2023 at 10:23 PM 涛叔 <h...@taoshu.in> wrote:

> Hi,
>
> The current ACME specifies the ports used for the HTTP Challenge and the ALPN
> Challenge. For HTTP it's 80, and for ALPN, 443.
>
> This requirement is needed only for shared web hosts. If we did not require
> using the standard 80/443 ports, a normal user could gain a certificate for
> the web host's domain, which is not under their control. But if they can bind
> to 80/443, which requires root permission, it means they must be the
> administrator and have the permission to sign certificates for this domain.
>
> This works well until, in some countries, the standard 80/443 ports are
> blocked without a license. In such regions, people can only use non-standard
> ports to communicate. It is impossible to finish the standard HTTP or ALPN
> Challenge, so all the devices running in such regions cannot utilize ACME to
> sign certificates.
>
> Someone may argue that these devices can use the DNS Challenge, and it does
> work. However, there are so many legacy devices that only support the HTTP
> Challenge and will not receive any firmware upgrade.
>
> So I am wondering if we could design some new method to let ACME work for
> these devices.
>
> In my opinion, we can introduce a new DNS label like _acme_http_port and
> provide a TXT record to specify the non-standard port to be used. For example,
>
> _acme_http_port.www.example.com 300 IN TXT "8080"
>
> For the ALPN Challenge, the label may be _acme_alpn_port:
>
> _acme_alpn_port.www.example.com 300 IN TXT "4430"
>
> When the ALPN validator receives the certificate request, instead of just
> using the fixed port of 80/443, it first queries _acme_{http,alpn}_port.* from
> DNS, and then uses the port from the TXT record. If there is no such record,
> the server falls back to using the 80/443 port.
>
> In this way, only the validator needs to be changed, and all the legacy
> devices will work.
>
> Please offer your comments.
>
> Thanks
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
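The validator-side port selection proposed in the quoted message, written out as an added example (not code from the ACME working group, any CA, or the poster). The DNS resolver is a constructed in-memory stub so it runs offline; the `_acme_http_port` / `_acme_alpn_port` labels and the fall-back to 80/443 follow the quoted proposal, while treating a present-but-malformed record as a failure rather than a silent fall-back is an added assumption.

```python
from typing import Callable, Dict, List, Optional

# Standard ports from RFC 8555 (http-01) and RFC 8737 (tls-alpn-01).
DEFAULT_PORTS = {"http": 80, "alpn": 443}
# Labels from the quoted proposal.
LABELS = {"http": "_acme_http_port", "alpn": "_acme_alpn_port"}

# Constructed zone data standing in for real DNS answers (hypothetical records).
FAKE_ZONE: Dict[str, List[str]] = {
    "_acme_http_port.www.example.com": ["8080"],
    "_acme_alpn_port.www.example.com": ["4430"],
    "_acme_http_port.bad.example.com": ["99999"],        # out of range
    "_acme_http_port.multi.example.com": ["8080", "8081"],  # ambiguous
}

def fake_txt_lookup(name: str) -> List[str]:
    """Stub resolver: returns the TXT strings for `name`, or [] if absent."""
    return FAKE_ZONE.get(name, [])

def select_port(domain: str, challenge: str,
                txt_lookup: Callable[[str], List[str]] = fake_txt_lookup) -> int:
    """Port the validator should connect to for `domain` ("http" or "alpn").

    Absent record -> standard port (the proposal's fall-back).  A record that is
    present but malformed raises instead of falling back, so a typo in the zone
    cannot quietly redirect validation to a port the operator did not intend.
    Note the trust shift: the port now comes from DNS, so whoever controls the
    zone controls where the challenge is checked, as with dns-01.
    """
    records = txt_lookup(f"{LABELS[challenge]}.{domain}")
    if not records:
        return DEFAULT_PORTS[challenge]
    if len(records) != 1:
        raise ValueError("ambiguous: multiple _acme_*_port TXT records")
    value = records[0].strip()
    if not value.isdigit():
        raise ValueError(f"non-numeric port value {value!r}")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port

def rejected_reason(domain: str, challenge: str) -> Optional[str]:
    """Rejection reason for a lookup, or None when a port was accepted."""
    try:
        select_port(domain, challenge)
        return None
    except ValueError as exc:
        return str(exc)

def http01_url(domain: str, token: str, port: int) -> str:
    """Well-known URL the http-01 validator fetches; :80 is omitted as default."""
    host = domain if port == 80 else f"{domain}:{port}"
    return f"http://{host}/.well-known/acme-challenge/{token}"
```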