Thanks for the replies. I do not plan to make this general behaviour, maybe as
an opt-in by an admin.
Cheers, Stefan
> On 16.07.2019 at 20:39, Jacob Hoffman-Andrews wrote:
>
>
>> At 11:55 16/07/2019 Tuesday, Stefan Eissing wrote:
>>> A user of my Apache ACME client asked about a feature whe
At 11:55 16/07/2019 Tuesday, Stefan Eissing wrote:
A user of my Apache ACME client asked about a feature where the security
implications are not clear to me:
- he has several server instances that may receive the CA's http-01 challenge
request. He therefore would like all servers to answer
I have all the sites 301 redirect .well-known/acme-challenge/ to
http://the-one-name-running-acme-client/.well-known/acme-challenge/
thus sites distributed across many physical servers and ones like
https://blah.com that normally 301 to https://www.blah.com all validate
At 11:55 16/07/2019 Tue
Hiya,
On 15/07/2019 17:00, Ted Hardie wrote:
> Howdy,
>
> A reply in-line.
>
> On Sun, Jul 14, 2019 at 2:07 PM Stephen Farrell
> wrote:
>
>>
> So, if I were personally configuring a similar system, I would avoid
> .well-known, because it makes the information available to anyone who polls
>
Hiya,
On 15/07/2019 18:30, Jacob Hoffman-Andrews wrote:
> This seems like a clever idea! As Ted said, .well-known probably isn't
> the right directory for it. If you put something in .well-known, that
> suggests you plan to standardize it and register it with IANA.
Sure, I'm not scared of .well-
>
> I get that; what I’m looking to confirm--and I’m reasonably sure is the
> case--is that, given a failed order, it’s up to server policy to spell out
> whether a client may reasonably suppose that a 2nd order against a subset
> of the identifiers from the 1st order would pass all of the 2nd set
I get that; what I’m looking to confirm--and I’m reasonably sure is the
case--is that, given a failed order, it’s up to server policy to spell out
whether a client may reasonably suppose that a 2nd order against a subset of
the identifiers from the 1st order would pass all of the 2nd set of auth
>
> So if we tell the human operator, “Jane & Pat gave the OK, but Fred said
> not”, then it’s left to server policy to determine whether that means a
> hypothetical order with just one or the other domain would pass all authzs?
No, if the server returned three authorizations all three must be
st
> On Jul 16, 2019, at 9:28 AM, Daniel McCarney wrote:
>
> So it would be reasonable for this order to contain a single authz … and
> would that authz’s identifier be just “example.com”, then? Thus that authz
> object would not reference “www”, even though it is that domain’s
> corresponding a
>
> So it would be reasonable for this order to contain a single authz … and
> would that authz’s identifier be just “example.com”, then? Thus that
> authz object would not reference “www”, even though it is that domain’s
> corresponding authz object? Or would a client be accountable for
> implemen
A user of my Apache ACME client asked about a feature where the security
implications are not clear to me:
- he has several server instances that may receive the CA's http-01 challenge
request. He therefore would like all servers to answer to all challenges like
the solution proposed by acme.sh