Comments (6)
incentive # 2: it's also very inconvenient for testing the script.
from certbot.
@dnozay ptal #63 (comment) and #63 (comment)
@jdkasten, this probably needs a FAQ entry :)
from certbot.
Thanks @kuba! I will figure out a good place to put this information.
from certbot.
You wouldn't need root
if you have sudo
access, or if the server is already configured to pickup keys from a specified location you have access to.
- is there anything similar to wildcard certs supported?
- why is port 443 necessary? arguably, if i'm using puppet, i know what the host key is going to be, then maybe a challenge can be arranged based on that fact.
- can we isolate the parts that require
root
and usesudo
instead, or use something likefabric
and have a target host / target host(s).
from certbot.
Hi Damien!
Thanks for your interest in the project! I will do my best to answer your questions.
Yes, you just need superuser access to perform the domain validation challenges. The goal of the protocol is to prove complete authority over the webserver, port 443, the standard port for HTTPS.
The current challenges are defined at the end of this document. The client must be able to satisfy them in order to receive a DV certificate.
- We will be supporting domain validation (DV) certificates with subject alternative names. In reference to wildcard certificates see #66.
- We need to verify authoritative control over the port used for standard HTTPS communication. This is a protected port, and represents the service we are currently trying to validate. These challenges prove the exact level of control as the authorization issued by the certificate. The "client" has complete and arbitrary control over the port.
I saw you posted a question on the acme-spec document about having knowledge of the ssh host key (which is the correct place for such a question). I would be hesitant to implement such a challenge. The only benefits I see is if you allowed the challenge to be off-path via a remote proof-of-possession challenge (which would not be sufficient for issuance and would allow attackers who compromised the key to remotely obtain certificates). However, discussion should be on the protocol spec. In general, ACME challenges are designed to be strictly stronger than the status quo. I believe a host key challenge would involve additional and unnecessary attack vectors. See #47 for more info. - Running the script is the same level of privilege required to make configuration changes to existing webservers and restart the servers (to implement the changes). If you would like to extend the client to support mass system administration, that would be excellent! Currently, we are still locking down the functionality of the core components and abstracting out the API.
Hopefully, I answered your questions. If you have any other client questions, feel free to ask.
from certbot.
This conversation has transitioned to other forums.
from certbot.
Related Issues (20)
- Custom DNS server for domain resolution only without DNS authentication HOT 2
- Investigate nightly CI failures HOT 1
- --no-auto-renew flag results in manual renew failure with misleading error message HOT 1
- How do I fix Some challenges have failed. HOT 1
- Revocation Reason Should be Requested HOT 1
- Support for Angie (nginx) HOT 2
- certbot-dns-ovh: old DNS entries are not removed, leading to a renewal failure HOT 3
- snapcraft builds: rewrite build_remote.py to be resilient to snapcraft output changes
- upgrade dependencies
- upgrade openssl in our docker images
- stop releasing the windows installer HOT 2
- Look into replacing Boulder tests w/ Pebble tests (or removing it entirely) HOT 4
- live/example.com is not updated atomically HOT 1
- 'dict' object has no attribute 'newNonce'
- Support for mismatched domains for DNS-01 Providers (For CNAME setups) HOT 1
- certbot raises AttributeError("can't set attribute") when it means "too many failed authorizations" HOT 3
- Please prevent old versions of Certbot from appearing in Debian/Ubuntu apt HOT 2
- I m getting the same error i have done everything correct but still don;t know whats wrong ? HOT 1
- Feature Request: Add file extensions to the ACME challenge files
- Feature Request: Add a .txt file extension to the ACME challenge files HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from certbot.