Dear ACME experts,
We are developing an ACME server to help our customers purchase and manage commercial certificates from us. Such automation is becoming more important now that the maximum validity period has dropped to 200 days and will eventually drop to 47. While we support free Let's Encrypt certs in various ways, we currently sell commercial certs only through our website. We resell them from https://www.thesslstore.com/, which sources them from the DigiCert and Sectigo CAs. Our ACME server is intended to be a wrapper around the existing reseller API provided by The SSL Store for certificate provisioning, allowing customers to use standard clients like certbot and simple-acme to purchase and reissue certs from us via External Account Binding.

The issue I'm encountering is that when DNS validation is chosen, we get "challenges" that must be published via TXT records on the root domain name rather than the _acme-challenge sub-host. E.g. for a cert on example.com, the CA will require us to publish a TXT token on example.com, not _acme-challenge.example.com. Unfortunately, the ACME dns-01 challenge type seems to have no way for the server to tell the client not to prepend the conventional _acme-challenge label when publishing the TXT record. There is also no way for us to tell the client to publish a CNAME rather than TXT record, as required by Sectigo. This issue prevents us from completing the domain validation (DV) process via our reseller API, because the CA will not find the DNS record they're expecting.

It's true that in most cases, we will control the domain's DNS, as we are the registrar of record and offer comprehensive DNS hosting; in that case, we could first validate the client's conventional _acme-challenge record and then turn around and publish the CA's requested record in the zone to complete validation on that side. But there will be cases where the customer uses a third-party DNS host, preventing us from publishing the needed record.
Do you know of any way around this issue, or any future RFC ACME extension proposal that might help? I'm aware of the http-01 challenge type, but The SSL Store reseller API doesn't provide consistent support for HTTP validation across all cert products.

Thanks,
Jordan Rieger | Software Development Manager | Webnames.ca
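As an added illustration that is not part of the original message or of any of the projects it names: the Python below derives the dns-01 record an RFC 8555 client will publish (owner name fixed to `_acme-challenge.<identifier>`, value `base64url(SHA-256(token "." JWK-thumbprint))`), places it beside the apex record the upstream CA asks for, and reports whether a wrapper that hosts the customer's zone could republish the CA's record itself. The JWK, token, CA record value and hosted-zone list are constructed sample values, not real account or CA data.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, jwk: dict):
    """(owner, rrtype, value) an RFC 8555 client publishes for dns-01 (section 8.4).
    The owner name is fixed by the spec; the server has no field to steer the client elsewhere."""
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authz.encode("ascii")).digest())
    return (f"_acme-challenge.{identifier}", "TXT", value)


def zone_hosts(name: str, zones) -> bool:
    """True if `name` lies inside one of the zones this server hosts (label-wise suffix match)."""
    n = name.rstrip(".").lower()
    return any(n == z.rstrip(".").lower() or n.endswith("." + z.rstrip(".").lower()) for z in zones)


def bridge_plan(identifier: str, token: str, jwk: dict, ca_record, zones) -> dict:
    """Compare what the client will publish with what the upstream CA expects to find."""
    client = dns01_record(identifier, token, jwk)
    return {
        "client_publishes": client,
        "ca_expects": ca_record,
        "names_match": client[0].lower() == ca_record[0].rstrip(".").lower(),
        "server_can_republish": zone_hosts(ca_record[0], zones),
    }


# Constructed sample inputs (hypothetical; not real account or CA data).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
CA_RECORD = ("example.com", "TXT", "PLACEHOLDER-CA-TOKEN")  # apex record, as the post describes
HOSTED_ZONES = {"example.com", "customer.net"}              # zones this server's DNS hosts

if __name__ == "__main__":
    print(json.dumps(bridge_plan("example.com", SAMPLE_TOKEN, SAMPLE_JWK, CA_RECORD, HOSTED_ZONES), indent=2))
```

For a customer on a third-party DNS host, `server_can_republish` comes back false, which is exactly the case the post says cannot be completed.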
_______________________________________________ Acme mailing list -- [email protected] To unsubscribe send an email to [email protected]
