[Cryptography] Apple's 13-month certificate policy
Michael Kjörling
michael at kjorling.se
Sun Feb 23 06:37:30 EST 2020
On 22 Feb 2020 23:04 -0800, from jmg at funkthat.com (John-Mark Gurney):
>> Correct me if I'm wrong, but my ACME api can't automate the auto-renewal
>> for my email server if it doesn't have a web port open, or my HP ILO
>
> That's when you use DNS TXT records. No need to open a web port for the
> challenge.
Alternatively, certainly Certbot has its built-in web server
functionality, and you can use its --pre-hook and --post-hook to punch
a temporary hole in the firewall for port 80 for the few seconds that
the validation process requires. I'm not sure about other ACME
clients, but I suspect they have similar functionality as well.
DNS TXT authentication nicely bypasses the need for such host-local
changes, but if for some reason you can't (or don't want to) use that,
then the above is a possible alternative that doesn't require running
a full-time fully-functional web server on the host in question,
thereby significantly reducing the attack surface.
--
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
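As an added illustration of the --pre-hook/--post-hook approach described above (this is not code from the post or from the Certbot project), a single hook script that opens port 80 just before validation and closes it again afterwards. It assumes a Linux host using iptables with the "comment" match and a certbot standalone invocation like the one in the comments; the DRY_RUN switch only prints the commands so the script can be exercised without touching a live firewall.

```shell
#!/bin/sh
# Temporary port-80 hole for certbot's standalone HTTP-01 validation.
# Assumed invocation (hypothetical path, adjust for your host):
#   certbot certonly --standalone -d mail.example.com \
#       --pre-hook  "/usr/local/sbin/acme-hook open" \
#       --post-hook "/usr/local/sbin/acme-hook close"
set -eu

# One rule specification, reused verbatim for insert (-I) and delete (-D),
# so the hole can always be removed again. The comment tags the rule.
RULE_SPEC="INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment acme-http01"

# Execute a command, or only print it when DRY_RUN=1 (for testing).
run() {
    if [ "${DRY_RUN:-}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

acme_hook() {
    case "${1:-}" in
        open)
            # Drop any stale rule left by an aborted run (failure is fine),
            # then insert at position 1 so no earlier DROP/REJECT shadows it.
            run iptables -D $RULE_SPEC 2>/dev/null || true
            run iptables -I $RULE_SPEC
            ;;
        close)
            # certbot runs the post-hook after the attempt whether or not it
            # succeeded, so the hole is closed regardless of the outcome.
            run iptables -D $RULE_SPEC
            ;;
        *)
            echo "usage: $0 open|close" >&2
            return 2
            ;;
    esac
}

if [ $# -gt 0 ]; then
    acme_hook "$1"
fi
```

Because the rule is inserted at the head of INPUT and removed by its exact specification, the window during which port 80 is reachable is bounded by the validation run itself.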