MoinQ:

1. Letsencrypt/challenge-types

1.1. HTTP-01 challenge

https://letsencrypt.org/ja/docs/challenge-types/ 日本語(訳)がおかしいので、英文にあたる。

https://letsencrypt.org/docs/challenge-types/

/HTTP-01 特定のHTMLファイルを作成できるかを検査する。

1.2. DNS-01 challenge

日本語の問題というより、考え方が違っていると思う。-- ToshinoriMaeno 2020-07-01 13:58:12

Let's Encryptが採用している方法では、特定のドメインをcontrol(制御)している証明にはなっても、 意図しているドメインを制御していることにはならない。(この違いが分からないひとが作成しているらしい。) -- ToshinoriMaeno 2020-07-01 14:02:16

This challenge asks you to prove that you control the DNS for your domain name
by putting a specific value in a TXT record under that domain name.

It is harder to configure than HTTP-01, but can work in scenarios that HTTP-01 can’t.
It also allows you to issue wildcard certificates.

After Let’s Encrypt gives your ACME client a token,
your client will create a TXT record derived from that token and your account key, and
put that record at '''_acme-challenge.<YOUR_DOMAIN>'''.

Then Let’s Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!

Since automation of issuance and renewals is really important, it only makes sense to use DNS-01 challenges if your DNS provider has an API you can use to automate updates.

Our community has started a list of such DNS providers here. Your DNS provider may be the same as your registrar (the company you bought your domain name from), or it might be different. If you want to change your DNS provider, you just need to make some small changes at your registrar. You don’t need to wait for your domain to be close to expiration to do so.

Note that putting your fully DNS API credentials on your web server significantly increases the impact if that web server is hacked. Best practice is to use more narrowly scoped API credentials, or perform DNS validation from a separate server and automatically copy certificates to your web server.

Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server.

Most DNS providers have a “propagation time” that governs how long it takes from the time you update a DNS record until it’s available on all of their servers. It can be hard to measure this because they often also use anycast, which means multiple servers can have the same IP address, and depending on where you are in the world you might talk to a different server (and get a different answer) than Let’s Encrypt does. The best DNS APIs provide a way for you to automatically check whether and update is fully propagated. If your DNS provider doesn’t have this, you just have to configure your client to wait long enough (often as much as an hour) to ensure the update is propagated before triggering validation.

You can have multiple TXT records in place for the same name. For instance, this might happen if you are validating a challenge for a wildcard and a non-wildcard certificate at the same time. However, you should make sure to clean up old TXT records, because if the response size gets too big Let’s Encrypt will start rejecting it.

MoinQ: Letsencrypt/ACME/challenge-types (last edited 2021-11-17 22:28:33 by ToshinoriMaeno)