Open AlexUrbanAc opened 8 years ago
I do plan on adding support for it eventually, but it doesn't seem to be a common use case as yet, so it's low priority. As per the LE community forums, is the DNS challenge an option for you?
I cannot reliably automate that, since our DNS entries have to be made via the ISP's website - no public API available. I guess I'll stick to a paid certificate for now.
2016-04-20 22:14 GMT+02:00 Eugene Bekker notifications@github.com:
> I do plan on adding support for it eventually, but it doesn't seem to be a common use case as yet, so it's low priority. As per the LE community forums, is the DNS challenge an option for you?
I would also like to see this feature, because many private webservers are only reachable with https. Opening port 80 would allow more internet scanners to scan for vulnerabilities. Or whatever reason we have not to open port 80 ;-)
I have the same problem. All my servers are accessible over https only and I cannot automate the creation of the DNS records.
We need SNI too. We often use port 80 to redirect to https, so we need to add rules to not redirect ".well-known/acme-challenge" for the http-01 challenge. This becomes a bit complex. We also have other complex FW setups where we are not able to open port 80. Using SNI would "always" work because port 443 is already open to the server.
A basic implementation for tls-sni-01 support in ACMESharp is in PR #295; I have some additional changes in WouterTinus/ACMESharp#1 that would also be good to merge into the PR.
For anyone still waiting for the tls-sni-01 challenge PR #295 to be looked at, you can start tls-sni-01 today via Certify the Web (which is using my fork of ACMESharp while the PR is in review). The tls-sni-01 challenge is a great option if you only have HTTPS open on your firewall/IIS setup.
Is it possible and planned to support "tls-sni-01" authentication mode? I have to admit that I am not sure what that exactly is, it is just a buzzword I collected from this answer to my main problem:
https://community.letsencrypt.org/t/i-dont-have-http-ftp-or-webdav-is-authorization-via-https-possible/14259/2