Closed OlafLostViking closed 5 years ago
Hi Olaf, interesting request (I wasn't even aware of these features). At this point I'm not sure if LE will sign a certificate with these entries, and if so, how I would go about authenticating them. I've opened a discussion on the LE forum, let's see how that goes...
This probably isn't possible in the near (or far) future. From RFC8555 (the ACME specification):
The only type of identifier defined by this specification is a fully qualified domain name (type: "dns").
Thank you both for checking! What a pity - but understandable: While I don't yet fully understand why the checking wouldn't be possible using the DNS challenge, I get the comment in the forum's post that the CA baseline requirements simply forbid it.
Hi, Peter!
Some services make use of more alternative names than just the DNS name. One of these services is f.ex. XMPP which uses id-on-xmppAddr and id-on-dnsSRV according to RFC6120. At the end of the message I provided an example that prosody generated automatically for a self-signed certificate.
It'll be great if acmebot could take a flag to add all XMPP attributes to a request or - which is more work for the user but also more flexible - allow to specify further OIDs to be included.
Thanks :)
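Added example, not part of the original thread and not acmebot code: a standard-library sketch that DER-encodes the subjectAltName entries an XMPP server certificate would carry and marks which of them a "dns" identifier, the only type RFC 8555 defines, can cover. The domain, the function names and the choice of SRV names are assumptions made for illustration; the OIDs are the registered values for id-on-xmppAddr and id-on-dnsSRV.

```python
# Constructed values throughout; standard library only.
XMPP_ADDR = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr (RFC 6120)
DNS_SRV = "1.3.6.1.5.5.7.8.7"    # id-on-dnsSRV (RFC 4985)

def tlv(tag, content):
    n = len(content)
    if n < 0x80:                                   # short-form length
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                           # base-128, high bit = "more"
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def other_name(type_oid, string_tag, text):
    value = tlv(0xA0, tlv(string_tag, text.encode()))  # value [0] EXPLICIT
    return tlv(0xA0, oid(type_oid) + value)            # otherName [0] IMPLICIT

def xmpp_san(domain):
    # GeneralNames SEQUENCE for a hypothetical XMPP server at `domain`.
    return tlv(0x30, b"".join([
        tlv(0x82, domain.encode("ascii")),                    # dNSName [2]
        other_name(XMPP_ADDR, 0x0C, domain),                  # UTF8String
        other_name(DNS_SRV, 0x16, "_xmpp-client." + domain),  # IA5String
        other_name(DNS_SRV, 0x16, "_xmpp-server." + domain),
    ]))

def read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def acme_coverage(san_der):
    # One (entry kind, covered by an ACME "dns" identifier?) pair per SAN entry.
    _, body, _ = read_tlv(san_der, 0)
    report, pos = [], 0
    while pos < len(body):
        tag, _, pos = read_tlv(body, pos)
        kind = {0x82: "dNSName", 0xA0: "otherName"}.get(tag, hex(tag))
        report.append((kind, tag == 0x82))
    return report
```

Running `acme_coverage(xmpp_san("example.org"))` reports one covered dNSName and three otherName entries that have no matching ACME identifier type in RFC 8555.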