plinss / acmebot

Certificate manager bot using ACME protocol
GNU General Public License v3.0

[RFE] support XMPP (or further OIDs) #38

Closed OlafLostViking closed 5 years ago

OlafLostViking commented 5 years ago

Hi, Peter!

Some services make use of more alternative names than just the DNS name. One of these services is f.ex. XMPP which uses id-on-xmppAddr and id-on-dnsSRV according to RFC6120. At the end of the message I provided an example that prosody generated automatically for a self-signed certificate.

It'll be great if acmebot could take a flag to add all XMPP attributes to a request or - which is more work for the user but also more flexible - allow specifying further OIDs to be included.

Thanks :)

[subject_alternative_name]
DNS.0 = DOMAIN.TLD
DNS.1 = proxy.xmpp.DOMAIN.TLD
DNS.2 = upload.xmpp.DOMAIN.TLD
DNS.3 = pubsub.xmpp.DOMAIN.TLD
DNS.4 = rooms.xmpp.DOMAIN.TLD
DNS.5 = search.xmpp.DOMAIN.TLD
otherName.0 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-client.DOMAIN.TLD
otherName.1 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.DOMAIN.TLD
otherName.2 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:DOMAIN.TLD
otherName.3 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.proxy.xmpp.DOMAIN.TLD
otherName.4 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:proxy.xmpp.DOMAIN.TLD
otherName.5 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.upload.xmpp.DOMAIN.TLD
otherName.6 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:upload.xmpp.DOMAIN.TLD
otherName.7 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.pubsub.xmpp.DOMAIN.TLD
otherName.8 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:pubsub.xmpp.DOMAIN.TLD
otherName.9 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.rooms.xmpp.DOMAIN.TLD
otherName.10 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:rooms.xmpp.DOMAIN.TLD
otherName.11 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.search.xmpp.DOMAIN.TLD
otherName.12 = 1.3.6.1.5.5.7.8.5;FORMAT:UTF8,UTF8:search.xmpp.DOMAIN.TLD

[distinguished_name]
countryName = DE
localityName = The Internet
organizationName = Your Organisation
organizationalUnitName = XMPP Department
commonName = DOMAIN.TLD
emailAddress = xmpp@DOMAIN.TLD

[req]
prompt = no
req_extensions = certrequest
x509_extensions = selfsigned
distinguished_name = distinguished_name

[certrequest]
subjectAltName = @subject_alternative_name
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth,clientAuth
keyUsage = digitalSignature,keyEncipherment

[selfsigned]
subjectAltName = @subject_alternative_name
basicConstraints = CA:TRUE
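As an added example, not code from acmebot or from the poster, here is the SAN layout prosody generated above built with Python's `cryptography` package (an assumed dependency) and then read back out, decoding the otherName DER values into the xmppAddr and SRVName identities; the domain and host names are constructed sample values.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# OIDs from the posted config: id-on-xmppAddr (RFC 6120) and id-on-dnsSRV (RFC 4985).
ID_ON_XMPPADDR = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.5")
ID_ON_DNSSRV = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.7")
IA5STRING, UTF8STRING = 0x16, 0x0C  # universal DER tags used for the two value types

def der_string(tag: int, text: str) -> bytes:
    """DER-encode a short string: tag, single-byte length, contents."""
    body = text.encode("utf-8")
    if len(body) >= 128:
        raise ValueError("long-form length not supported for SAN host names")
    return bytes([tag, len(body)]) + body

def xmpp_general_names(domain: str, components: list[str]) -> list[x509.GeneralName]:
    """Reproduce prosody's layout: every host gets a dNSName and an xmppAddr; the main
    domain gets _xmpp-client and _xmpp-server SRVNames, component hosts only _xmpp-server."""
    hosts = [domain, *components]
    names: list[x509.GeneralName] = [x509.DNSName(h) for h in hosts]
    for host in hosts:
        if host == domain:
            names.append(x509.OtherName(ID_ON_DNSSRV, der_string(IA5STRING, f"_xmpp-client.{host}")))
        names.append(x509.OtherName(ID_ON_DNSSRV, der_string(IA5STRING, f"_xmpp-server.{host}")))
        names.append(x509.OtherName(ID_ON_XMPPADDR, der_string(UTF8STRING, host)))
    return names

def build_csr(domain: str, components: list[str]) -> x509.CertificateSigningRequest:
    """Build a CSR carrying the XMPP SAN set (constructed sample key and subject)."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domain)]))
            .add_extension(x509.SubjectAlternativeName(xmpp_general_names(domain, components)), critical=False)
            .sign(key, hashes.SHA256()))

def xmpp_identities(obj) -> dict[str, list[str]]:
    """Read the XMPP identities out of a CSR or certificate SAN; this is what a client matches against the JID domain."""
    san = obj.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    found = {"dns": san.get_values_for_type(x509.DNSName), "xmppAddr": [], "srv": []}
    for other in san.get_values_for_type(x509.OtherName):
        tag, length = other.value[0], other.value[1]  # short-form DER header
        text = other.value[2:2 + length].decode("utf-8")
        if other.type_id == ID_ON_XMPPADDR and tag == UTF8STRING:
            found["xmppAddr"].append(text)
        elif other.type_id == ID_ON_DNSSRV and tag == IA5STRING:
            found["srv"].append(text)
    return found
```

Running `xmpp_identities` over an issued certificate instead of the CSR shows which of the requested identities the CA actually included, which is the check worth keeping given the thread's conclusion that ACME CAs only validate "dns" identifiers.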

plinss commented 5 years ago

Hi Olaf, interesting request (I wasn't even aware of these features). At this point I'm not sure if LE will sign a certificate with these entries, and if so, how I would go about authenticating them. I've opened a discussion on the LE forum, let's see how that goes...

osirisinferi commented 5 years ago

This probably isn't possible in the near (or far) future. From RFC8555 (the ACME specification):

7.1.4. Authorization Objects

The only type of identifier defined by this specification is a fully qualified domain name (type: "dns").

OlafLostViking commented 5 years ago

Thank you both for checking! What a pity - but understandable: While I don't yet fully understand why the checking wouldn't be possible using the DNS challenge, I get the comment in the forum's post that the CA baseline requirements simply forbid it.