smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Skipping Validation #1534

Open kadirgun opened 1 year ago

kadirgun commented 1 year ago

Hello!

Issue details

Is there a validation skipping feature like in pebble to disable ACME challenges?

Why is this needed?

Challenges fail when using it for projects on the local machine. This requires extra DNS configurations.

hslatman commented 1 year ago

Hey @kadirgun,

We currently always require at least one ACME challenge to be solved, because otherwise any system could potentially obtain a certificate. I don't know about this specific feature in Pebble, but I do know that Pebble is intended to be used (solely) for testing purposes. step-ca is run in various environments, including critical production environments, and for these the challenges are an essential security function.

I can see the utility of making challenge solving optional in certain environments, but IMO it shouldn't be the default and it shouldn't be implemented in a backwards incompatible way, which is what's implemented in https://github.com/smallstep/certificates/pull/1535.

We'll discuss this option in our upcoming open source triage.

kadirgun commented 1 year ago

@hslatman Thank you for your reply.

An option that is disabled by default can be added to avoid backwards incompatibility.

Pebble does this with the PEBBLE_VA_ALWAYS_VALID (https://github.com/letsencrypt/pebble#skipping-validation) environment variable.