[AC-Admins] irc.anthrochat.net
Simba
simba at anthrochat.net
Wed Oct 19 17:56:17 EDT 2016
On 10/19/2016 10:44 AM, Pippin Bear wrote:
> Ah yes, true, a single cert listing every server and rotary would
> let you also do things like pointing DNS for one server to another
> one if it failed, and would be needed for the rotaries anyway. I
> hadn't considered that.
Exactly. It has the drawback of having the same private key on
every server, but I'm not super concerned about that.
> One way might be to run a copy of BIND on the machine doing the
> certificates, with an out-of-the-way domain delegated to it, and
> CNAME the appropriate records into that domain.
I can just use an anthrochat.net subdomain for that; like
le.anthrochat.net or acme.anthrochat.net or something.
> That way you don't need the LE client to be able to manipulate the
> main anthrochat.net zone directly.
Does the LE client have the ability to manipulate bind zone files
and issue a reload directly? I was having trouble finding anything
concrete on that.
It would be so much nicer if ACME / LE supported SRV records for
this process. It could then look up the http server that will do the
http-01 challenge, for each host, by way of an SRV record, then connect
to that http server for the verification. Something like:
_acme-http-01-challenge._tcp.bear.anthrochat.net. 7200 IN SRV 0 5 80 le.anthrochat.net.
(for each of the server names)
One can dream. :)
--
Simba
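The CNAME-into-a-side-zone approach Pippin describes, worked through as an added example that is not code from this thread or from any Let's Encrypt client. It assumes acme.anthrochat.net as the delegated zone (one of the names floated above), constructed zone data in place of a live BIND server, and a validator that follows CNAMEs for the dns-01 challenge, which ACME permits; it also shows the check a defender would run before trusting the chain (a missing TXT or a CNAME loop must fail, not pass).

```python
"""Delegated dns-01 challenge zone: emit the CNAME glue for the main zone and
verify that a CNAME-following validator reaches the token in the side zone.
Constructed example; zone data below is made up, not a real anthrochat.net zone."""

MAX_CNAME_HOPS = 8  # bound the chase so a looping or deep chain cannot spin forever


def challenge_cname(host: str, delegated_zone: str) -> tuple[str, str]:
    """(owner, target) for the CNAME that sends _acme-challenge.<host> into the
    delegated zone, so the ACME client only ever writes TXT records there."""
    host = host.rstrip(".")
    owner = f"_acme-challenge.{host}."
    target = f"{host}.{delegated_zone.rstrip('.')}."
    return owner, target


def zone_fragment(hosts, delegated_zone):
    """BIND-style lines to paste into the main zone: one CNAME per server name."""
    return [f"{o} IN CNAME {t}"
            for o, t in (challenge_cname(h, delegated_zone) for h in hosts)]


def resolve_txt(name, zone):
    """Follow CNAMEs from `name` until a TXT record is found; None on a missing
    record or a loop.  `zone` maps owner -> ("CNAME", target) | ("TXT", value)."""
    seen = set()
    for _ in range(MAX_CNAME_HOPS):
        if name in seen:
            return None            # CNAME loop: treat as validation failure
        seen.add(name)
        rec = zone.get(name)
        if rec is None:
            return None            # nothing published at this owner
        rtype, data = rec
        if rtype == "TXT":
            return data
        name = data                # CNAME: keep chasing


def validator_sees_token(host, delegated_zone, zone, token):
    """What the CA's check amounts to: the TXT reached via the chain must match."""
    owner, _ = challenge_cname(host, delegated_zone)
    return resolve_txt(owner, zone) == token


# Constructed zone: CNAMEs in the main zone, a TXT only published for bear so far.
HOSTS = ["bear.anthrochat.net", "irc.anthrochat.net"]
ZONE = {o: ("CNAME", t)
        for o, t in (challenge_cname(h, "acme.anthrochat.net") for h in HOSTS)}
ZONE["bear.anthrochat.net.acme.anthrochat.net."] = ("TXT", "constructed-token-for-bear")
```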