Custom File Challenge #117
-
Hello, we are trying to implement a custom server using ACME2Certifier for a well-known CA. In my case, the CA expects the file validation path to be http://[domain.name]/.well-known/pki-validation/fileauth.txt, which is a very different format from the ACME protocol's "/.well-known/acme-challenge/". Can you tell me if this change needs to be done in a new ca-handler, or do I need to fix this from the certbot pre/post authenticator script? Basically I want to know if there is a way to provide custom values for "authorizations" and "identifiers" as described in https://datatracker.ietf.org/doc/html/rfc8555#section-6.1
Replies: 3 comments 2 replies
-
Hi, that's an interesting question. If the validation file must be located on the endpoint (as your FQDN points to it), I suggest implementing it via certbot hooks; otherwise, it can be done via the CA handler. The tricky question is how to pass the fileauth.txt from acme2certifier to the client (I assume that at a certain point this gets provided by your CA via your handler). Have you ever thought about this?
-
I think we could "misuse" the polling identifier to insert data from the ca-handler into the database and provide this information once a client polls either the certificate or the order resource. Let me think about it and check the code...
-
I did some tests yesterday. During the certificate issuance process the status of the order resource in a2c is pending, and ACME clients will poll the order resource at frequent intervals. That means we could submit data to the client by just updating the order resource accordingly. The problem is rather how to make use of the data on the client side. The hooks in When are you getting the fileauth.txt from your CA? Are you getting it upfront or rather after submitting the CSR?
Thank you for responding so quickly. I was thinking we could provide the values for this from the ca_handler (figuring out if there's any specific parameter I can return), so that I can use them in certbot hooks to create the file at that location? If you have any other ideas, please share.
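The data path sketched in the two posts above (the server attaches the CA-provided validation file to the still-pending order resource, the client reads it when polling and writes it below its webroot) as an added example. This is not code from acme2certifier, certbot or the thread participants: the `x-pki-validation` order member is a hypothetical extension chosen for this illustration, the order object is constructed in the RFC 8555 section 7.1.3 shape, and `auth_hook` only stands in for whatever a certbot `--manual-auth-hook` script would do with the polled order. The one point worth taking from it is that the file path arrives from the server, so the client treats it as untrusted and refuses anything that resolves outside the webroot.

```python
"""Illustrative only: a CA-provided 'pki-validation' file handed from the ACME
server to the client via a pending order resource, plus the client-side write."""
import json
import os
from pathlib import Path

# Hypothetical extension member carried in the order object. This is an
# assumption for this example; neither RFC 8555 nor acme2certifier defines it.
FILEAUTH_FIELD = "x-pki-validation"

# Constructed order resource in the RFC 8555 section 7.1.3 shape (sample data).
SAMPLE_ORDER = {
    "status": "pending",
    "expires": "2024-01-01T00:00:00Z",
    "identifiers": [{"type": "dns", "value": "www.example.com"}],
    "authorizations": ["https://a2c.example.com/acme/authz/1"],
    "finalize": "https://a2c.example.com/acme/order/1/finalize",
}


def attach_fileauth(order, rel_path, content):
    """Server side: return a copy of the pending order carrying the validation
    file the CA handed to the ca_handler (path relative to the webroot)."""
    out = dict(order)
    out["status"] = "pending"
    out[FILEAUTH_FIELD] = {"path": rel_path, "content": content}
    return out


def extract_fileauth(order_json):
    """Client side: parse a polled order resource and return (path, content),
    or None when the order is not pending or carries nothing usable."""
    order = json.loads(order_json)
    if order.get("status") != "pending":
        return None
    data = order.get(FILEAUTH_FIELD)
    if not isinstance(data, dict):
        return None
    rel_path, content = data.get("path"), data.get("content")
    if not isinstance(rel_path, str) or not isinstance(content, str):
        return None
    return rel_path, content


def write_fileauth(webroot, rel_path, content):
    """Write the validation file below webroot. The path comes from the server,
    so it is untrusted: anything resolving outside webroot (including via
    '..' segments or a symlink) is refused."""
    root = Path(webroot).resolve()
    target = (root / rel_path.lstrip("/")).resolve()
    if root not in target.parents:
        raise ValueError(f"refusing to write outside webroot: {rel_path}")
    target.parent.mkdir(parents=True, exist_ok=True)
    tmp = target.with_name(target.name + ".tmp")
    tmp.write_text(content, encoding="utf-8")
    os.replace(tmp, target)  # atomic swap so the CA never fetches a half-written file
    return str(target)


def auth_hook(order_json, webroot):
    """What a certbot-style auth hook would do with the polled order: returns
    the written path, or None if the order carried no validation file."""
    found = extract_fileauth(order_json)
    if found is None:
        return None
    return write_fileauth(webroot, *found)


if __name__ == "__main__":
    import tempfile
    pending = attach_fileauth(SAMPLE_ORDER,
                              ".well-known/pki-validation/fileauth.txt",
                              "constructed-validation-token\n")
    with tempfile.TemporaryDirectory() as tmpdir:
        print(auth_hook(json.dumps(pending), tmpdir))
```

Whether the order member, the authorization object or a separate polling identifier is the right carrier is exactly the open question in this thread; the hook side stays the same either way.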