zlacker

1. paxys+x4 2023-05-04 19:13:35
>>aendru+(OP)
This is a terrible implementation of domain verification. dns-01 and http-01 are more or less standardized at this point. Use them, and don't roll your own. Reference: https://letsencrypt.org/docs/challenge-types/.
2. bob102+S9 2023-05-04 19:37:46
>>paxys+x4
I don't get http-based verification in general. If you want to really prove someone owns a domain, make them change an authoritative DNS record. Everything else feels like it is begging for edge cases to crop up. Why should my social media or SSL certificate vendor care about my web servers?
3. chrism+Fa 2023-05-04 19:40:26
>>bob102+S9
Convenience. DNS is routinely not automatable by API, or inconvenient to automate. HTTP, however, is normally easy to work with.
4. AdamJa+oe 2023-05-04 19:59:33
>>chrism+Fa
It's not even that it's not automatable, it's just that it follows a completely different control scheme and path than DNS.

For 99.99% of cases when a domain is pointed at me and I want to serve an SSL certificate for it, I can answer an HTTP-01 challenge. Needing to orchestrate a DNS challenge will always be a more complicated external thing.

HTTP challenges (and TLS-ALPN) are in-band, DNS is out-of-band.
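The http-01 and dns-01 checks the thread keeps pointing at are defined in RFC 8555 (ACME): the client proves control by publishing a key authorization (challenge token joined to the RFC 7638 thumbprint of its account key) either in-band at `/.well-known/acme-challenge/<token>` or out-of-band as a TXT record at `_acme-challenge.<domain>`. The validator-side logic below is an added example, not code from the thread or from any CA; the account JWK, token and fetched bodies are constructed sample values, and the HTTP/DNS fetch itself is left to the caller.

```python
import base64
import hashlib
import hmac
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 8555 uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only the required public members, in lexicographic order.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    canonical = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}  # drops kid, use, alg, ...
    payload = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(payload).digest())


def valid_token(token: str) -> bool:
    """RFC 8555 8.3: base64url alphabet only, no padding, at least 128 bits (22 chars)."""
    return re.fullmatch(r"[A-Za-z0-9_-]{22,}", token) is not None


def key_authorization(token: str, account_jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_url(domain: str, token: str) -> str:
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def check_http01(token: str, account_jwk: dict, body: str) -> bool:
    """In-band check: the fetched body must equal the key authorization; trailing
    whitespace is ignored per RFC 8555, comparison is constant-time on bytes."""
    if not valid_token(token):
        return False
    return hmac.compare_digest(body.rstrip().encode(), key_authorization(token, account_jwk).encode())


def dns01_expected_txt(token: str, account_jwk: dict) -> str:
    """Out-of-band check value: base64url(SHA-256(key authorization)) at _acme-challenge.<domain>."""
    return b64url(hashlib.sha256(key_authorization(token, account_jwk).encode()).digest())


def check_dns01(token: str, account_jwk: dict, txt_values: list) -> bool:
    expected = dns01_expected_txt(token, account_jwk).encode()
    return valid_token(token) and any(hmac.compare_digest(v.encode(), expected) for v in txt_values)


# Constructed sample account key (not a real curve point) and token, for demonstration only.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32), "kid": "acct-1"}
SAMPLE_TOKEN = b64url(b"\x10" * 16)
```

Note that a "kid" or other extra JWK member does not change the thumbprint, and that a body containing only the token (a common mis-implementation) fails the check.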
