Skip to content

[Feature] Let's Encrypt account URI #644

Description

@akostadinov

Hello.

RPXY supports automatically obtaining certificates from Let's Encrypt by automatically creating a client and then requesting the certificates using the TLS-ALPN-01 protocol.

This protocols allows a malicious ISP or a MITM actor obtain a certificate for domains served through them. But on e can use the CAA DNS record type to limit the ability to generate certificates to Let's Encrypt and their specific account URI, i.e.

example.com.  CAA  0  issue  "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456"
example.com.  CAA  0  issuewild  "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456"

The problem is that I see no way presently to extract this account URI from RPXY. I see it neither recorded in logs nor anywhere in a human readable file inside the acme_registry directory.

Would be really nice to have this somehow logged or easily accessible. Even RPXY may show a log line with the exact CAA record one has to set, perhaps if RPXY detects such record missing or in case the issuing fails due to a CAA record mismatch... hope not asking for too much!

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions