Hello.
RPXY supports automatically obtaining certificates from Let's Encrypt by automatically creating a client and then requesting the certificates using the TLS-ALPN-01 protocol.
This protocols allows a malicious ISP or a MITM actor obtain a certificate for domains served through them. But on e can use the CAA DNS record type to limit the ability to generate certificates to Let's Encrypt and their specific account URI, i.e.
example.com. CAA 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456"
example.com. CAA 0 issuewild "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456"
The problem is that I see no way presently to extract this account URI from RPXY. I see it neither recorded in logs nor anywhere in a human readable file inside the acme_registry directory.
Would be really nice to have this somehow logged or easily accessible. Even RPXY may show a log line with the exact CAA record one has to set, perhaps if RPXY detects such record missing or in case the issuing fails due to a CAA record mismatch... hope not asking for too much!
Hello.
RPXY supports automatically obtaining certificates from Let's Encrypt by automatically creating a client and then requesting the certificates using the TLS-ALPN-01 protocol.
This protocols allows a malicious ISP or a MITM actor obtain a certificate for domains served through them. But on e can use the
CAADNS record type to limit the ability to generate certificates to Let's Encrypt and their specific account URI, i.e.The problem is that I see no way presently to extract this account URI from RPXY. I see it neither recorded in logs nor anywhere in a human readable file inside the
acme_registrydirectory.Would be really nice to have this somehow logged or easily accessible. Even RPXY may show a log line with the exact CAA record one has to set, perhaps if RPXY detects such record missing or in case the issuing fails due to a CAA record mismatch... hope not asking for too much!