Automated Certificate Management Environment                 J. Crawford
Internet-Draft                                                   A. Chen
Intended status: Informational                                H. Shafagh
Expires: 20 July 2025                                            Netflix
                                                         16 January 2025


             Delegated http-01 Validation in ACME Protocol
               draft-crawford-acme-delegated-http-latest

Abstract

   This document proposes an extension to the Automated Certificate
   Management Environment (ACME) !RFC8555 protocol to enhance the
   http-01 challenge type (see Section 8.3 of [RFC8555]) by allowing for
   delegation, enabling validation requests to be directed to a
   designated server.  This approach mirrors the functionality available
   with dns-01 (see Section 8.4 of [RFC8555]) challenges via DNS CNAME
   records, aiming to improve the flexibility and scalability of the
   http-01 validation method.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://jmcrawford45.github.io/draft-crawford-acme-delegated-http/
   draft-crawford-acme-delegated-http.html.  Status information for this
   document may be found at https://datatracker.ietf.org/doc/draft-
   crawford-acme-delegated-http/.

   Discussion of this document takes place on the Automated Certificate
   Management Environment mailing list (mailto:acme@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/acme/.
   Subscribe at https://www.ietf.org/mailman/listinfo/acme/.

   Source for this draft and an issue tracker can be found at
   https://github.com/jmcrawford45/draft-crawford-acme-delegated-http.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 20 July 2025.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Definitions
   3.  Delegated HTTP Validation
   4.  Security Considerations
   5.  IANA Considerations
   6.  Normative References
   Acknowledgments
   Authors' Addresses

1.  Introduction

   The ACME protocol provides mechanisms for validating domain control
   using several challenge types, including http-01 and dns-01.  While
   dns-01 challenges allow for delegation using DNS CNAME records,
   http-01 challenges require direct hosting of challenge responses on
   the domain being validated.  This document introduces a mechanism to
   delegate http-01 validation requests to a designated server.  By
   leveraging DNS records to redirect HTTP validation, this proposal
   enables http-01 validation while addressing challenges associated
   with validating domains hosted on corporate networks, on load
   balancers, or behind firewalls.  Delegated HTTP validation combines
   the following benefits from the existing dns-01 and http-01
   validation methods.

   *  *Centralized Management*: Enables centralized management of
      challenge responses, reducing the complexity of managing multiple
      domains.

   *  *Reduced Exposure*: Eliminates the need for direct access to the
      primary web server for validation.

   *  *Performance*: Reduces latency compared to dns-01 challenges by
      allowing synchronous validation.

   *  *Security*: Avoids risks associated with exposing DNS API
      credentials.

   *  *Scalability*: Enables parallelized validation of domains on
      distributed load balancers.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Delegated HTTP Validation

   This proposal extends the http-01 challenge type to support
   delegation using a DNS record, similar to the approach used for
   dns-01 challenges.  The process for validating example.com is as
   follows:

   1.  *DNS Configuration*: The domain owner creates a DNS record for
       _acme-challenge.example.com pointing to a server capable of
       serving HTTP validation requests.  For example:

       _acme-challenge.example.com.  CNAME validation-server-
       example.net.

   2.  *Challenge File Provisioning*: The designated server hosts the
       challenge file at the path /.well-known/acme-challenge/{token},
       containing the domain authorization string.

   3.  *Validation Request*: The ACME server attempts validation in the
       following order:

       *  http://_acme-challenge.example.com/.well-known/acme-
          challenge/{token}

       *  http://example.com/.well-known/acme-challenge/{token}

       An ACME server MUST try the undelegated URL if the delegated URL
       fails.

   4.  *Validation Response*: The designated server responds with the
       authorization string, which the ACME server verifies against the
       expected value.

   5.  *Challenge Completion*: If the validation succeeds, the challenge
       status is updated to “valid.” If it fails, the status is updated
       to “invalid,” with diagnostic information provided.

4.  Security Considerations

   *  Relies on the security of both DNS and the delegated server.

5.  IANA Considerations

   TODO: https://github.com/jmcrawford45/draft-crawford-acme-delegated-
   http/issues/1

6.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC8555]  Barnes, R., Hoffman-Andrews, J., McCarney, D., and J.
              Kasten, "Automatic Certificate Management Environment
              (ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019,
              <https://www.rfc-editor.org/rfc/rfc8555>.

Acknowledgments

   TODO acknowledge.

Authors' Addresses

   Jared Crawford
   Netflix
   Email: jmcrawford45@gmail.com


   Andrew Chen
   Netflix
   Email: achen.code@gmail.com


   Hoss Shafagh
   Netflix
   Email: hoss.sha@gmail.com