On Mon, Jan 25, 2016 at 11:24 AM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
>> The special SNI value and the special cert are dynamically generated
>> during the ACME exchange. If you wanted to build support into ocserv,
>> you could accept the Z value through dbus and autogenerate the cert +
>> SNI name. Not sure how "invasive" all of this is, though.
>
> I would not like to introduce a dbus dependency just for that. occtl
> could be used to provide that input, but still the webroot that you
> mention below is far simpler.

Err, right, for some reason I thought occtl was using dbus. Oops.

>> One downside is that many ACME clients only support webroot. So I
>> guess this would probably be implemented as a plugin for the
>> reference client.
>
> Well, the webroot thing can be combined easily with ocserv as it only
> requires the HTTP port. Isn't running a temporary HTTP server in
> parallel with ocserv a simpler solution?

Yes, I'm using the standalone plugin to do that now. Fortunately, there is
nothing else running on port 80 on this IP, so it's not a major problem.

I really hope they reconsider their decision to drop TLS webroot support -
it's even in the spec. If that happens I'll send my ocserv ACME webroot
patch.