Make InsecureSkipVerify: true configurable #5
Comments
👋 Hi @lenovouser, I'm sorry you found yourself in a situation where you couldn't renew the ACME DNS certificate. I don't think that making TLS certificate validation configurable is the right solution. I'm hesitant to add a lever that will be a security downgrade 99.99% of the time and a useful feature the remaining 0.01%. It looks like the first-party Python ACME DNS library by @joohoi doesn't expose a way to do this either. Beyond encouraging adding monitoring of your ACME DNS HTTPS certificate expiry, I think the best path forward would be to amend the upstream ACME DNS project README to call out this specific danger. The safest way to avoid this situation is to recommend that users that want to use ACME DNS with an HTTPS API should let ACME DNS get its own certificate using its built-in autossl (e.g. using I'm going to close this issue since I don't think it is fit for implementation. Thanks!
Here's an acme-dns README update that I think helps address this situation: joohoi/acme-dns#169
The ACME-DNS README now has a warning about this case: https://github.com/joohoi/acme-dns#https-api
go-acme/lego#900
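The first comment above recommends monitoring the expiry of the ACME DNS HTTPS certificate rather than disabling validation. A sketch of such a check in Go, added here as an illustration and not code from this project or from acme-dns; the names `Classify` and `CheckExpiry` and the 21-day warning threshold are assumptions:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// Classify maps a verified leaf's NotAfter, or a handshake error, to "ok", "expiring", "expired" or "error".
func Classify(notAfter, now time.Time, warn time.Duration, hsErr error) string {
	var inv x509.CertificateInvalidError
	switch {
	case errors.As(hsErr, &inv) && inv.Reason == x509.Expired:
		return "expired" // verification failed because the cert is outside its validity window
	case hsErr != nil:
		return "error" // untrusted chain, name mismatch, network failure, ...
	case !now.Before(notAfter):
		return "expired"
	case notAfter.Sub(now) < warn:
		return "expiring"
	}
	return "ok"
}

// CheckExpiry does a fully verified handshake with addr ("host:port"); nil roots means the system trust store.
func CheckExpiry(addr string, roots *x509.CertPool, warn time.Duration) (string, time.Time) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{RootCAs: roots})
	if err != nil {
		return Classify(time.Time{}, time.Now(), warn, err), time.Time{}
	}
	defer conn.Close()
	notAfter := conn.ConnectionState().PeerCertificates[0].NotAfter
	return Classify(notAfter, time.Now(), warn, nil), notAfter
}

func main() { // usage: certcheck host:port
	if len(os.Args) != 2 {
		os.Exit(2)
	}
	status, notAfter := CheckExpiry(os.Args[1], nil, 21*24*time.Hour) // 21 days: assumed threshold
	fmt.Println(os.Args[1], status, notAfter.Format(time.RFC3339))
	if status != "ok" {
		os.Exit(1) // non-zero exit lets cron or a monitoring agent alert
	}
}
```

Because the handshake is verified normally, a certificate that has already lapsed is reported as "expired" from the verification error itself, without `InsecureSkipVerify` ever being set.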