
jmholla | 12 days ago

> Why? ACME accounts have credentials so that the ACME client can authenticate against the certificate issuer, and ACME providers require the placement of a DNS record or a .well-known HTTP endpoint to verify that the account is authorized to act upon the demands of whoever owns the domain.

This is the previous model. In this case, DNS-Persist-01, the record is permanent and never changes. So to prove that your request is valid, they need to authenticate in some other manner. Otherwise, once you create that persistent record, anybody could request a cert for your domain.

Edit: Spivak explains the flow differences better in their comment: https://news.ycombinator.com/item?id=47065821
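An added illustration of the point made in the comment above (example code written for this page, not part of the thread and not an implementation of the ACME draft). It models two issuer-side checks over a persistent DNS record: a weak one that only checks that a record naming the issuer exists, and a stronger one that also requires the record to name the ACME account that authenticated the order. The zone data, the record syntax (`"<issuer-domain>; accounturi=<account URL>"`) and the function names are assumptions for illustration, not the draft's exact format.

```python
import re

# Constructed zone data: record name -> TXT strings. The record syntax is an
# assumption for this example, not the exact format of any ACME draft:
#   "<issuer-domain>; accounturi=<ACME account URL>"
ZONE = {
    "_validation-persist.example.com": [
        "ca.example.net; accounturi=https://ca.example.net/acme/acct/1001",
    ],
    "_validation-persist.unbound.example.com": [
        "ca.example.net",  # issuer named, but no account binding at all
    ],
}

RECORD_RE = re.compile(
    r"^\s*(?P<issuer>[^;\s]+)\s*(?:;\s*accounturi=(?P<acct>\S+))?\s*$"
)


def lookup_txt(zone, name):
    """Stand-in for a DNS TXT lookup against the constructed zone."""
    return zone.get(name, [])


def parse_record(txt):
    """Parse one TXT string into its issuer and optional account URI."""
    m = RECORD_RE.match(txt)
    if not m:
        return None
    return {"issuer": m.group("issuer").lower(), "accounturi": m.group("acct")}


def authorize_presence_only(zone, domain, issuer_domain, _account_uri):
    """Weak model: any record naming the issuer suffices.

    The account that made the request is ignored, so once the record exists,
    any account at that issuer would pass this check for the domain.
    """
    for txt in lookup_txt(zone, f"_validation-persist.{domain}"):
        rec = parse_record(txt)
        if rec and rec["issuer"] == issuer_domain.lower():
            return True, "issuer named in persistent record"
    return False, "no persistent record for this issuer"


def authorize_account_bound(zone, domain, issuer_domain, account_uri):
    """Stronger model: the record must name the issuer AND the ACME account
    URI that authenticated this order.

    The issuer already knows which account signed the request (ACME requests
    are signed with the account key), so matching that URI against the
    record ties the permanent DNS entry to one specific account.
    """
    records = [
        parse_record(t) for t in lookup_txt(zone, f"_validation-persist.{domain}")
    ]
    records = [r for r in records if r and r["issuer"] == issuer_domain.lower()]
    if not records:
        return False, "no persistent record for this issuer"
    for rec in records:
        if rec["accounturi"] is not None and rec["accounturi"] == account_uri:
            return True, "record bound to the requesting account"
    if all(r["accounturi"] is None for r in records):
        return False, "record lacks accounturi; not treated as authorization"
    return False, "record is bound to a different account"


if __name__ == "__main__":
    owner = "https://ca.example.net/acme/acct/1001"
    stranger = "https://ca.example.net/acme/acct/9999"
    for fn in (authorize_presence_only, authorize_account_bound):
        for acct in (owner, stranger):
            ok, why = fn(ZONE, "example.com", "ca.example.net", acct)
            print(f"{fn.__name__:26} {acct.rsplit('/', 1)[1]:>5} -> {ok} ({why})")
```

Running it shows the difference the comment is getting at: with the presence-only check, both the owner's account and an unrelated account at the same issuer are accepted for `example.com`; with the account-bound check, only account `1001` is accepted, and the `unbound.example.com` record (issuer named, no account) authorizes nobody. The account URI is compared as an exact string here; a real issuer would compare against the canonical URL it assigned to the authenticated account rather than trusting any normalization of the client's input.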
