Add certificate to conn.internet.nl #324
Comments
See also #355
For Sectigo certs for IP addresses see: https://sectigostore.com/page/ssl-certificate-for-ip-address/
Note that CSP currently does not allow IP addresses. See: https://www.w3.org/TR/CSP3/#match-hosts
To make the whole connection test run via HTTPS, we probably also need (wildcard) certs for:
Note that ACME seems to require a DNS challenge for wildcard certs.
@gthess: question: could you explain a bit why we need unique IDs in the labels for the connection test? Thanks!
Because the client information is encoded in the unique ID of the qname. Then the data from DNS can be correlated with the ongoing test.
BTW, since I'm looking into this: we could also handle ACME on the main domain this way (but we don't need/want wildcard certificates on the apex domain):
Just spoke with @bwbroersma about this: CNAME might also be a solution to automate the renewal of DANE records. However, note that the availability of the delegated nameserver is probably not as good as that of our main nameservers.
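The DNS-01 mechanism that ACME requires for wildcard names, with the challenge name delegated through a CNAME into a separately operated zone as the two comments above consider, as an added Python example that is not code from this issue or from the Internet.nl project. The zone contents, the token, the account-key thumbprint and the delegated zone name are constructed; the digest construction follows RFC 8555 (TXT value = base64url(SHA-256(token "." thumbprint)) at `_acme-challenge.<name>`, with a leading `*.` stripped for wildcards).

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value the client must publish: base64url(SHA-256(key authorization))."""
    key_authorization = f"{token}.{account_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def validation_name(identifier: str) -> str:
    """Challenge owner name; '*.example.net' and 'example.net' share '_acme-challenge.example.net.'."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}."


def lookup(zone: dict, name: str, rtype: str, max_hops: int = 8) -> list:
    """Return the rtype values for name, following CNAMEs as a resolver would.
    A bounded hop count guards against CNAME loops in misconfigured delegations."""
    for _ in range(max_hops + 1):
        rrset = zone.get(name.lower(), [])
        values = [v for t, v in rrset if t == rtype]
        if values:
            return values
        cnames = [v for t, v in rrset if t == "CNAME"]
        if not cnames:
            return []
        name = cnames[0]
    raise RuntimeError("CNAME chain too long")


def validate_dns01(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """The CA's side of the check: does any TXT at the validation name equal the expected digest?"""
    expected = dns01_txt_value(token, thumbprint)
    return expected in lookup(zone, validation_name(identifier), "TXT")


# Constructed values in the shape ACME uses; not real challenge data.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
DELEGATED = "acme.delegate.example"  # hypothetical zone on a separate, automatable nameserver


def build_zone(txt_value: str) -> dict:
    """Toy zone: the main zone holds only a static CNAME; the TXT record lives in the delegated zone."""
    return {
        "_acme-challenge.example.net.": [("CNAME", f"example.net.{DELEGATED}.")],
        f"example.net.{DELEGATED}.": [("TXT", txt_value)],
    }


ZONE = build_zone(dns01_txt_value(TOKEN, THUMBPRINT))

if __name__ == "__main__":
    print("wildcard ok:", validate_dns01(ZONE, "*.example.net", TOKEN, THUMBPRINT))
    print("wrong token:", validate_dns01(ZONE, "example.net", "not-the-token", THUMBPRINT))
```

The point of the delegation is that the main zone never changes during renewal: only the delegated zone needs write access from the ACME client, which limits what a compromised renewal host can alter. The availability caveat from the comment still holds, since a CA that cannot resolve the delegated zone at validation time simply fails the challenge.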
Thanks for sharing your experience, @mdavids!
To be discussed in the steering group
Steering group discussion:
To document an idea I shared with the
We connect directly to an IP address over HTTP to test IPv6 connectivity. Because of possible 'mixed content' warnings conn.internet.nl does not do HTTPS. However, it seems possible to have a valid CA certificate for IP addresses. For example check https://1.1.1.1