
Skipping Validation

Open kadirgun opened this issue 2 years ago • 2 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Is there a validation skipping feature like in pebble to disable ACME challenges?

Why is this needed?

Challenges fail when using it for projects on the local machine. This requires extra DNS configurations.

kadirgun, Sep 14 '23 23:09

Hey @kadirgun,

We currently always require at least one ACME challenge to be solved, because otherwise any system could potentially obtain a certificate. I don't know about this specific feature in Pebble, but I do know that Pebble is intended to be used (solely) for testing purposes. step-ca is run in various environments, including critical production environments, and for these the challenges are an essential security function.

I can see the utility of making challenge solving optional in certain environments, but IMO it shouldn't be the default and it shouldn't be implemented in a backwards incompatible way, which is what's implemented in https://github.com/smallstep/certificates/pull/1535.

We'll discuss this option in our upcoming open source triage.

hslatman, Sep 18 '23 20:09

@hslatman Thank you for your reply.

An option that is disabled by default can be added to avoid backwards incompatibility.

Pebble does this with the PEBBLE_VA_ALWAYS_VALID (https://github.com/letsencrypt/pebble#skipping-validation) environment variable.

kadirgun, Sep 18 '23 20:09
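
An added example, not part of the thread and not step-ca or Pebble code: a Go sketch of the trade-off discussed above, an http-01 style check (RFC 8555) with an opt-in skip switch that is off by default. The names `VA`, `ParseSkipFlag` and `ConstructedFetch`, the host names and the thumbprint strings are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// VA is a hypothetical validation authority, not step-ca's or Pebble's type.
type VA struct {
	// Fetch returns the body at http://<domain>/.well-known/acme-challenge/<token>.
	Fetch          func(domain, token string) (string, error)
	SkipValidation bool // zero value keeps challenges mandatory
}

// ParseSkipFlag: unset means off; a malformed value is an error, not a bypass.
func ParseSkipFlag(v string) (bool, error) {
	if v == "" {
		return false, nil
	}
	return strconv.ParseBool(v)
}

// ValidateHTTP01 checks that domain serves "<token>.<thumbprint>" (RFC 8555).
func (va VA) ValidateHTTP01(domain, token, thumbprint string) error {
	if va.SkipValidation {
		return nil // no proof of control: every requester passes
	}
	body, err := va.Fetch(domain, token)
	if err != nil {
		return fmt.Errorf("fetch challenge response: %w", err)
	}
	if strings.TrimSpace(body) != token+"."+thumbprint {
		return errors.New("key authorization mismatch")
	}
	return nil
}

// ConstructedFetch simulates one reachable host; every other name fails.
func ConstructedFetch(domain, token string) (string, error) {
	if domain == "app.example.test" {
		return token + ".thumb-of-owner-key\n", nil
	}
	return "", errors.New("no such host")
}

func main() {
	fmt.Println(VA{Fetch: ConstructedFetch}.ValidateHTTP01("dev.internal.test", "tok", "x"))
}
```

With the switch left at its default, the unreachable local name fails as the issue describes; with it enabled, the same request succeeds for any account key, which is why the reply above treats the challenge as an essential security function outside test setups.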