/plushcap/analysis/fly-io/how-cdns-generate-certificates

How CDNs Generate Certificates

What's this blog post about?

Fly is a content delivery network for Docker containers that uses Firecracker VMs and a global WireGuard mesh. To generate certificates, it utilizes LetsEncrypt's ACME protocol which involves domain-validated certificates based on proof of ownership. The ACME challenges include tls-http-01, tls-dns-01, and tls-sni-01, with the latter being deprecated due to security concerns related to subdomain takeover. Fly mitigates this issue by not reusing IP addresses for applications. The new ACME challenge is tls-alpn-01, which uses ALPN (Application Layer Protocol Negotiation) and is more explicit than the SNI challenge.

Company
Fly.io

Date published
June 25, 2020

Author(s)
Thomas Ptacek

Word count
2241

Hacker News points
127

Language
English


By Matt Makai. 2021-2024.