How CDNs Generate Certificates
Fly is a content delivery network for Docker containers that runs on Firecracker VMs and a global WireGuard mesh. To obtain certificates it uses Let's Encrypt's ACME protocol, which issues domain-validated certificates based on proof of control over the domain. The ACME challenges discussed are tls-http-01, tls-dns-01, and tls-sni-01; the last of these has been deprecated because of security concerns related to subdomain takeover. Fly mitigates this issue by not reusing IP addresses across applications. The newer ACME challenge is tls-alpn-01, which relies on ALPN (Application Layer Protocol Negotiation) and is more explicit than the SNI challenge.
Company: Fly.io
Date published: June 25, 2020
Author(s): Thomas Ptacek
Word count: 2241
Language: English
Hacker News points: 127