undefined | Better HN

0 pointslifthrasiir10y ago0 comments

If there are hundreds of thousands of these certificates, you will need a custom ACME client anyway. It is not trivial even with a presence of SNI.

0 comments

diafygi10y ago

Eh, ACME isn't that complex. I wrote a fully automated client in less than 200 lines of python.

https://github.com/diafygi/acme-tiny

lifthrasiirOP10y ago

An HTTP client that gives a simple automated response is easy to write. An HTTP client that gives simple automated responses to 10,000 connections every second is not easy to write.

(Disclaimer: That said, I haven't seriously assessed the scalability of typical ACME clients. I would appreciate any hard number for them.)

michaelt10y ago

The ACME client only has to run once every 90 days, to validate domain ownership and retrieve an updated certificate. After that, the certificate can be stored on and loaded from disk - the same way most of the files being served are probably stored.

It's true there might be some added complexity, as the private keys will need to be stored securely. And session resumption data, if you need to support that. Doesn't seem like an insurmountable problem, though.

j / k navigate · click thread line to collapse