small improvements, better order of sections

Author: mariuskimmina

20220403-ACME-TLS.md

@@ -53,6 +53,21 @@ Some parts here can already be automated easily, like Generating a private key a
 
 And all of these steps can be automated
 
+## How ACME works
+
+ACME is a client-server protocl where the Server side is implemented by a Certificate Authority (CA) such as [Let's Encrypt][lets-encrypt] the client side is implemented by a service that wants to obtain a valid certificate, such as CoreDNS in this case. The client has to prove ownership of a domain before the CA can give out a certificate, to achieve that, one of the following challenges has to be completed:
+
+### HTTP01 Challenge
+This requires port 80.
+
+CA gives the ACME client a token which puts a file on the server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. The file contains the token, plus a thumbprint of your account key. Once the client tells the CA that the file is ready, Let’s Encrypt tries retrieving it. If the validation checks get the right responses from the web server, the validation is considered successful and the certificate can be issued.
+
+To implement this in CoreDNS I propose that the underlying Caddy server could be used to serve the file at `/.well-known/acme-challenge/`. I am not familar enough with the codebase of CoreDNS to know how feasible it would be to do this from a plugin - see questions and discussions section.
+
+### DNS01 Challenge
+After the CA gives the ACME client a token, the client will then create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. The CA queries the DNS system for that record and the certificate can be issued if it matches.
+However, to do this automatically, the DNS provider needs to offer an API by which changes can be made to domain names. Wildcard certificates can be issued with this challenge.
+
 ## Deliverables
 * The existing TLS plugin will be extended to support the ACME protocol
 * It will be possible to setup CoreDNS with a verified certificate, signed by a CA such as Let's Encrypt, without manually generating and renewing it
@@ -91,20 +106,6 @@ To implement ACME there are a couple packages that we could use to help us such
 
 Deciding for one of these implementation, or potentially even creating a new one, is an outstanding task.
 
-### Challenges
-
-To prove ownership of a domain with ACME, one of the following challenges has to be completed
-
-### HTTP01 Challenge
-This requires port 80.
-
-CA gives the ACME client a token which puts a file on the server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. The file contains the token, plus a thumbprint of your account key. Once the client tells the CA that the file is ready, Let’s Encrypt tries retrieving it. If the validation checks get the right responses from the web server, the validation is considered successful and the certificate can be issued.
-
-To implement this in CoreDNS I propose that the underlying Caddy server could be used to serve the file at `/.well-known/acme-challenge/`. I am not familar enough with the codebase of CoreDNS to know how feasible it would be to do this from a plugin - see questions and discussions section.
-
-### DNS01 Challenge
-After the CA gives the ACME client a token, the client will then create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. The CA queries the DNS system for that record and the certificate can be issued if it matches.
-However, to do this automatically, the DNS provider needs to offer an API by which changes can be made to domain names. Wildcard certificates can be issued with this challenge.
 
 ## Storage
 
@@ -176,13 +177,13 @@ The worker caches the CERT RR (for X seconds) to reduce querying the master for
 
 
 **June 13 - September 19:**
-* Integrate ACME library (or own implementation if necessary) into TLS plugin
-* Implement Challenges
-* Develop Tests for ACME challenges
-* Start writing documentation
-* Start working on cluster implementation
-* Develop Tests for cluster implementation
-* Finish the documentation
+1. Integrate ACME library (or own implementation if necessary) into TLS plugin
+2. Implement Challenges
+3. Develop Tests for ACME challenges
+3. Start writing documentation
+4. Start working on cluster implementation
+5. Develop Tests for cluster implementation
+6. Finish the documentation
 
 I hope to be done by September 01 the latest and have until September 19 as a buffer.
 I will also be in contact with the mentors and hope to gather a lot of feedback along the way.
@@ -192,7 +193,6 @@ I will also be in contact with the mentors and hope to gather a lot of feedback
 * Keep Contributing to CoreDNS and possibly other CNCF projects 
 
 
-
 ## Questions and Discussion Topics
 
 1. Do coredns have a domain for testing and development? 
@@ -205,4 +205,7 @@ A lot of this proposal has been reused from a previous attempts [here](https://g
 
 1. [ACME RFC](https://tools.ietf.org/html/rfc8555)
 2. [DNS Challenge Types](https://letsencrypt.org/docs/challenge-types/)
-3. [Explanation of ACME Protocol](https://www.thesslstore.com/blog/acme-protocol-what-it-is-and-how-it-works/)
+3. [Explanation of ACME Protocol](https://www.thesslstore.com/blog/acme-protocol-what-it-is-and-how-it-works/)
+
+
+[lets-encrypt]: https://letsencrypt.org/