Sticky: ACME v2 (now available) #5

New Issue

Closed

opened 2018-03-14 09:25:51 +00:00 by Ghost · 4 comments

Ghost commented 2018-03-14 09:25:51 +00:00

Copy Link

Hello,

does greenlock support ACME v2. The last update is already a few month ago, so I assume it does not.

Any Plans to support it?

https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

Greetings Nils

Hello, does greenlock support ACME v2. The last update is already a few month ago, so I assume it does not. Any Plans to support it? https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578 Greetings Nils

coolaj86 commented 2018-03-15 02:56:12 +00:00

Owner

Copy Link

Landed in v2.2.4

git clone https://git.coolaj86.com/coolaj86/greenlock.js.git

or

npm install greenlock@latest

Not yet. I'm looking into it and I would love help.

Landed in v2.2.4 ================ ```bash git clone https://git.coolaj86.com/coolaj86/greenlock.js.git ``` or ```bash npm install greenlock@latest ``` ~~Not yet. I'm looking into it and I would love help.~~

coolaj86 commented 2018-03-15 03:28:57 +00:00

Owner

Copy Link

According to that document this is the latest draft of the standard:

https://tools.ietf.org/html/draft-ietf-acme-acme-10

This is the new directory URL:

https://acme-staging-v02.api.letsencrypt.org/directory

I'm trying to understand what the technical differences are between the old implementation and the new.

I do know that only http and dns challenges will be supported at present.

Updated flow (in section 7.1):

                                  directory
                                      |
                                      +--> newNonce
                                      |
          +----------+----------+-----+-----+------------+
          |          |          |           |            |
          |          |          |           |            |
          V          V          V           V            V
     newAccount   newAuthz   newOrder   revokeCert   keyChange
          |          |          |
          |          |          |
          V          |          V
       account       |        order -----> finalize
                     |          |   -----> cert
                     |          |
                     |          V
                     +---> authorizations
                               | ^
                               | | "up"
                               V |
                             challenge

   +-----------------------+--------------------------+----------------+
   | Action                | Request                  | Response       |
   +-----------------------+--------------------------+----------------+
   | Get directory         | GET  directory           | 200            |
   |                       |                          |                |
   | Get nonce             | HEAD newNonce            | 200            |
   |                       |                          |                |
   | Create account        | POST newAccount          | 201 -> account |
   |                       |                          |                |
   | Submit order          | POST newOrder            | 201 -> order   |
   |                       |                          |                |
   | Fetch challenges      | GET  order               | 200            |
   |                       | authorizations           |                |
   |                       |                          |                |
   | Respond to challenges | POST challenge urls      | 200            |
   |                       |                          |                |
   | Finalize order        | POST order finalize      | 200            |
   |                       |                          |                |
   | Poll for status       | GET  order               | 200            |
   |                       |                          |                |
   | Download certificate  | GET  order cert          | 200            |
   +-----------------------+--------------------------+----------------+

The ACME v1 protocol library is here https://git.coolaj86.com/coolaj86/le-acme-core.js

I'm building out the ACME v2 library here https://git.coolaj86.com/coolaj86/acme-v2.js

Create Account

   POST /acme/new-account HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "jwk": {...},
       "nonce": "6S8IqOGY7eL2lsGoTZYifg",
       "url": "https://example.com/acme/new-account"
     }),
     "payload": base64url({
       "termsOfServiceAgreed": true,
       "contact": [
         "mailto:cert-admin@example.com",
         "mailto:admin@example.com"
       ]
     }),
     "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I"
   }

Create Authorization

   POST /acme/new-authz HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "uQpSjlRb4vQVCjVYAyyUWg",
       "url": "https://example.com/acme/new-authz"
     }),
     "payload": base64url({
       "identifier": {
         "type": "dns",
         "value": "example.net"
       }
     }),
     "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps"
   }

New Order 7.4. Applying for Certificate Issuance

   POST /acme/new-order HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "5XJ1L3lEkMG7tR6pA00clA",
       "url": "https://example.com/acme/new-order"
     }),
     "payload": base64url({
       "identifiers": [{"type:"dns","value":"example.com"}],
       "notBefore": "2016-01-01T00:00:00Z",
       "notAfter": "2016-01-08T00:00:00Z"
     }),
     "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g"
   }

Respond to Challenges 7.5.1. Responding to Challenges

   POST /acme/authz/1234/0 HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "Q_s3MWoqT05TrdkM2MTDcw",
       "url": "https://example.com/acme/authz/1234/0"
     }),
     "payload": base64url({}),
     "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ"
   }

HTTP-01 7.5.1. Responding to Challenges

//   keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))
//   GET /.well-known/acme-challenge/:token

//   Must return {{ keyAuthorization }} as text

Key Authorization:

  keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))

According to that document this is the latest draft of the standard: https://tools.ietf.org/html/draft-ietf-acme-acme-10 This is the new directory URL: https://acme-staging-v02.api.letsencrypt.org/directory I'm trying to understand what the technical differences are between the old implementation and the new. I do know that only http and dns challenges will be supported at present. Updated flow (in section 7.1): ``` directory | +--> newNonce | +----------+----------+-----+-----+------------+ | | | | | | | | | | V V V V V newAccount newAuthz newOrder revokeCert keyChange | | | | | | V | V account | order -----> finalize | | -----> cert | | | V +---> authorizations | ^ | | "up" V | challenge ``` ``` +-----------------------+--------------------------+----------------+ | Action | Request | Response | +-----------------------+--------------------------+----------------+ | Get directory | GET directory | 200 | | | | | | Get nonce | HEAD newNonce | 200 | | | | | | Create account | POST newAccount | 201 -> account | | | | | | Submit order | POST newOrder | 201 -> order | | | | | | Fetch challenges | GET order | 200 | | | authorizations | | | | | | | Respond to challenges | POST challenge urls | 200 | | | | | | Finalize order | POST order finalize | 200 | | | | | | Poll for status | GET order | 200 | | | | | | Download certificate | GET order cert | 200 | +-----------------------+--------------------------+----------------+ ``` The ACME v1 protocol library is here https://git.coolaj86.com/coolaj86/le-acme-core.js I'm building out the ACME v2 library here https://git.coolaj86.com/coolaj86/acme-v2.js **Create Account** ``` POST /acme/new-account HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "jwk": {...}, "nonce": "6S8IqOGY7eL2lsGoTZYifg", "url": "https://example.com/acme/new-account" }), "payload": base64url({ "termsOfServiceAgreed": true, "contact": [ "mailto:cert-admin@example.com", "mailto:admin@example.com" ] }), "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I" } ``` **Create Authorization** ``` POST /acme/new-authz HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "uQpSjlRb4vQVCjVYAyyUWg", "url": "https://example.com/acme/new-authz" }), "payload": base64url({ "identifier": { "type": "dns", "value": "example.net" } }), "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps" } ``` **New Order** 7.4. Applying for Certificate Issuance ``` POST /acme/new-order HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "5XJ1L3lEkMG7tR6pA00clA", "url": "https://example.com/acme/new-order" }), "payload": base64url({ "identifiers": [{"type:"dns","value":"example.com"}], "notBefore": "2016-01-01T00:00:00Z", "notAfter": "2016-01-08T00:00:00Z" }), "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g" } ``` **Respond to Challenges** 7.5.1. Responding to Challenges ``` POST /acme/authz/1234/0 HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "Q_s3MWoqT05TrdkM2MTDcw", "url": "https://example.com/acme/authz/1234/0" }), "payload": base64url({}), "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ" } ``` **HTTP-01** 7.5.1. Responding to Challenges ``` // keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) // GET /.well-known/acme-challenge/:token // Must return {{ keyAuthorization }} as text ``` **Key Authorization**: ``` keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) ```

coolaj86 commented 2018-03-20 07:26:36 +00:00

Owner

Copy Link

Good news, I've got a very simple hard-coded test working with the v2 API.

:)

The next step will be to match the previous API method names and parameters, if possible. I suspect that the abstract API will be backwards compatible.

https://git.coolaj86.com/coolaj86/acme-v2.js

Good news, I've got a very simple hard-coded test working with the v2 API. :) The next step will be to match the previous API method names and parameters, if possible. I suspect that the abstract API will be backwards compatible. https://git.coolaj86.com/coolaj86/acme-v2.js

coolaj86 commented 2018-04-16 01:30:40 +00:00

Owner

Copy Link

Great news! Let's Encrypt v2 (ACME draft 11) support has landed and is published on npm!

v2.2.0

It works for me both forwards and backwards compatible. Please try it out and let me know that it works for you.

Great news! Let's Encrypt v2 (ACME draft 11) support has landed and is published on npm! v2.2.0 It works for me both forwards and backwards compatible. Please try it out and let me know that it works for you.

coolaj86 changed title from ACME v2 to Sticky: ACME v2 (now available) 2018-04-16 20:31:57 +00:00

coolaj86 closed this issue 2018-05-18 08:18:07 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

github

next

v4

npm

v3

wip

dns-challenge-regression-fix

v2.4

v2.5

v2.3

v2

v2.2

acmev2

v2.1

greenlock

v1

node-letsencrypt-python

v4.0.5

v4.0.4

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.5

v3.1.4

v3.1.3

v3.0.25

v3.0.24

v3.0.23

v3.0.21

v3.0.20

v3.0.19

v3.0.18

v3.0.17

v3.0.16

v3.0.15

v3.0.12

v3.0.11

v3.0.10

v3.0.9

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.23

v2.7.22

v2.7.21

v2.7.20

v2.7.19

v2.7.18

v2.7.17

v2.7.16

v2.7.15

v2.7.14

v2.7.13

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.10

v2.6.9

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.10

v2.4.9

v2.4.8

v2.4.7

v2.4.2

v2.4.1

v2.4.0

v2.3.13

v2.3.12

v2.3.11

v2.3.10

v2.3.9

v2.3.8

v2.3.7

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.20

v2.2.19

v2.2.18

v2.2.17

v2.2.16

v2.2.15

v2.2.14

v2.2.13

v2.2.12

v2.2.11

v2.2.10

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.0

v2.1.19

v2.1.18

v2.1.17

v2.1.16

v2.1.15

v2.1.14

v2.1.13

v2.1.12

v2.1.11

v2.1.10

v2.1.9

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v1.5.8

v2.0.5

v2.0.4

v1.5.7

v1.5.6

v1.5.5

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.0

v1.0.2

v1.0.0

v1.0.1

Labels

Clear labels

No items

No Label

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: coolaj86/greenlock.js-ARCHIVED#5

No description provided.