coolaj86
/
greenlock.js-ARCHIVED
3
3
Förgrening 0
Kod Ärenden 6 Pull-förfrågningar 1 Släpp Aktiviteter

Sticky: ACME v2 (now available) #5

Nytt Ärende
Stängd
opened 2018-03-14 09:25:51 +00:00 by Ghost · 4 kommentarer
Ghost kommenterad 2018-03-14 09:25:51 +00:00
Kopiera länk

Hello,

does greenlock support ACME v2. The last update is already a few month ago, so I assume it does not.

Any Plans to support it?

https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

Greetings Nils

Hello, does greenlock support ACME v2. The last update is already a few month ago, so I assume it does not. Any Plans to support it? https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578 Greetings Nils
coolaj86 kommenterad 2018-03-15 02:56:12 +00:00
Ägare
Kopiera länk

Landed in v2.2.4

git clone https://git.coolaj86.com/coolaj86/greenlock.js.git

or

npm install greenlock@latest

Not yet. I'm looking into it and I would love help.

Landed in v2.2.4 ================ ```bash git clone https://git.coolaj86.com/coolaj86/greenlock.js.git ``` or ```bash npm install greenlock@latest ``` ~~Not yet. I'm looking into it and I would love help.~~
coolaj86 kommenterad 2018-03-15 03:28:57 +00:00
Ägare
Kopiera länk

According to that document this is the latest draft of the standard:

https://tools.ietf.org/html/draft-ietf-acme-acme-10

This is the new directory URL:

https://acme-staging-v02.api.letsencrypt.org/directory

I'm trying to understand what the technical differences are between the old implementation and the new.

I do know that only http and dns challenges will be supported at present.

Updated flow (in section 7.1):

                                  directory
                                      |
                                      +--> newNonce
                                      |
          +----------+----------+-----+-----+------------+
          |          |          |           |            |
          |          |          |           |            |
          V          V          V           V            V
     newAccount   newAuthz   newOrder   revokeCert   keyChange
          |          |          |
          |          |          |
          V          |          V
       account       |        order -----> finalize
                     |          |   -----> cert
                     |          |
                     |          V
                     +---> authorizations
                               | ^
                               | | "up"
                               V |
                             challenge

   +-----------------------+--------------------------+----------------+
   | Action                | Request                  | Response       |
   +-----------------------+--------------------------+----------------+
   | Get directory         | GET  directory           | 200            |
   |                       |                          |                |
   | Get nonce             | HEAD newNonce            | 200            |
   |                       |                          |                |
   | Create account        | POST newAccount          | 201 -> account |
   |                       |                          |                |
   | Submit order          | POST newOrder            | 201 -> order   |
   |                       |                          |                |
   | Fetch challenges      | GET  order               | 200            |
   |                       | authorizations           |                |
   |                       |                          |                |
   | Respond to challenges | POST challenge urls      | 200            |
   |                       |                          |                |
   | Finalize order        | POST order finalize      | 200            |
   |                       |                          |                |
   | Poll for status       | GET  order               | 200            |
   |                       |                          |                |
   | Download certificate  | GET  order cert          | 200            |
   +-----------------------+--------------------------+----------------+

The ACME v1 protocol library is here https://git.coolaj86.com/coolaj86/le-acme-core.js

I'm building out the ACME v2 library here https://git.coolaj86.com/coolaj86/acme-v2.js

Create Account

   POST /acme/new-account HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "jwk": {...},
       "nonce": "6S8IqOGY7eL2lsGoTZYifg",
       "url": "https://example.com/acme/new-account"
     }),
     "payload": base64url({
       "termsOfServiceAgreed": true,
       "contact": [
         "mailto:cert-admin@example.com",
         "mailto:admin@example.com"
       ]
     }),
     "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I"
   }

Create Authorization

   POST /acme/new-authz HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "uQpSjlRb4vQVCjVYAyyUWg",
       "url": "https://example.com/acme/new-authz"
     }),
     "payload": base64url({
       "identifier": {
         "type": "dns",
         "value": "example.net"
       }
     }),
     "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps"
   }

New Order 7.4. Applying for Certificate Issuance

   POST /acme/new-order HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "5XJ1L3lEkMG7tR6pA00clA",
       "url": "https://example.com/acme/new-order"
     }),
     "payload": base64url({
       "identifiers": [{"type:"dns","value":"example.com"}],
       "notBefore": "2016-01-01T00:00:00Z",
       "notAfter": "2016-01-08T00:00:00Z"
     }),
     "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g"
   }

Respond to Challenges 7.5.1. Responding to Challenges

   POST /acme/authz/1234/0 HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "Q_s3MWoqT05TrdkM2MTDcw",
       "url": "https://example.com/acme/authz/1234/0"
     }),
     "payload": base64url({}),
     "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ"
   }

HTTP-01 7.5.1. Responding to Challenges

//   keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))
//   GET /.well-known/acme-challenge/:token

//   Must return {{ keyAuthorization }} as text

Key Authorization:

  keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))
According to that document this is the latest draft of the standard: https://tools.ietf.org/html/draft-ietf-acme-acme-10 This is the new directory URL: https://acme-staging-v02.api.letsencrypt.org/directory I'm trying to understand what the technical differences are between the old implementation and the new. I do know that only http and dns challenges will be supported at present. Updated flow (in section 7.1): ``` directory | +--> newNonce | +----------+----------+-----+-----+------------+ | | | | | | | | | | V V V V V newAccount newAuthz newOrder revokeCert keyChange | | | | | | V | V account | order -----> finalize | | -----> cert | | | V +---> authorizations | ^ | | "up" V | challenge ``` ``` +-----------------------+--------------------------+----------------+ | Action | Request | Response | +-----------------------+--------------------------+----------------+ | Get directory | GET directory | 200 | | | | | | Get nonce | HEAD newNonce | 200 | | | | | | Create account | POST newAccount | 201 -> account | | | | | | Submit order | POST newOrder | 201 -> order | | | | | | Fetch challenges | GET order | 200 | | | authorizations | | | | | | | Respond to challenges | POST challenge urls | 200 | | | | | | Finalize order | POST order finalize | 200 | | | | | | Poll for status | GET order | 200 | | | | | | Download certificate | GET order cert | 200 | +-----------------------+--------------------------+----------------+ ``` The ACME v1 protocol library is here https://git.coolaj86.com/coolaj86/le-acme-core.js I'm building out the ACME v2 library here https://git.coolaj86.com/coolaj86/acme-v2.js **Create Account** ``` POST /acme/new-account HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "jwk": {...}, "nonce": "6S8IqOGY7eL2lsGoTZYifg", "url": "https://example.com/acme/new-account" }), "payload": base64url({ "termsOfServiceAgreed": true, "contact": [ "mailto:cert-admin@example.com", "mailto:admin@example.com" ] }), "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I" } ``` **Create Authorization** ``` POST /acme/new-authz HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "uQpSjlRb4vQVCjVYAyyUWg", "url": "https://example.com/acme/new-authz" }), "payload": base64url({ "identifier": { "type": "dns", "value": "example.net" } }), "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps" } ``` **New Order** 7.4. Applying for Certificate Issuance ``` POST /acme/new-order HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "5XJ1L3lEkMG7tR6pA00clA", "url": "https://example.com/acme/new-order" }), "payload": base64url({ "identifiers": [{"type:"dns","value":"example.com"}], "notBefore": "2016-01-01T00:00:00Z", "notAfter": "2016-01-08T00:00:00Z" }), "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g" } ``` **Respond to Challenges** 7.5.1. Responding to Challenges ``` POST /acme/authz/1234/0 HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "Q_s3MWoqT05TrdkM2MTDcw", "url": "https://example.com/acme/authz/1234/0" }), "payload": base64url({}), "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ" } ``` **HTTP-01** 7.5.1. Responding to Challenges ``` // keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) // GET /.well-known/acme-challenge/:token // Must return {{ keyAuthorization }} as text ``` **Key Authorization**: ``` keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) ```
coolaj86 kommenterad 2018-03-20 07:26:36 +00:00
Ägare
Kopiera länk

Good news, I've got a very simple hard-coded test working with the v2 API.

:)

The next step will be to match the previous API method names and parameters, if possible. I suspect that the abstract API will be backwards compatible.

https://git.coolaj86.com/coolaj86/acme-v2.js

Good news, I've got a very simple hard-coded test working with the v2 API. :) The next step will be to match the previous API method names and parameters, if possible. I suspect that the abstract API will be backwards compatible. https://git.coolaj86.com/coolaj86/acme-v2.js
coolaj86 kommenterad 2018-04-16 01:30:40 +00:00
Ägare
Kopiera länk

Great news! Let's Encrypt v2 (ACME draft 11) support has landed and is published on npm!

v2.2.0

It works for me both forwards and backwards compatible. Please try it out and let me know that it works for you.

Great news! Let's Encrypt v2 (ACME draft 11) support has landed and is published on npm! v2.2.0 It works for me both forwards and backwards compatible. Please try it out and let me know that it works for you.
coolaj86 ändrade titeln från ACME v2 till Sticky: ACME v2 (now available) 2018-04-16 20:31:57 +00:00
Logga in för att delta i denna konversation.
Ingen Branch/Tag specificerad
Grenar Taggar
master
github
next
v4
npm
v3
wip
dns-challenge-regression-fix
v2.4
v2.5
v2.3
v2
v2.2
acmev2
v2.1
greenlock
v1
node-letsencrypt-python
v4.0.5
v4.0.4
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.1.5
v3.1.4
v3.1.3
v3.0.25
v3.0.24
v3.0.23
v3.0.21
v3.0.20
v3.0.19
v3.0.18
v3.0.17
v3.0.16
v3.0.15
v3.0.12
v3.0.11
v3.0.10
v3.0.9
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v2.8.8
v2.8.7
v2.8.6
v2.8.5
v2.8.4
v2.8.3
v2.8.2
v2.8.1
v2.8.0
v2.7.23
v2.7.22
v2.7.21
v2.7.20
v2.7.19
v2.7.18
v2.7.17
v2.7.16
v2.7.15
v2.7.14
v2.7.13
v2.7.12
v2.7.11
v2.7.10
v2.7.9
v2.7.8
v2.7.7
v2.7.6
v2.7.5
v2.7.4
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.10
v2.6.9
v2.6.8
v2.6.7
v2.6.6
v2.6.5
v2.6.4
v2.6.3
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.10
v2.4.9
v2.4.8
v2.4.7
v2.4.2
v2.4.1
v2.4.0
v2.3.13
v2.3.12
v2.3.11
v2.3.10
v2.3.9
v2.3.8
v2.3.7
v2.3.6
v2.3.5
v2.3.4
v2.3.3
v2.3.2
v2.3.1
v2.3.0
v2.2.20
v2.2.19
v2.2.18
v2.2.17
v2.2.16
v2.2.15
v2.2.14
v2.2.13
v2.2.12
v2.2.11
v2.2.10
v2.2.8
v2.2.7
v2.2.6
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.0
v2.1.19
v2.1.18
v2.1.17
v2.1.16
v2.1.15
v2.1.14
v2.1.13
v2.1.12
v2.1.11
v2.1.10
v2.1.9
v2.1.7
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v1.5.8
v2.0.5
v2.0.4
v1.5.7
v1.5.6
v1.5.5
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v1.0.2
v1.0.0
v1.0.1
Etiketter
Rensa etiketter
Inga objekt
Ingen Etikett
Milsten
Rensa milstenar
Inga objekt
Ingen Milsten
Tilldelade
Rensa tilldelade
Ingen tilldelad
2 Deltagare
Notiser
Förfallodatum
Förfallodatumet är ogiltigt eller utanför gränserna. Använd formatet 'åååå-mm-dd'.

Inget förfallodatum satt.

Beroenden

No dependencies set.

Reference: coolaj86/greenlock.js-ARCHIVED#5
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?