Sticky: ACME v2 (now available) #5

Новая задача

Закрыто

открыт 2018-03-14 09:25:51 +00:00 пользователем Ghost · комментариев: 4

Ghost прокомментировал(а) 2018-03-14 09:25:51 +00:00

Копировать ссылку

Hello,

does greenlock support ACME v2. The last update is already a few month ago, so I assume it does not.

Any Plans to support it?

https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

Greetings Nils

Hello, does greenlock support ACME v2. The last update is already a few month ago, so I assume it does not. Any Plans to support it? https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578 Greetings Nils

coolaj86 прокомментировал(а) 2018-03-15 02:56:12 +00:00

Владелец

Копировать ссылку

Landed in v2.2.4

git clone https://git.coolaj86.com/coolaj86/greenlock.js.git

or

npm install greenlock@latest

Not yet. I'm looking into it and I would love help.

Landed in v2.2.4 ================ ```bash git clone https://git.coolaj86.com/coolaj86/greenlock.js.git ``` or ```bash npm install greenlock@latest ``` ~~Not yet. I'm looking into it and I would love help.~~

coolaj86 прокомментировал(а) 2018-03-15 03:28:57 +00:00

Владелец

Копировать ссылку

According to that document this is the latest draft of the standard:

https://tools.ietf.org/html/draft-ietf-acme-acme-10

This is the new directory URL:

https://acme-staging-v02.api.letsencrypt.org/directory

I'm trying to understand what the technical differences are between the old implementation and the new.

I do know that only http and dns challenges will be supported at present.

Updated flow (in section 7.1):

                                  directory
                                      |
                                      +--> newNonce
                                      |
          +----------+----------+-----+-----+------------+
          |          |          |           |            |
          |          |          |           |            |
          V          V          V           V            V
     newAccount   newAuthz   newOrder   revokeCert   keyChange
          |          |          |
          |          |          |
          V          |          V
       account       |        order -----> finalize
                     |          |   -----> cert
                     |          |
                     |          V
                     +---> authorizations
                               | ^
                               | | "up"
                               V |
                             challenge

   +-----------------------+--------------------------+----------------+
   | Action                | Request                  | Response       |
   +-----------------------+--------------------------+----------------+
   | Get directory         | GET  directory           | 200            |
   |                       |                          |                |
   | Get nonce             | HEAD newNonce            | 200            |
   |                       |                          |                |
   | Create account        | POST newAccount          | 201 -> account |
   |                       |                          |                |
   | Submit order          | POST newOrder            | 201 -> order   |
   |                       |                          |                |
   | Fetch challenges      | GET  order               | 200            |
   |                       | authorizations           |                |
   |                       |                          |                |
   | Respond to challenges | POST challenge urls      | 200            |
   |                       |                          |                |
   | Finalize order        | POST order finalize      | 200            |
   |                       |                          |                |
   | Poll for status       | GET  order               | 200            |
   |                       |                          |                |
   | Download certificate  | GET  order cert          | 200            |
   +-----------------------+--------------------------+----------------+

The ACME v1 protocol library is here https://git.coolaj86.com/coolaj86/le-acme-core.js

I'm building out the ACME v2 library here https://git.coolaj86.com/coolaj86/acme-v2.js

Create Account

   POST /acme/new-account HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "jwk": {...},
       "nonce": "6S8IqOGY7eL2lsGoTZYifg",
       "url": "https://example.com/acme/new-account"
     }),
     "payload": base64url({
       "termsOfServiceAgreed": true,
       "contact": [
         "mailto:cert-admin@example.com",
         "mailto:admin@example.com"
       ]
     }),
     "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I"
   }

Create Authorization

   POST /acme/new-authz HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "uQpSjlRb4vQVCjVYAyyUWg",
       "url": "https://example.com/acme/new-authz"
     }),
     "payload": base64url({
       "identifier": {
         "type": "dns",
         "value": "example.net"
       }
     }),
     "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps"
   }

New Order 7.4. Applying for Certificate Issuance

   POST /acme/new-order HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "5XJ1L3lEkMG7tR6pA00clA",
       "url": "https://example.com/acme/new-order"
     }),
     "payload": base64url({
       "identifiers": [{"type:"dns","value":"example.com"}],
       "notBefore": "2016-01-01T00:00:00Z",
       "notAfter": "2016-01-08T00:00:00Z"
     }),
     "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g"
   }

Respond to Challenges 7.5.1. Responding to Challenges

   POST /acme/authz/1234/0 HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "Q_s3MWoqT05TrdkM2MTDcw",
       "url": "https://example.com/acme/authz/1234/0"
     }),
     "payload": base64url({}),
     "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ"
   }

HTTP-01 7.5.1. Responding to Challenges

//   keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))
//   GET /.well-known/acme-challenge/:token

//   Must return {{ keyAuthorization }} as text

Key Authorization:

  keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))

According to that document this is the latest draft of the standard: https://tools.ietf.org/html/draft-ietf-acme-acme-10 This is the new directory URL: https://acme-staging-v02.api.letsencrypt.org/directory I'm trying to understand what the technical differences are between the old implementation and the new. I do know that only http and dns challenges will be supported at present. Updated flow (in section 7.1): ``` directory | +--> newNonce | +----------+----------+-----+-----+------------+ | | | | | | | | | | V V V V V newAccount newAuthz newOrder revokeCert keyChange | | | | | | V | V account | order -----> finalize | | -----> cert | | | V +---> authorizations | ^ | | "up" V | challenge ``` ``` +-----------------------+--------------------------+----------------+ | Action | Request | Response | +-----------------------+--------------------------+----------------+ | Get directory | GET directory | 200 | | | | | | Get nonce | HEAD newNonce | 200 | | | | | | Create account | POST newAccount | 201 -> account | | | | | | Submit order | POST newOrder | 201 -> order | | | | | | Fetch challenges | GET order | 200 | | | authorizations | | | | | | | Respond to challenges | POST challenge urls | 200 | | | | | | Finalize order | POST order finalize | 200 | | | | | | Poll for status | GET order | 200 | | | | | | Download certificate | GET order cert | 200 | +-----------------------+--------------------------+----------------+ ``` The ACME v1 protocol library is here https://git.coolaj86.com/coolaj86/le-acme-core.js I'm building out the ACME v2 library here https://git.coolaj86.com/coolaj86/acme-v2.js **Create Account** ``` POST /acme/new-account HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "jwk": {...}, "nonce": "6S8IqOGY7eL2lsGoTZYifg", "url": "https://example.com/acme/new-account" }), "payload": base64url({ "termsOfServiceAgreed": true, "contact": [ "mailto:cert-admin@example.com", "mailto:admin@example.com" ] }), "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I" } ``` **Create Authorization** ``` POST /acme/new-authz HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "uQpSjlRb4vQVCjVYAyyUWg", "url": "https://example.com/acme/new-authz" }), "payload": base64url({ "identifier": { "type": "dns", "value": "example.net" } }), "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps" } ``` **New Order** 7.4. Applying for Certificate Issuance ``` POST /acme/new-order HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "5XJ1L3lEkMG7tR6pA00clA", "url": "https://example.com/acme/new-order" }), "payload": base64url({ "identifiers": [{"type:"dns","value":"example.com"}], "notBefore": "2016-01-01T00:00:00Z", "notAfter": "2016-01-08T00:00:00Z" }), "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g" } ``` **Respond to Challenges** 7.5.1. Responding to Challenges ``` POST /acme/authz/1234/0 HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "Q_s3MWoqT05TrdkM2MTDcw", "url": "https://example.com/acme/authz/1234/0" }), "payload": base64url({}), "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ" } ``` **HTTP-01** 7.5.1. Responding to Challenges ``` // keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) // GET /.well-known/acme-challenge/:token // Must return {{ keyAuthorization }} as text ``` **Key Authorization**: ``` keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) ```

coolaj86 прокомментировал(а) 2018-03-20 07:26:36 +00:00

Владелец

Копировать ссылку

Good news, I've got a very simple hard-coded test working with the v2 API.

:)

The next step will be to match the previous API method names and parameters, if possible. I suspect that the abstract API will be backwards compatible.

https://git.coolaj86.com/coolaj86/acme-v2.js

Good news, I've got a very simple hard-coded test working with the v2 API. :) The next step will be to match the previous API method names and parameters, if possible. I suspect that the abstract API will be backwards compatible. https://git.coolaj86.com/coolaj86/acme-v2.js

coolaj86 прокомментировал(а) 2018-04-16 01:30:40 +00:00

Владелец

Копировать ссылку

Great news! Let's Encrypt v2 (ACME draft 11) support has landed and is published on npm!

v2.2.0

It works for me both forwards and backwards compatible. Please try it out and let me know that it works for you.

Great news! Let's Encrypt v2 (ACME draft 11) support has landed and is published on npm! v2.2.0 It works for me both forwards and backwards compatible. Please try it out and let me know that it works for you.

coolaj86 изменил(а) заголовок с ACME v2 на Sticky: ACME v2 (now available) 2018-04-16 20:31:57 +00:00

coolaj86 закрыл(а) эту задачу 2018-05-18 08:18:07 +00:00

Войдите, чтобы присоединиться к обсуждению.

Не указана ветка или тэг

Ветки Теги

master

github

next

v4

npm

v3

wip

dns-challenge-regression-fix

v2.4

v2.5

v2.3

v2

v2.2

acmev2

v2.1

greenlock

v1

node-letsencrypt-python

v4.0.5

v4.0.4

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.5

v3.1.4

v3.1.3

v3.0.25

v3.0.24

v3.0.23

v3.0.21

v3.0.20

v3.0.19

v3.0.18

v3.0.17

v3.0.16

v3.0.15

v3.0.12

v3.0.11

v3.0.10

v3.0.9

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.23

v2.7.22

v2.7.21

v2.7.20

v2.7.19

v2.7.18

v2.7.17

v2.7.16

v2.7.15

v2.7.14

v2.7.13

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.10

v2.6.9

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.10

v2.4.9

v2.4.8

v2.4.7

v2.4.2

v2.4.1

v2.4.0

v2.3.13

v2.3.12

v2.3.11

v2.3.10

v2.3.9

v2.3.8

v2.3.7

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.20

v2.2.19

v2.2.18

v2.2.17

v2.2.16

v2.2.15

v2.2.14

v2.2.13

v2.2.12

v2.2.11

v2.2.10

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.0

v2.1.19

v2.1.18

v2.1.17

v2.1.16

v2.1.15

v2.1.14

v2.1.13

v2.1.12

v2.1.11

v2.1.10

v2.1.9

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v1.5.8

v2.0.5

v2.0.4

v1.5.7

v1.5.6

v1.5.5

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.0

v1.0.2

v1.0.0

v1.0.1

Метки

Нет элементов

Нет меток

Этап

Нет элементов

Нет этапа

Назначенные

Убрать ответственных

jshaver coolaj86

Нет назначенных лиц

2 участников

Уведомления

Подписаться

Срок выполнения

Срок выполнения не установлен.

Зависимости

Зависимостей нет.

Ссылка: coolaj86/greenlock.js-ARCHIVED#5

Описание отсутствует.