coolaj86
/
greenlock.js-ARCHIVED
3
3
Fork 0
Code Issues 6 Pull Requests 1 Releases Activity

Sticky: ACME v2 (now available) #5

New Issue
Closed
opened 2018-03-14 09:25:51 +00:00 by Ghost · 4 comments
Ghost commented 2018-03-14 09:25:51 +00:00
Copy Link

Hello,

does greenlock support ACME v2. The last update is already a few month ago, so I assume it does not.

Any Plans to support it?

https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

Greetings Nils

Hello, does greenlock support ACME v2. The last update is already a few month ago, so I assume it does not. Any Plans to support it? https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578 Greetings Nils
coolaj86 commented 2018-03-15 02:56:12 +00:00
Owner
Copy Link

Landed in v2.2.4

git clone https://git.coolaj86.com/coolaj86/greenlock.js.git

or

npm install greenlock@latest

Not yet. I'm looking into it and I would love help.

Landed in v2.2.4 ================ ```bash git clone https://git.coolaj86.com/coolaj86/greenlock.js.git ``` or ```bash npm install greenlock@latest ``` ~~Not yet. I'm looking into it and I would love help.~~
coolaj86 commented 2018-03-15 03:28:57 +00:00
Owner
Copy Link

According to that document this is the latest draft of the standard:

https://tools.ietf.org/html/draft-ietf-acme-acme-10

This is the new directory URL:

https://acme-staging-v02.api.letsencrypt.org/directory

I'm trying to understand what the technical differences are between the old implementation and the new.

I do know that only http and dns challenges will be supported at present.

Updated flow (in section 7.1):

                                  directory
                                      |
                                      +--> newNonce
                                      |
          +----------+----------+-----+-----+------------+
          |          |          |           |            |
          |          |          |           |            |
          V          V          V           V            V
     newAccount   newAuthz   newOrder   revokeCert   keyChange
          |          |          |
          |          |          |
          V          |          V
       account       |        order -----> finalize
                     |          |   -----> cert
                     |          |
                     |          V
                     +---> authorizations
                               | ^
                               | | "up"
                               V |
                             challenge

   +-----------------------+--------------------------+----------------+
   | Action                | Request                  | Response       |
   +-----------------------+--------------------------+----------------+
   | Get directory         | GET  directory           | 200            |
   |                       |                          |                |
   | Get nonce             | HEAD newNonce            | 200            |
   |                       |                          |                |
   | Create account        | POST newAccount          | 201 -> account |
   |                       |                          |                |
   | Submit order          | POST newOrder            | 201 -> order   |
   |                       |                          |                |
   | Fetch challenges      | GET  order               | 200            |
   |                       | authorizations           |                |
   |                       |                          |                |
   | Respond to challenges | POST challenge urls      | 200            |
   |                       |                          |                |
   | Finalize order        | POST order finalize      | 200            |
   |                       |                          |                |
   | Poll for status       | GET  order               | 200            |
   |                       |                          |                |
   | Download certificate  | GET  order cert          | 200            |
   +-----------------------+--------------------------+----------------+

The ACME v1 protocol library is here https://git.coolaj86.com/coolaj86/le-acme-core.js

I'm building out the ACME v2 library here https://git.coolaj86.com/coolaj86/acme-v2.js

Create Account

   POST /acme/new-account HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "jwk": {...},
       "nonce": "6S8IqOGY7eL2lsGoTZYifg",
       "url": "https://example.com/acme/new-account"
     }),
     "payload": base64url({
       "termsOfServiceAgreed": true,
       "contact": [
         "mailto:cert-admin@example.com",
         "mailto:admin@example.com"
       ]
     }),
     "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I"
   }

Create Authorization

   POST /acme/new-authz HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "uQpSjlRb4vQVCjVYAyyUWg",
       "url": "https://example.com/acme/new-authz"
     }),
     "payload": base64url({
       "identifier": {
         "type": "dns",
         "value": "example.net"
       }
     }),
     "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps"
   }

New Order 7.4. Applying for Certificate Issuance

   POST /acme/new-order HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "5XJ1L3lEkMG7tR6pA00clA",
       "url": "https://example.com/acme/new-order"
     }),
     "payload": base64url({
       "identifiers": [{"type:"dns","value":"example.com"}],
       "notBefore": "2016-01-01T00:00:00Z",
       "notAfter": "2016-01-08T00:00:00Z"
     }),
     "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g"
   }

Respond to Challenges 7.5.1. Responding to Challenges

   POST /acme/authz/1234/0 HTTP/1.1
   Host: example.com
   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "Q_s3MWoqT05TrdkM2MTDcw",
       "url": "https://example.com/acme/authz/1234/0"
     }),
     "payload": base64url({}),
     "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ"
   }

HTTP-01 7.5.1. Responding to Challenges

//   keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))
//   GET /.well-known/acme-challenge/:token

//   Must return {{ keyAuthorization }} as text

Key Authorization:

  keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))
According to that document this is the latest draft of the standard: https://tools.ietf.org/html/draft-ietf-acme-acme-10 This is the new directory URL: https://acme-staging-v02.api.letsencrypt.org/directory I'm trying to understand what the technical differences are between the old implementation and the new. I do know that only http and dns challenges will be supported at present. Updated flow (in section 7.1): ``` directory | +--> newNonce | +----------+----------+-----+-----+------------+ | | | | | | | | | | V V V V V newAccount newAuthz newOrder revokeCert keyChange | | | | | | V | V account | order -----> finalize | | -----> cert | | | V +---> authorizations | ^ | | "up" V | challenge ``` ``` +-----------------------+--------------------------+----------------+ | Action | Request | Response | +-----------------------+--------------------------+----------------+ | Get directory | GET directory | 200 | | | | | | Get nonce | HEAD newNonce | 200 | | | | | | Create account | POST newAccount | 201 -> account | | | | | | Submit order | POST newOrder | 201 -> order | | | | | | Fetch challenges | GET order | 200 | | | authorizations | | | | | | | Respond to challenges | POST challenge urls | 200 | | | | | | Finalize order | POST order finalize | 200 | | | | | | Poll for status | GET order | 200 | | | | | | Download certificate | GET order cert | 200 | +-----------------------+--------------------------+----------------+ ``` The ACME v1 protocol library is here https://git.coolaj86.com/coolaj86/le-acme-core.js I'm building out the ACME v2 library here https://git.coolaj86.com/coolaj86/acme-v2.js **Create Account** ``` POST /acme/new-account HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "jwk": {...}, "nonce": "6S8IqOGY7eL2lsGoTZYifg", "url": "https://example.com/acme/new-account" }), "payload": base64url({ "termsOfServiceAgreed": true, "contact": [ "mailto:cert-admin@example.com", "mailto:admin@example.com" ] }), "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I" } ``` **Create Authorization** ``` POST /acme/new-authz HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "uQpSjlRb4vQVCjVYAyyUWg", "url": "https://example.com/acme/new-authz" }), "payload": base64url({ "identifier": { "type": "dns", "value": "example.net" } }), "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps" } ``` **New Order** 7.4. Applying for Certificate Issuance ``` POST /acme/new-order HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "5XJ1L3lEkMG7tR6pA00clA", "url": "https://example.com/acme/new-order" }), "payload": base64url({ "identifiers": [{"type:"dns","value":"example.com"}], "notBefore": "2016-01-01T00:00:00Z", "notAfter": "2016-01-08T00:00:00Z" }), "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g" } ``` **Respond to Challenges** 7.5.1. Responding to Challenges ``` POST /acme/authz/1234/0 HTTP/1.1 Host: example.com Content-Type: application/jose+json { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "Q_s3MWoqT05TrdkM2MTDcw", "url": "https://example.com/acme/authz/1234/0" }), "payload": base64url({}), "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ" } ``` **HTTP-01** 7.5.1. Responding to Challenges ``` // keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) // GET /.well-known/acme-challenge/:token // Must return {{ keyAuthorization }} as text ``` **Key Authorization**: ``` keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) ```
coolaj86 commented 2018-03-20 07:26:36 +00:00
Owner
Copy Link

Good news, I've got a very simple hard-coded test working with the v2 API.

:)

The next step will be to match the previous API method names and parameters, if possible. I suspect that the abstract API will be backwards compatible.

https://git.coolaj86.com/coolaj86/acme-v2.js

Good news, I've got a very simple hard-coded test working with the v2 API. :) The next step will be to match the previous API method names and parameters, if possible. I suspect that the abstract API will be backwards compatible. https://git.coolaj86.com/coolaj86/acme-v2.js
coolaj86 commented 2018-04-16 01:30:40 +00:00
Owner
Copy Link

Great news! Let's Encrypt v2 (ACME draft 11) support has landed and is published on npm!

v2.2.0

It works for me both forwards and backwards compatible. Please try it out and let me know that it works for you.

Great news! Let's Encrypt v2 (ACME draft 11) support has landed and is published on npm! v2.2.0 It works for me both forwards and backwards compatible. Please try it out and let me know that it works for you.
coolaj86 changed title from ACME v2 to Sticky: ACME v2 (now available) 2018-04-16 20:31:57 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
github
next
v4
npm
v3
wip
dns-challenge-regression-fix
v2.4
v2.5
v2.3
v2
v2.2
acmev2
v2.1
greenlock
v1
node-letsencrypt-python
v4.0.5
v4.0.4
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.1.5
v3.1.4
v3.1.3
v3.0.25
v3.0.24
v3.0.23
v3.0.21
v3.0.20
v3.0.19
v3.0.18
v3.0.17
v3.0.16
v3.0.15
v3.0.12
v3.0.11
v3.0.10
v3.0.9
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v2.8.8
v2.8.7
v2.8.6
v2.8.5
v2.8.4
v2.8.3
v2.8.2
v2.8.1
v2.8.0
v2.7.23
v2.7.22
v2.7.21
v2.7.20
v2.7.19
v2.7.18
v2.7.17
v2.7.16
v2.7.15
v2.7.14
v2.7.13
v2.7.12
v2.7.11
v2.7.10
v2.7.9
v2.7.8
v2.7.7
v2.7.6
v2.7.5
v2.7.4
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.10
v2.6.9
v2.6.8
v2.6.7
v2.6.6
v2.6.5
v2.6.4
v2.6.3
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.10
v2.4.9
v2.4.8
v2.4.7
v2.4.2
v2.4.1
v2.4.0
v2.3.13
v2.3.12
v2.3.11
v2.3.10
v2.3.9
v2.3.8
v2.3.7
v2.3.6
v2.3.5
v2.3.4
v2.3.3
v2.3.2
v2.3.1
v2.3.0
v2.2.20
v2.2.19
v2.2.18
v2.2.17
v2.2.16
v2.2.15
v2.2.14
v2.2.13
v2.2.12
v2.2.11
v2.2.10
v2.2.8
v2.2.7
v2.2.6
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.0
v2.1.19
v2.1.18
v2.1.17
v2.1.16
v2.1.15
v2.1.14
v2.1.13
v2.1.12
v2.1.11
v2.1.10
v2.1.9
v2.1.7
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v1.5.8
v2.0.5
v2.0.4
v1.5.7
v1.5.6
v1.5.5
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v1.0.2
v1.0.0
v1.0.1
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: coolaj86/greenlock.js-ARCHIVED#5
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?