Commit 5a53c425 authored by Adrien Dorsaz's avatar Adrien Dorsaz

Use of ACMEDirectory instead of CAUrl part 1/3

This commit updates the configuration constraints to use ACMEDirectory instead of CAUrl.
The next part will actually use this new configuration to make requests to the ACME server.
parent 85355c11
......@@ -38,7 +38,7 @@ def get_crt(config, log=LOGGER):
def _send_signed_request(url, payload):
payload64 = _b64(json.dumps(payload).encode("utf8"))
protected = copy.deepcopy(header)
protected["nonce"] = urlopen(config["acmednstiny"]["CAUrl"] + "/directory").headers["Replay-Nonce"]
protected["nonce"] = urlopen(config["acmednstiny"]["ACMEDirectory"]).headers["Replay-Nonce"]
protected64 = _b64(json.dumps(protected).encode("utf8"))
signature = _openssl("dgst", ["-sha256", "-sign", config["acmednstiny"]["AccountKeyFile"]],
"{0}.{1}".format(protected64, payload64).encode("utf8"))
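Review bot: The response returned by `urlopen(config["acmednstiny"]["ACMEDirectory"])` on the added line is never closed; only its `Replay-Nonce` header is read and the connection is left to the garbage collector. Use a context manager instead: `with urlopen(config["acmednstiny"]["ACMEDirectory"]) as resp:` followed by `protected["nonce"] = resp.headers["Replay-Nonce"]`. A directory endpoint that does not return that header currently surfaces as a bare KeyError, so reading it with `resp.headers.get("Replay-Nonce")` and raising an error that names the configured URL would make a misconfigured directory easier to diagnose. The same unclosed `urlopen(ACMEDirectory)` appears in the `delete_account` helper of the test hunk below. `_send_signed_request` continues outside this hunk, and `header` is referenced from outside it.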
......@@ -240,12 +240,12 @@ def main(argv):
args = parser.parse_args(argv)
config = ConfigParser()
config.read_dict({"acmednstiny": {"CAUrl": "https://acme-staging.api.letsencrypt.org",
"CheckChallengeDelay": 2},
config.read_dict({"acmednstiny": {"ACMEDirectory": "https://acme-staging.api.letsencrypt.org/directory",
"CheckChallengeDelay": 2},
"DNS": {"Port": "53"}})
config.read(args.configfile)
if (set(["accountkeyfile", "csrfile", "caurl", "checkchallengedelay"]) - set(config.options("acmednstiny"))
if (set(["accountkeyfile", "csrfile", "acmedirectory", "checkchallengedelay"]) - set(config.options("acmednstiny"))
or set(["keyname", "keyvalue", "algorithm"]) - set(config.options("TSIGKeyring"))
or set(["zone", "host", "port"]) - set(config.options("DNS"))):
raise ValueError("Some required settings are missing.")
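Review bot: The required-settings check on the new line can never fail for `acmedirectory`, because the `read_dict` call above already supplies a default for it, so an existing configuration that still sets only `CAUrl` passes validation and silently talks to the staging directory rather than the CA it was pointed at. Reject the obsolete key explicitly, e.g. `if "caurl" in config.options("acmednstiny"):` then `raise ValueError("CAUrl is no longer supported, use ACMEDirectory instead.")`. The value itself is also only checked for presence; since the nonce and the signed requests are sent to this URL, a guard such as `if not config["acmednstiny"]["ACMEDirectory"].startswith("https://"):` raising ValueError would keep a plaintext or non-HTTP URL from ever being used. `main` continues outside this hunk.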
......
......@@ -2,9 +2,9 @@
# Required readable ACME account key
AccountKeyFile = account.key
# Required readable CSR file
# Optional CA url (default: https://acme-staging.api.letsencrypt.org)
CAUrl = https://acme-staging.api.letsencrypt.org
CSRFile = domain.csr
# Optional ACME directory url (default: https://acme-staging.api.letsencrypt.org/directory)
ACMEDirectory = https://acme-staging.api.letsencrypt.org/directory
# Optional time in seconds to wait between DNS update and challenge check (default: 3)
CheckChallengeDelay = 3
......
import subprocess, os, json, base64, binascii, re, copy, logging
from urllib.request import urlopen
CAURL = os.getenv("GITLABCI_CAURL", "https://acme-staging.api.letsencrypt.org")
ACMEDirectory = os.getenv("GITLABCI_ACMEDIRECTORY", "https://acme-staging.api.letsencrypt.org/directory")
LOGGER = logging.getLogger(__name__)
LOGGER.addHandler(logging.StreamHandler())
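Review bot: `ACMEDirectory` on the added line is a module-level constant but is written in CamelCase, unlike the `CAURL` it replaces, the neighbouring `LOGGER`, and the `ACMEDIRECTORY` that the other test file introduces for the same environment variable. Keep the two files consistent with `ACMEDIRECTORY = os.getenv("GITLABCI_ACMEDIRECTORY", "https://acme-staging.api.letsencrypt.org/directory")` and update its use in `delete_account` accordingly.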
......@@ -26,7 +26,7 @@ def delete_account(accountkeypath, log=LOGGER):
def _send_signed_request(url, payload):
payload64 = _b64(json.dumps(payload).encode("utf8"))
protected = copy.deepcopy(header)
protected["nonce"] = urlopen(CAURL + "/directory").headers["Replay-Nonce"]
protected["nonce"] = urlopen(ACMEDirectory).headers["Replay-Nonce"]
protected64 = _b64(json.dumps(protected).encode("utf8"))
signature = _openssl("dgst", ["-sha256", "-sign", accountkeypath],
"{0}.{1}".format(protected64, payload64).encode("utf8"))
......
......@@ -4,7 +4,7 @@ from subprocess import Popen
# domain with server.py running on it for testing
DOMAIN = os.getenv("GITLABCI_DOMAIN")
CAURL = os.getenv("GITLABCI_CAURL", "https://acme-staging.api.letsencrypt.org")
ACMEDIRECTORY = os.getenv("GITLABCI_ACMEDIRECTORY", "https://acme-staging.api.letsencrypt.org/directory")
CHALLENGEDELAY = os.getenv("GITLABCI_CHALLENGEDELAY", "3")
DNSHOST = os.getenv("GITLABCI_DNSHOST")
DNSHOSTIP = os.getenv("GITLABCI_DNSHOSTIP")
......@@ -48,7 +48,7 @@ def gen_config():
# Default test configuration
config = configparser.ConfigParser()
config.read("./example.ini".format(DOMAIN))
config["acmednstiny"]["CAUrl"] = CAURL
config["acmednstiny"]["ACMEDirectory"] = ACMEDIRECTORY
config["acmednstiny"]["CheckChallengeDelay"] = CHALLENGEDELAY
config["TSIGKeyring"]["KeyName"] = TSIGKEYNAME
config["TSIGKeyring"]["KeyValue"] = TSIGKEYVALUE
......