Adrien Dorsaz / acme-dns-tiny / Issues / #2 (Closed)
Created Oct 09, 2016 by Adrien Dorsaz (@adrien, Owner). 20 of 24 tasks completed.

Implement acme draft release 0.9 (aka Let's Encrypt API v2)

Since Let's Encrypt now has a staging server implementing draft-ietf-acme-acme-09, we can now develop a new version of the acme-dns-tiny script (v2).

Updates to apply:

  • Renamed API endpoints:
    • new-account to newAccount
    • new-authz to newAuthz
    • new-order to newOrder
    • revoke-cert to revokeCert (not used by acme-dns-tiny)
    • key-change to keyChange (not used by acme-dns-tiny)
    • Inside the Directory:
      • terms-of-service to termsOfService
      • website to webSite (not used by acme-dns-tiny)
      • caa-identities to caaIdentities (not used by acme-dns-tiny)
  • Check that HTTP requests follow these recommendations:
    • Be sure to use HTTPS (required)
    • For new registrations, use new-account instead of new-reg (required)
    • Add a User-Agent header with the client name and version (recommended)
    • Set Accept-Language header to get localized error messages (recommended)
  • JWS Objects updates:
    • Use of url in the protected header instead of resource inside the payload
    • Include jwk in the protected header only when using newAccount and revokeCert resources. For other requests, we have to include kid (the account URI given on registration)
      • Account key rollover has been modified to include the kid instead of the old jwk in the request headers.
  • For the acme_account_delete script, the draft only allows deactivating the account; deleting it is no longer possible
  • Certificate application
    • Use the newOrder resource with one list of all names to validate, instead of one new-authz per name
      • The "identifiers" list contains the DNS names, each paired with a type ("identifiers": [{"type": "dns", "value": "example.com"}])
      • Read section 7.1.3 to see how to define a wildcard request
    • Get all challenges by sending a GET request to each authorization URL contained in the response, and select the dns-01 challenges (see section 7.5 for how to get challenges).
    • Then, install all DNS resources
    • Then, send a POST to the finalize address included in the newOrder response. This POST message MUST include the CSR.
    • If OK (see the status in the RFC), retrieve the certificate from the certificate value of the received JSON
  • Account registration
    • acme-dns-tiny will receive a 200 status code instead of a conflict when the account already exists, so we'll need to check the contact information on each run
      • Instead of always creating an account, acme-dns-tiny can look for an existing account by setting the onlyReturnExisting field to true when requesting new-reg. It could certainly be used to simplify the code. Finally, we only use this option in our tools to deactivate accounts and to roll over keys.
    • If the server indicates terms of service to be agreed in its directory, acme-dns-tiny has to include the termsOfServiceAgreed field with value true when creating a new account. (Currently, we always set it to True)
    • Check if the directory contains externalAccountRequired set to true: in that case we should include externalAccountBinding in the request (provided inside the configuration). It will require some more development and make the code more complex.
  • Account update will return a 200 (OK) status code instead of the current 202.
  • Agreement to the terms of service may need manual human interaction with the ACME server (if the CA wants it): the server will give a URL with a token to send to the user (acme-dns-tiny will raise an error with detailed information, as we won't add a library for email notification; administrators will have to configure their services to get mails/SMS/whatever on error for this service). acme-dns-tiny can also directly retrieve the new URL of the ToS from the Link header with rel="terms-of-service"
Edited Feb 28, 2018 by Adrien Dorsaz
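The draft-09 request shapes the task list above describes, as an added example that is not acme-dns-tiny's own code: a flattened JWS whose protected header carries url and nonce and uses jwk only for newAccount/revokeCert and kid otherwise, a newAccount payload that sets termsOfServiceAgreed only when the directory advertises terms and refuses externalAccountRequired, a newOrder payload with the "identifiers" list, and the dns-01 TXT value derived from the RFC 7638 key thumbprint. The directory document (DIRECTORY), the account URL and the nonces are constructed, and the 512-bit RSA key is generated in pure Python with a toy Miller-Rabin so the block runs offline; a real client loads its account key from disk and never uses a key that small.

```python
"""Added example (not acme-dns-tiny's own code): the draft-09 / ACME v2 message shapes
this issue lists.  Directory, account URL, nonces and the RSA key are all constructed."""
import base64, hashlib, json, random, secrets

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # JWS base64url
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- toy RSA account key (demo only; a real client loads its key from disk) ---
def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test for an odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_toy_rsa_key(bits=512):
    """Constructed 512-bit key: room for RS256 padding, far too small for real use."""
    e, primes = 65537, []
    while len(primes) < 2:  # random odd half-size candidates with the top bit set
        cand = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(cand) and cand not in primes:
            primes.append(cand)
    phi = (primes[0] - 1) * (primes[1] - 1)
    if phi % e == 0:  # e must be invertible mod phi; retry on the rare collision
        return generate_toy_rsa_key(bits)
    return {"n": primes[0] * primes[1], "e": e, "d": pow(e, -1, phi)}

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def emsa_pkcs1_v1_5(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes (RFC 8017 section 9.2)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, message):
    """RSASSA-PKCS1-v1_5 with SHA-256, the JWS alg ACME clients use with RSA account keys."""
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v1_5(message, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def public_jwk(key):
    enc = lambda x: b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"e": enc(key["e"]), "kty": "RSA", "n": enc(key["n"])}

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the sorted, whitespace-free JSON of the public JWK."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())

DIRECTORY = {  # constructed directory using the renamed draft-09 resources
    "newAccount": "https://acme.example/acme/new-acct",
    "newOrder": "https://acme.example/acme/new-order",
    "revokeCert": "https://acme.example/acme/revoke-cert",
    "meta": {"termsOfService": "https://acme.example/terms"},
}
JWK_ONLY_RESOURCES = ("newAccount", "revokeCert")  # every other request signs with kid

def build_jws(key, directory, url, payload, nonce, kid=None):
    """Flattened JWS: url and nonce sit in the protected header, not in the payload."""
    protected = {"alg": "RS256", "nonce": nonce, "url": url}
    if any(directory.get(name) == url for name in JWK_ONLY_RESOURCES):
        protected["jwk"] = public_jwk(key)
    elif kid:
        protected["kid"] = kid  # the account URL returned at registration
    else:
        raise ValueError("kid (account URL) is required for " + url)
    protected64 = b64url(json.dumps(protected).encode())
    payload64 = b64url(json.dumps(payload).encode())
    return {"protected": protected64, "payload": payload64,
            "signature": b64url(rs256_sign(key, (protected64 + "." + payload64).encode()))}

def decode_protected(jws):
    return json.loads(b64url_decode(jws["protected"]))

def new_account_payload(directory, contact):
    """Agree to the ToS only when the directory advertises one; EAB is not supported."""
    meta = directory.get("meta", {})
    if meta.get("externalAccountRequired"):
        raise NotImplementedError("externalAccountBinding is not supported")
    return {"contact": list(contact), **({"termsOfServiceAgreed": True} if "termsOfService" in meta else {})}

def new_order_payload(domains):
    """One newOrder listing every name, instead of one new-authz per name."""
    return {"identifiers": [{"type": "dns", "value": d} for d in domains]}

def dns01_txt_value(key, token):
    """TXT value for _acme-challenge.<name>: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = token + "." + jwk_thumbprint(public_jwk(key))
    return b64url(hashlib.sha256(key_authorization.encode()).digest())
```

Calling `build_jws(key, DIRECTORY, DIRECTORY["newAccount"], new_account_payload(DIRECTORY, ["mailto:admin@example.com"]), nonce)` yields a header with jwk; the same call against `DIRECTORY["newOrder"]` raises until a kid (the account URL from the registration response) is supplied, which is the check that catches a v1-style request before it reaches the server. The jwk/kid selection is keyed on the directory URLs rather than on a resource name so that the decision survives the endpoint renames listed in the first task.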