Implement acme draft release 0.9 (aka Let's Encrypt API v2)
Since Let's Encrypt now has a staging server implementing draft-ietf-acme-acme-09, we can now develop a new version of the acme-dns-tiny script (v2).

Updates to apply:

- Renamed API endpoints:
  - new-account to newAccount
  - new-authz to newAuthz
  - new-order to newOrder
  - revoke-cert to revokeCert (not used by acme-dns-tiny)
  - key-change to keyChange (not used by acme-dns-tiny)
- Inside the Directory:
  - terms-of-service to termsOfService
  - website to webSite (not used by acme-dns-tiny)
  - caa-identities to caaIdentities (not used by acme-dns-tiny)
- Check that HTTP requests follow these recommendations:
  - Be sure to use HTTPS as it is required (required)
  - For new registration use new-account instead of new-reg (required)
  - Add a User-Agent with client name and version (recommended)
  - Set the Accept-Language header to get localized error messages (recommended)
- JWS object updates:
  - Use `url` in the protected header instead of `resource` inside the payload
  - Include `jwk` in the protected header only when using the `newAccount` and `revokeCert` resources. For other requests, we have to include `kid` (the account URI given on registration)
  - Account key rollover has been modified to include the `kid` instead of the old `jwk` in the request headers.
- For the acme_account_delete script, the draft only allows deactivating the account, no longer deleting it
- Certificate request:
  - Use the `newOrder` resource with one list of all names to validate instead of one `new-authz` per name
  - The "identifiers" list contains the list of DNS names, each paired with a type (`"identifiers": [{"type":"dns", "value": "example.com"}]`)
  - Read section 7.1.3 to see how to define a wildcard request
  - Get all challenges by sending a GET request to each of the `authorizations` URLs contained in the response. Select the `dns-01` challenges. For how to get challenges, see section 7.5.
  - Then, install all DNS resources
  - Then, send a POST to the `finalize` address included in the newOrder response. This POST message MUST include the CSR.
  - If OK (see status in the RFC), retrieve the certificate from the `certificate` value of the received JSON
- Account registration:
  - acme-dns-tiny will receive a 200 status code instead of a conflict when the account already exists: so, we'll need to check contact information on each run
  - Instead of always creating an account, acme-dns-tiny can look for an existing account with the `onlyReturnExisting` field set to true when requesting `new-reg`. It certainly could be used to simplify the code. Finally, we just use this option for our tools to deactivate the account and to roll over keys.
  - If the server indicates terms of service to be agreed in its directory, acme-dns-tiny has to include the `termsOfServiceAgreed` field with value `true` when creating a new account. (Currently, we always set it to True)
  - Check if the directory contains `externalAccountRequired` set to true: in that case we should include `externalAccountBinding` in the request (provided inside the configuration). It will require some more development and will make the code more complex.
  - Account update will return a `200` (OK) status code instead of the current `202`.
  - Agreement of terms of service may need manual human interaction with the ACME server (if the CA wants it): the server will give a URL with a token to send to the user (acme-dns-tiny will raise an error with detailed information, as we won't add a library for email notification; administrators will have to configure their services to get mails/SMS/whatever on error for this service). acme-dns-tiny can also directly retrieve the new URL of the ToS in the `Link` header with `rel="terms-of-service"`.
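As an added example (not code from the acme-dns-tiny project), here is how the JWS rules above (`url` in the protected header, `jwk` only for `newAccount`/`revokeCert`, `kid` otherwise) and the single `newOrder` identifiers list could be implemented. The CA URLs, the JWK values and the `demo_sign` callback are placeholders; a real client passes the account key's RS256 signer.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List, Optional

# Endpoints for which the server cannot know the account yet: send the public key (jwk).
JWK_RESOURCES = {"newAccount", "revokeCert"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWS requires for every field."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def acme_jws(resource: str, url: str, nonce: str, payload: dict, jwk: dict,
             kid: Optional[str], sign: Callable[[bytes], bytes],
             alg: str = "RS256") -> Dict[str, str]:
    """Flattened JSON JWS for a draft-09 request.

    The request URL goes into the protected header ("url"); the payload no
    longer carries a "resource" field. 'sign' is the account key's signing
    function (RS256 in acme-dns-tiny); it is injected so this example needs
    no crypto library.
    """
    protected = {"alg": alg, "nonce": nonce, "url": url}
    if resource in JWK_RESOURCES:
        protected["jwk"] = jwk
    elif kid is None:
        raise ValueError("kid (account URL from registration) required for " + resource)
    else:
        protected["kid"] = kid  # account URL returned by newAccount
    protected_b64 = b64url(json.dumps(protected, sort_keys=True).encode("utf-8"))
    payload_b64 = b64url(json.dumps(payload, sort_keys=True).encode("utf-8"))
    signing_input = (protected_b64 + "." + payload_b64).encode("ascii")
    return {"protected": protected_b64, "payload": payload_b64,
            "signature": b64url(sign(signing_input))}


def new_order_payload(domains: List[str]) -> dict:
    """One newOrder for all names at once; a wildcard is just a dns identifier (section 7.1.3)."""
    return {"identifiers": [{"type": "dns", "value": d} for d in domains]}


def decode_protected(jws: Dict[str, str]) -> dict:
    """Decode the protected header back into a dict (for checks and debugging)."""
    raw = jws["protected"]
    return json.loads(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))


def demo_sign(data: bytes) -> bytes:
    """Placeholder for the account key's RS256 signer: a plain hash, NOT a real signature."""
    return hashlib.sha256(data).digest()
```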