
Feature request: ACMEv2 support #464

Closed
schmittyd opened this Issue Jun 24, 2017 · 34 comments

Comments
@schmittyd

commented Jun 24, 2017

Is it possible to add support for NGINX and wildcard domains (subdomains)?

@rdebath

commented Jun 24, 2017

no yes

@andi-blafasl

commented Jul 12, 2017

Maybe in January 2018 Let's Encrypt will support Wildcard certificates with the ACMEv2 Protocol.

Are there any plans to update letsencrypt-win-simple to support the new Version of the ACME Protocol?

@rdebath

commented Jul 12, 2017

Oh, that used to just say no. The requirement for DNS-01 validation makes sense and the protocol changes look pretty small.

I imagine IIS will be the problem.

@WouterTinus WouterTinus changed the title Feature Request: NGINX and wildcard domain support Feature request: wildcard domain support Sep 20, 2017

@WouterTinus (Member)

commented Sep 20, 2017

I'm going to hijack this issue for wildcard support. If anyone is still interested in the NGINX part, please open a new one.

@zyo2012

commented Oct 5, 2017

I'm looking to use the wildcard when it becomes available in 2018. When the renewal occurs, it should update all sites that use the wildcards.

@WouterTinus WouterTinus changed the title Feature request: wildcard domain support Feature request: ACMEv2 support Feb 15, 2018

@dlidstrom

commented Feb 23, 2018

Related ACMESharp issue: ebekker/ACMESharp#260

@phairplay

commented Mar 31, 2018

Hello
I'm using nginx on Windows and was hoping to obtain a wildcard ask cert.

Is there any update on when this will be included?

@HyramTang

commented Apr 12, 2018

Hello, Does anyone know how to support wildcards?

@Bortxx

commented Apr 21, 2018

Is wild card cert support ready yet?

@WouterTinus (Member)

commented Apr 21, 2018

Wildcard support is not likely to appear anytime soon. There has been some work on a new version of ACMESharp with ACMEv2 support, but it's not exactly close to release or even actively in development. At this point there are roughly three courses of action to move this issue forward:

1a - wait for the ACMESharp project to get their v2 support out (if ever).
1b - divert time from this project to ACMESharp to help them get it out.
2 - find another library to build win-acme on while maintaining compatibility.
3 - write our own protocol layer, based on ACMESharp and perhaps others

I have not decided yet which would be the best way to move forward. I like the idea of having a common ACME(v2) library that different tools can use, but which or whose library it should be is difficult to say. Having control is nice, but duplicating efforts is a waste of valuable time and having others fix bugs before you even knew they were there is great.

I consider ACMEv2 support crucial for the long term viability of this project and it's the first major thing I'll start working on once I have time, but for personal reasons I'm not able to spend much of that on open source development right now. Unless other devs step up, it will be a while.

@AndreiPukrov

commented Apr 25, 2018

@WouterTinus which work are you referring to? For 6 months I have not seen any activity on ACMESharp and to me it looks like it has been dead for half a year. ZeroSSL seemed to be very active, maybe it's time to switch?

@WouterTinus (Member)

commented Apr 25, 2018

I was referring to https://github.com/PKISharp/ACMESharpCore - but that effort seems to have stopped around the same time as the main branch. ZeroSSL looks very feature complete but it's written in Perl so it's not of much use for this (C#) project. It can be useful as a reference though.

@ebekker (Member)

commented Apr 28, 2018

As of today, ACMESharpCore work is in progress again...

@SteffenAL

commented Apr 29, 2018

Thanks. That is good news !

@vineetkr1985

commented Jul 21, 2018

Hi @WouterTinus ,
Can I know when letsencrypt win simple for ACMEv2 wildcard support will be available for us? Is there any possibility for launching by July end?

Thanks in Advance

@AndreiPukrov

commented Jul 28, 2018

@vineetkr1985
The developer from that solution is @ebekker and you can see the latest status here: https://github.com/PKISharp/ACMESharpCore however there is no ETA provided yet. So we still need to wait...

@ebekker (Member)

commented Jul 31, 2018

Just to provide an update on ACMESharpCore that is relevant to win-acme -- all the functionality for ACME protocol is done, the 2.x core protocol client in its current stage is actually more feature complete than the original 1.x client.

What I'm working on now is actually refining the API and "in-the-box" support for things like cert and key management, but those things are ancillary to the ACME v2 protocol support. So if win-acme has its own way of managing that (like storing things in the registry or using .NET Framework APIs for things like key pair and CSR generation), then you likely won't care about that anyway.

My approach to refining the API and seeing what would be needed is by working through several example applications and seeing what is awkward, difficult or impossible to do with the ACMESharp client library, but 2 of these are already complete and working so they can provide sufficient guidance in using the client library.

@WouterTinus (Member)

commented Jul 31, 2018

For my part, I'm working on a branch of win-simple based on the ACMESharpCore library. So far it doesn't look like it would be very difficult to release a version based on that, but I'm still in doubt about how to handle upgrades and backwards compatibility.

@ebekker (Member)

commented Jul 31, 2018

Which components are you looking to keep backward compatible, the locally stored assets, such as private account key, order details, certificates?

Does win-acme store all those using .NET Framework artifacts, such as export of AsymmetricAlgorithm instance and X509Certificate2 instance? If so and those are the elements you're referring to, I believe you should be able to continue to use those.

@Dragonsangel (Contributor)

commented Oct 26, 2018

@WouterTinus do you have an update on this feature for us?

@WouterTinus (Member)

commented Oct 28, 2018

Hi @Dragonsangel - I ran into some roadblocks moving to .NET Standard, but now I have my builds and dependencies in order and some of the basics are working, i.e. setting up the connection and making a new registration. Next up is obviously validation and certificate generation. I made some attempts to run v1 and v2 side by side, but that is proving too difficult, so we might be looking at a 2.0 release that is ACMEv2 only.

Obviously then I'll want to have a migration plan in place for v1.x users and consider which (if any) other major changes should be done for v2 (e.g. dropping some more dependencies and legacy ugliness).

@TeamKinetic

commented Nov 5, 2018

Good work everyone, looking forward to using wildcard certificates!

@wlpdrpat

commented Nov 29, 2018

Hi @WouterTinus - any further updates on the 2.0 development? Time frame for release?

@webprofusion-chrisc (Contributor)

commented Nov 30, 2018

One of the major issues I found while developing the latest version of Certify with wildcard support was that your reliance on DNS providers increases massively, as does the requirement to securely store DNS API credentials so you can do auto renewals.

From a maintainer's point of view, it's worth considering these points up front as otherwise the level of support requests for help with manual DNS challenges and custom DNS scripting will increase dramatically.

@Daniel15

commented Dec 1, 2018

as does the requirement to securely store DNS API credentials so you can do auto renewals.

acme-dns helps with that. It's a DNS server that is designed specifically to serve the TXT validation records. It provides an API to only set those records, with validation (the records are only allowed if they're the exact length and format that ACME uses). The idea is that you run it separately from your main DNS server, and CNAME the _acme-challenge subdomain to it. Because of this, it greatly reduces the surface area accessible by the API keys. It works very well!

Of course, installing/configuring acme-dns is extra work you need to do. You do need a public IP for its DNS server to be reachable, but it's perfectly fine with being IPv6-only. Let's Encrypt has no trouble connecting to DNS servers that only listen on IPv6 addresses, and most servers have a bunch of IPv6 addresses they're not using.
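
How the acme-dns delegation described above fits together, as an added example that is not from this thread, from win-acme or from the acme-dns project: the TXT value a CA expects for dns-01 is base64url(SHA-256(token "." thumbprint)) per RFC 8555, so a well-formed value is always 43 base64url characters, and an update API that accepts only that shape (and only for the registered acme-dns subdomain) is what limits the blast radius of a leaked API key. The zone data is constructed in memory, `auth.acme-dns.example` and the long label are hypothetical names standing in for an acme-dns instance, and `acme_dns_update` is a stand-in for its update call, not its real API.

```python
import base64
import copy
import hashlib
import json
import re
from typing import Dict, List, Tuple

# RFC 8555 section 8.4: the TXT value is base64url(SHA-256(keyAuthorization)),
# a 32-byte digest, so always 43 unpadded base64url characters. An acme-dns style
# API accepts nothing else, which is what limits what a leaked API key can publish.
TXT_VALUE_RE = re.compile(r"[A-Za-z0-9_-]{43}")

Records = Dict[str, List[Tuple[str, str]]]  # owner name -> [(rrtype, rdata), ...]

# Hypothetical names: auth.acme-dns.example stands in for your own acme-dns instance,
# and the long label is the per-domain subdomain acme-dns hands out at registration.
ACME_DNS_HOST = "9f1c2e0a-constructed-label.auth.acme-dns.example."
ACME_DNS_SUBDOMAINS = {ACME_DNS_HOST}

# Constructed zone data: the operator has pointed _acme-challenge.example.com at the
# acme-dns host, so the acme-dns API key never touches example.com's own records.
CONSTRUCTED_RECORDS: Records = {
    "example.com.": [("A", "192.0.2.10"), ("MX", "10 mail.example.com.")],
    "_acme-challenge.example.com.": [("CNAME", ACME_DNS_HOST)],
    ACME_DNS_HOST: [],
}


def fresh_records() -> Records:
    """A private copy of the constructed zone, so updates never leak between runs."""
    return copy.deepcopy(CONSTRUCTED_RECORDS)


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects for this challenge token and account key."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def is_valid_txt_value(value: str) -> bool:
    return TXT_VALUE_RE.fullmatch(value) is not None


def acme_dns_update(records: Records, host: str, value: str) -> None:
    """Stand-in for the acme-dns update call (hypothetical, not its real API): the only
    write the key permits is setting the TXT record of a registered acme-dns subdomain,
    and only to a well-formed challenge response."""
    if host not in ACME_DNS_SUBDOMAINS:
        raise PermissionError(f"{host} is not a registered acme-dns subdomain")
    if not is_valid_txt_value(value):
        raise ValueError("TXT value is not a 43-character base64url challenge response")
    records[host] = [("TXT", value)]


def resolve_txt(records: Records, name: str, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs the way the CA's resolver does, then return TXT rdata at the final owner."""
    seen = set()
    for _ in range(max_hops):
        rrset = records.get(name, [])
        cnames = [rdata for rrtype, rdata in rrset if rrtype == "CNAME"]
        if not cnames:
            return [rdata for rrtype, rdata in rrset if rrtype == "TXT"]
        seen.add(name)
        name = cnames[0]
        if name in seen:
            raise RuntimeError(f"CNAME loop at {name}")
    raise RuntimeError("too many CNAME hops")


def demo() -> Tuple[str, List[str]]:
    """Publish a challenge response through the delegated zone and read it back the CA's way."""
    # Constructed sample inputs: a token in the shape ACME issues and an EC account key
    # whose coordinates are placeholders (only the thumbprint over them matters here).
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    records = fresh_records()
    value = dns01_txt_value(token, account_jwk)
    acme_dns_update(records, ACME_DNS_HOST, value)
    return value, resolve_txt(records, "_acme-challenge.example.com.")


if __name__ == "__main__":
    published, seen_by_ca = demo()
    print("published:", published)
    print("resolved via CNAME:", seen_by_ca)
```

The point to notice is the two checks in `acme_dns_update`: a key that can only write one TXT shape to one delegated name cannot be turned into an MX or A record change on the real zone, which is the reduced surface area the comment describes.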

@webprofusion-chrisc (Contributor)

commented Dec 1, 2018

@Daniel15 thanks, yes I've been looking into that. Incidentally my plan with Certify is to offer a supported hosted DNS CNAME redirection service that other clients can also have plugins for, so a bit like acme-dns but the only setup would be to register for an API key then set your CNAME in DNS (per domain), thereafter updates would be automatic. There is a security consideration regarding safety of people's certificates if someone compromises the service or gets your API key, so that needs more thought, possibly a 2FA option or notification whenever an update happens.

@Daniel15

commented Dec 1, 2018

@webprofusion-chrisc

so a bit like acme-dns but the only setup would be to register for an API key then set your CNAME in DNS (per domain), thereafter updates would be automatic.

So, exactly like acme-dns, but with someone else hosting it? 😛

The creator of acme-dns used to run a public instance, but phased it out a while back. I think he didn't want people to be relying on his hosted version in case it ever went down.

@WouterTinus (Member)

commented Dec 23, 2018

Finally got a day off to work on ACMEv2. Testing this is the first step towards wildcard support, so everyone who's eager to have that is invited to help in the effort!

https://github.com/PKISharp/win-acme/releases/tag/v2.0.0-alpha1

@WouterTinus WouterTinus self-assigned this Dec 31, 2018

@WouterTinus WouterTinus added this to the v2.0.0 milestone Dec 31, 2018

@WouterTinus (Member)

commented Dec 31, 2018

Just got it working for the next beta! Now it doesn't have to be a new years resolution to add it. Will upload a new beta build after the party tonight :)

@jhughes-mc

commented Jan 8, 2019

Running alpha2. Unable to get it to validate a wildcard cert. Tried filesystem validation too. It all seems to work fine if it's not a wildcard. Any way to get more logging out of this?

wacs.exe --target manual --host *.domain.com --validationmode http-01 --validation selfhosting --verbose

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 200.0.6940.36971 (RELEASE)
 [INFO] IIS version 7.5
 [INFO] ACME server https://acme-v02.api.letsencrypt.org/
 [INFO] Please report issues at https://github.com/PKISharp/win-acme

 [INFO] Running in mode: Unattended
 [INFO] Target generated using plugin Manual: *.domain.com
 [EROR] Validation plugin SelfHosting cannot validate this target
 [EROR] No validation plugin could be selected

@Daniel15

commented Jan 8, 2019

@jhughes-mc I haven't tried this build of win-acme yet, but Let's Encrypt wildcard certs require DNS validation. You can't use HTTPS validation, which it looks like you're trying to use.

@WouterTinus (Member)

commented Jan 9, 2019

That's right, wildcards can only be validated using DNS methods. I guess the error message should be improved because not everyone is going to be familiar with the LE specifics.
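
A target check of the kind the comment above asks for, as an added example rather than win-acme's own code: it classifies each requested host (wildcard or not, rejecting names a CA would refuse such as a `*` anywhere but the leftmost label), derives the challenge types usable for the whole order, and turns the bare "cannot validate this target" from the log into a message that says why. The challenge names are the ones Let's Encrypt offers for DNS identifiers (http-01 and dns-01 from RFC 8555, tls-alpn-01 from RFC 8737); everything else here is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Challenge types offered for DNS identifiers; a wildcard name can only be
# proven with dns-01, which is the rule the log in the comment above ran into.
CHALLENGES_FOR_NAME: Set[str] = {"http-01", "dns-01", "tls-alpn-01"}
CHALLENGES_FOR_WILDCARD: Set[str] = {"dns-01"}

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_identifier(host: str) -> Tuple[str, bool]:
    """Return (normalized name, is_wildcard); raise ValueError for names a CA would reject."""
    name = host.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty host name")
    labels = name.split(".")
    wildcard = labels[0] == "*"
    if wildcard:
        labels = labels[1:]
    if any("*" in label for label in labels):
        raise ValueError(f"{host}: '*' is only allowed as the leftmost label")
    if len(labels) < 2:
        raise ValueError(f"{host}: a certificate name needs at least two labels")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError(f"{host}: invalid DNS label {label!r}")
    return name, wildcard


def allowed_challenges(host: str) -> Set[str]:
    """Challenge types that can prove control of this single identifier."""
    _, wildcard = parse_identifier(host)
    return set(CHALLENGES_FOR_WILDCARD if wildcard else CHALLENGES_FOR_NAME)


@dataclass
class Decision:
    challenge: Optional[str]  # None when the requested method cannot be honoured
    reason: str


def select_challenge(hosts: Iterable[str], requested: str) -> Decision:
    """Check a requested validation method against every identifier in the order."""
    hosts = list(hosts)
    if not hosts:
        return Decision(None, "no identifiers given")
    usable = set(CHALLENGES_FOR_NAME)
    wildcards: List[str] = []
    for host in hosts:
        name, wildcard = parse_identifier(host)
        if wildcard:
            wildcards.append(name)
        usable &= allowed_challenges(host)
    if requested in usable:
        return Decision(requested, f"{requested} can validate all {len(hosts)} identifier(s)")
    if requested not in CHALLENGES_FOR_NAME:
        return Decision(None, f"unknown challenge type {requested!r}; choose one of {sorted(CHALLENGES_FOR_NAME)}")
    # Only wildcards shrink the usable set, so reaching this point means there is one.
    return Decision(
        None,
        f"{requested} cannot validate wildcard identifier(s) {', '.join(wildcards)}: "
        f"a wildcard can only be proven with dns-01, i.e. a TXT record at "
        f"_acme-challenge.<domain>. Usable for this order: {sorted(usable)}",
    )


if __name__ == "__main__":
    # Constructed inputs mirroring the command line quoted in the comment above.
    for hosts, method in ([["*.domain.com"], "http-01"], [["*.domain.com", "domain.com"], "dns-01"]):
        d = select_challenge(hosts, method)
        print(hosts, method, "->", d.challenge, "|", d.reason)
```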

@jhughes-mc

commented Jan 9, 2019

@Daniel15 @WouterTinus Thanks for the tip. I missed while reading that wildcards require DNS. Any recommendations for getting this hooked into Cloudflare on a windows machine? I'm finding plenty of other ACMEv2 clients with Cloudflare support but none of them also install and configure the certificate. Maybe I can find a Cloudflare powershell script and tie it into win-acme?

@webprofusion-chrisc (Contributor)

commented Jan 10, 2019

@jhughes-mc Posh-Acme has a bunch of DNS scripts: https://github.com/rmbolger/Posh-ACME, Certify has cloudflare and wildcards etc but is a GUI not a CLI so may not be what you need. You could also just use curl or similar to talk to the cloudflare API as I don't think powershell is a requirement of win-acme.
