Rewrite ACME issuer for v2, and make validation process asynchronous #309
Conversation
jetstack-bot
added
release-note
munnerz
changed the title
jetstack-bot
added
the
do-not-merge/work-in-progress
|
Still TODO: As part of making the authorization process asynchronous we need to make the DNS and HTTP01 challenge solver idempotent (so the names of resources it creates must be looked up instead of stored in memory) |
munnerz
force-pushed
the
acmev2
branch
5 times, most recently
from
e29b2e5
to
7a99b8c
Compare
|
/retest |
|
Currently failing due to the aforementioned TODO: Also waiting for this to merge in Pebble: letsencrypt/pebble#94 |
@munnerz That's on my plate for today 👍 |
|
Hey @munnerz, I know you've marked this PR as not ready yet, but I was super-keen to try it out, so went ahead and compiled it myself. It didn't work for me, because the Feel free to ignore if you're already aware of this, but I thought it was a bit weird so thought I'd let you know. Here's my cluster issuer yaml: |
|
Thanks for trying it out!
I'm aware of the issues around the new account registration and have been
making some changes to Pebble to accommodate them (Pebble did not support
parts of the user registration flow in the past).
I'll be updating this PR in the coming week so it's passing e2e tests.
In the meantime, I think reverting the (manual) changes I've made to the
acme v2 library should make it work properly with the staging endpoint
…On Sun, 18 Feb 2018 at 16:08, Mark Nuttall-Smith ***@***.***> wrote:
Hey @munnerz <https://github.com/munnerz>, I know you've marked this PR
as not ready yet, but I was super-keen to try it out, so went ahead and
compiled it myself. It didn't work for me, because the
https://acme-staging-v02.api.letsencrypt.org/acme/new-acct endpoint was
returning HTTP 200, but with an empty body which caused the decoding at
third_party/crypto/acme/acme.go:556 to fail.
I0218 16:53:19.071128 82052 acme.go:105] getting private key (letsencrypt-staging->tls.key) for acme issuer cert-manager/letsencrypt-staging-cluster-issuer-v2
I0218 16:53:19.909230 82052 setup.go:59] letsencrypt-staging-cluster-issuer-v2: Failed to verify ACME account: acme: invalid response: EOF
I0218 16:53:19.909303 82052 helpers.go:112] Setting lastTransitionTime for ClusterIssuer "letsencrypt-staging-cluster-issuer-v2" condition "Ready" to 2018-02-18 16:53:19.909295374 +0100 CET m=+15.560314114
I0218 16:53:19.909332 82052 sync.go:40] Error initializing issuer: acme: invalid response: EOF
Feel free to ignore if you're already aware of this, but I thought it was
a bit weird so thought I'd let you know.
Here's my cluster issuer yaml:
kind: ClusterIssuer
metadata:
name: letsencrypt-staging-cluster-issuer-v2
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: ***@***.***
privateKeySecretRef:
name: letsencrypt-staging
http01: {}
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#309 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAMbP-2OEqwUQR9nAzr8jNTh34uEewzoks5tWEsJgaJpZM4SAsaf>
.
|
|
Follow up (just remembered there's another significant part of this PR that will make it not work): Still TODO: As part of making the authorization process asynchronous we need to make the DNS and HTTP01 challenge solver idempotent (so the names of resources it creates must be looked up instead of stored in memory). Until this is done, when using HTTP01 you'll see hundreds of acmesolver pods created so please do not use this on a production cluster 😄 |
|
@munnerz PR needs rebase |
jetstack-ci-bot
added
the
needs-rebase
jetstack-ci-bot
removed
the
needs-rebase
munnerz
force-pushed
the
acmev2
branch
3 times, most recently
from
a0df9f5
to
6d72597
Compare
|
/retest |
1 similar comment
|
/retest |
Fixes for ACME client http transport
|
/retest |
…f GetOrder in issue.
|
/retest |
|
Re running tests with cloudflare dns01 provider tests enabled /test e2e |
|
@munnerz: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/skip |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kragniz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
What this PR does / why we need it:
Adds support for the ACME v2 protocol in favour of v1
Which issue this PR fixes: fixes #273
Special notes for your reviewer:
This PR is not ready yet. We need to validate and ensure boulder runs with the v2 protocol enabled during our e2e tests. In future we can switch to something like pebble, a lightweight alternative to boulder.I've updated the PR to use Pebble instead of Boulder during e2e tests
I have also copied across the upcoming
golang.org/x/crypto/acme/v2package from the gerrit codereview so we can get ahead of the curve on testing this: https://go-review.googlesource.com/c/crypto/+/86635I have also not tested whether it is possible to obtain wildcard certificates with this yetI have managed to obtain a wildcard certificate with this PR!
Release note: