-
-
Notifications
You must be signed in to change notification settings - Fork 988
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ACME v2 #457
Comments
Yes, I do plan on supporting the V2 API of Let's Encrypt along with ACMEv2. It will happen during my holidays in early January. |
And I will be available on standby to help where needed! |
I left a short comment on a similar issue in the Dehydrated repo with a quick list of differences that might help folks get a rough idea of the work involved. |
The staging endpoint for ACME v2 is out: https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605 😃 |
Yep. I'm already on it in a private branch. Will publish it to the repo once I'm happy with it so you people can have a look and give feedback. |
At the risk of sounding ungrateful, is there a status update on this? I'd love to be able to integrate and test things out before LE goes live this month. |
Also eagerly waiting support so we can leverage it in Terraform! |
Hey all! I'm sorry this is getting delayed but I had a lot more work in my day job than I anticipated during this time. Be assured that I'm working on this as much as possible though. |
So another question just popped up and I wanted to see what all of you think. |
Do you think the client api will need to change though? My code uses Possibly my saved json files for accounts and certificates would be invalid moving from v1 to v2? But I hope not. In my dream scenario, the package recognizes automatically which version to use based on the directory endpoint you give it. Maybe have explicit v1 and v2 packages, but the |
No, there are currently no changes to the existing API, only internal changes and new functions as V2 offers more endpoints.
No. The protocol is not versioned at all, the whole "V2" is just because LE chose to name their endpoint that way. The ACME protocol itself was never standardized and so did not have a V1.
Most likely. All messages are different and existing AuthZ are not transferred to the V2 endpoint, accounts are though so we may look at transferring them. |
Looks like they delayed their live rollout a little bit. https://community.letsencrypt.org/t/acmev2-and-wildcard-launch-delay/53654 |
Hello @xenolf,
If the API does not change, maybe the best solution would be to use type aliases? WDYT? |
That's awesome news. Seems we're waiting on @xenolf here, and maybe there are some time demands outside his control. I've got a dev environment set up and I'll try giving it a shot at converting to v2 myself. |
Should only be a couple of hours :) |
You can find initial ACMEv2 support in the acmev2 branch. Anyways, you should be able to get a certificate from the V2 endpoint (yes, wildcards) and it should not need many changes to your code. Please report any problems you encounter with it and also please let me know your thoughts about the naming - I spent a considerable amount of time on thinking about that and didn't come up with a really good solution. |
Had to remove Azure as a dns provider, seems like they removed the sdk for dns or something from github, didn't investigate too much. When I try a run, I get the following error:
|
I replaced the import string in the azure.go providers directory with acmev2 branch has the go update still broke after that so I just removed azure and updated. Once the go update completed (-azure) the process worked flawlessly. |
Hrm, @shaunbro I did switch to the acmev2 branch, not sure what else I'm missing. edit: nevermind it worked, didn't occur to me I needed to add |
Awesome. Super excited to test this tomorrow. One thing I noticed: the v1 and v2 directory endpoints have a noticeably different structure. Field names moved from underscore_case to camelCase, and some things like that. What if...
|
ACME v1 was never standardized and will be phased out. I don't really see a point in trying to keep it alive, other than to have it available for a while if people still need it; but I think everyone will be moving to v2. And if not, they'll have to anyway as v1 will be discontinued. In other words, I would rather we not make design decisions with the hope of preserving v1... but that's just me. 😇 |
Wow! this is working great. I managed to issue some certs with multiple wildcards and everything. I did manage to get it to crash a few times. I think I failed some validations and then ran again, and it gave some super odd output and paniced:
This is against the staging LE server. It seems to be pretty consistent, so maybe I can help get more output to debug with. |
Wow that's a weird error. I am sure it didn't do any validations in under a second. Were there some odd circumstances you could identify? If a challenge fails to verify, it should have been logged. |
The previous run to the panics ended with |
I will see if I can reproduce when I get home today. |
@captncraig I pushed the missing return statements. The process should now properly abort on error. |
@captncraig It seems like your issue is because of overlapping wildcard domains. An issue will be opened in boulder to improve the error message that is returned. |
What do you mean overlapping? It does seem related to boulder though. If I request without any wildcards it proceeds. If I add any wildcards now it gives the "error creating order". I think I may have messed up something in my account. |
Oh, the wildcard name conflicts with a non-wildcard name. Gotcha. Can't do |
letsencrypt/boulder#3558 is the Boulder issue to track (edit: Thanks for the bug report folks!!!) |
(Another good reason Caddy doesn't try to put multiple names on a cert! 🕺 - keeps things simpler) This is working pretty great in Caddy. I've just about figured out the updated flow as far as user accounts and wildcards go. Great work, @xenolf! |
When I use renew lego is using *.domain instead of _. it is also another domain from many i use :) |
@Knight1 As I wrote above, old certificate descriptors are not compatible with the new format. As such you need to use |
I used run many times but i have an idea. I switched the commonName from .us Domain to .de. And he used the .us Domain. Maybe this is the case here. Will test it tomorrow but you might have an idea :) |
@xenolf in the master branch, lego will use the first domains value mentioned by user as certificate's CN and file name. in this version it uses the first domains in alphabetical order (i think) for run only. for renew it still try to use master's behavior, so it can't find the files. FWIW, I still prefer the old behavior so I can choose which domain as CN. |
@jahmad That is a regression and not expected. Boulder seems to return the identifiers in alphabetical order in the response to the order creation request and not in the same order we submit them. I'll take a closer look at that. |
As a quick update: letsencrypt/boulder#3558 is fixed in master, and the staging environment. The bug was not present in production. There shouldn't be any further staging newOrder 500s. Please open a Boulder issue if you find any! Thanks! |
@cpu Do you know if it is intentional that boulder returns the identifiers you request in an order in alphabetical order in the response to "new-order"? |
It's intentional. This happens at the RA level. We normalize the names before storing the order with That function returns the names in alphabetical order: https://github.com/letsencrypt/boulder/blob/7e5f22dd8d35c8f48dac8ff241b61cee41296dac/core/util.go#L203:L218 The specification doesn't say anything about identifier order in the order (wow that's confusing to say) so I think the safest bet is to not assume anything about the order of the identifiers in the order returned by the server. Boulder sorts them but another ACME server may not. If pressed to change I would probably advocate for Boulder to move towards randomizing the identifier order in the order response to emphasize that it shouldn't be relied upon (Sounds like a good idea for Pebble actually! - letsencrypt/pebble#104). |
@cpu thanks for the clarification! |
As far as I can tell common name usage is deprecated and will probably be removed from browsers: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/IGT2fLJrAeo |
@arnested my main concern is seeing my typo domain as CN, it just feels ugly :) |
@zatricky nobody disputing that. Yes, browser will only use SAN and ignore CN for verification. There is no problem whatsoever with that reality. None. Zilch. |
@xenolf , is there an update when acmev2 branch will be merged? Is there any blocker other than the CN order issue? |
@xenolf Any update on when the acmev2 branch will be merged to master? |
any update? |
I, along with many others, am super excited about Let's Encrypt supporting wildcard certs in 2018. According to their latest blog they should have a test endpoint up in early January.
I really like this library, as it has saved me from having to deal with acme directly at all. Is acme v2 and wildcard support on your radar at all? I am not even sure what the major differences are, or what is involved in upgrading. Will a single library be able to handle both, or will a separate package be needed?
If I had all my dreams come true I would love for lego to let me get wildcard certs asap, but I know this is may be a considerable undertaking. Thanks for everything.
The text was updated successfully, but these errors were encountered: