
Productionize ACME certificate issuance#361

Merged
kacy merged 1 commit into main from tls-acme-productionize
Mar 30, 2026

Conversation

@kacy
Owner

@kacy kacy commented Mar 30, 2026

Summary

  • replace the placeholder-gated ACME flow with real issuance and renewal handling
  • share one ACME issuance path across startup provisioning, proxy renewal, and cert CLI commands
  • document the supported ACME/TLS behavior and current limits

What Changed

  • ACME runtime now reads replay nonces and location headers, captures real order URLs, and polls authorization and order state before finalizing and downloading certificates
  • startup TLS provisioning now starts the TLS proxy first, then provisions through the live HTTP-01 challenge path
  • yoq cert provision and yoq cert renew now run through a standalone HTTP-01 challenge server on port 80
  • shell completion and TLS docs now match the current CLI and behavior

Validation

  • env YOQ_SKIP_SLOW_TESTS=1 ZIG_GLOBAL_CACHE_DIR=.zig-global-cache ZIG_LOCAL_CACHE_DIR=.zig-local-cache zig build test
  • Result: 1727 passed; 25 skipped; 0 failed

Current Limits

  • ACME uses HTTP-01 only
  • the target host must be reachable on port 80 during provision and renewal
  • standalone yoq cert provision and yoq cert renew currently require --email
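The issuance flow the PR describes (nonces taken from each Replay-Nonce header, the order URL captured from Location, authorization and order state polled before finalizing, then the certificate downloaded, with the HTTP-01 key authorization published on port 80), as an added Python model. This is not yoq's code. MockAcmeServer, ACCOUNT_JWK (filler coordinates, not a real key), the in-memory `responder` dict standing in for the standalone challenge server, the URL paths and the placeholder certificate text are all constructed for this example; only the key-authorization and JWK-thumbprint computations follow RFC 8555 and RFC 7638 as written.

```python
# Offline model of the ACME (RFC 8555) order flow this PR describes. MockAcmeServer and
# ACCOUNT_JWK are constructed for the example: not yoq code, and no real CA is contacted.
import base64, hashlib, json, secrets

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43, "use": "sig"}  # filler key

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return base64.urlsafe_b64encode(hashlib.sha256(canonical.encode()).digest()).rstrip(b"=").decode()

def key_authorization(token: str, jwk: dict) -> str:
    """Body the port-80 responder serves at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

class MockAcmeServer:
    """Constructed CA stand-in: each request must spend one unused Replay-Nonce or gets badNonce."""
    def __init__(self, responder: dict):
        self.responder = responder  # token -> body, standing in for the host's port 80
        self.nonces, self.orders = set(), {}

    def new_nonce(self) -> str:
        nonce = secrets.token_urlsafe(16)
        self.nonces.add(nonce)
        return nonce

    def _order(self, oid: str) -> dict:
        s = self.orders[oid]["status"]
        cert = {"certificate": f"/cert/{oid}"} if s == "valid" else {}
        return {"status": s, "authorizations": [f"/authz/{oid}"], "finalize": f"/finalize/{oid}", **cert}

    def post(self, url: str, nonce: str, body=None):
        hdr = {"Replay-Nonce": self.new_nonce()}  # every reply, error replies included, carries a fresh nonce
        if nonce not in self.nonces:
            return 400, hdr, {"type": BAD_NONCE}
        self.nonces.discard(nonce)
        if url == "/newOrder":
            oid = str(len(self.orders) + 1)
            self.orders[oid] = {"status": "pending", "authz": "pending", "token": secrets.token_urlsafe(12), "polls": 0}
            hdr["Location"] = f"/order/{oid}"  # the order URL is carried only in this header
            return 201, hdr, self._order(oid)
        kind, oid = url.strip("/").split("/")
        o = self.orders[oid]
        if kind == "chall":  # client signals the token is published; the CA validates asynchronously
            o["triggered"] = True
            return 200, hdr, {"status": "processing"}
        if kind == "authz":
            if o.get("triggered") and o["authz"] == "pending":
                o["polls"] += 1  # a real CA stays pending for a while; here, exactly one poll
                if o["polls"] > 1:
                    ok = self.responder.get(o["token"]) == key_authorization(o["token"], ACCOUNT_JWK)
                    o["authz"], o["status"] = ("valid", "ready") if ok else ("invalid", "invalid")
            chall = {"type": "http-01", "token": o["token"], "url": f"/chall/{oid}"}
            return 200, hdr, {"status": o["authz"], "challenges": [chall]}
        if kind == "finalize":
            if o["status"] != "ready":
                return 403, hdr, {"type": "urn:ietf:params:acme:error:orderNotReady"}
            o["status"] = "processing"
            return 200, hdr, self._order(oid)
        if kind == "order":
            if o["status"] == "processing":
                o["status"] = "valid"  # issuance completes by the next poll
            return 200, hdr, self._order(oid)
        return 200, hdr, "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"

class AcmeClient:
    def __init__(self, server: MockAcmeServer, responder: dict, jwk: dict):
        self.server, self.responder, self.jwk = server, responder, jwk
        self.nonce = server.new_nonce()

    def _post(self, url: str, body=None):
        """Spend the held nonce, keep the one in the reply; retry once on badNonce."""
        for _ in range(2):
            status, hdr, resp = self.server.post(url, self.nonce, body)
            self.nonce = hdr["Replay-Nonce"]
            if not (status == 400 and isinstance(resp, dict) and resp.get("type") == BAD_NONCE):
                return status, hdr, resp
        raise RuntimeError(f"badNonce twice for {url}")

    def _poll(self, url: str, done: set, max_polls: int = 10) -> dict:
        for _ in range(max_polls):
            obj = self._post(url)[2]  # POST-as-GET
            if obj["status"] == "invalid":
                raise RuntimeError(f"{url} is invalid; do not finalize")
            if obj["status"] in done:
                return obj
        raise RuntimeError(f"{url} still {obj['status']} after {max_polls} polls")

    def issue(self, domain: str, publish: bool = True) -> str:
        _, hdr, order = self._post("/newOrder", {"identifiers": [{"type": "dns", "value": domain}]})
        order_url, authz_url = hdr["Location"], order["authorizations"][0]
        chall = next(c for c in self._post(authz_url)[2]["challenges"] if c["type"] == "http-01")
        if publish:  # the standalone HTTP-01 responder on port 80
            self.responder[chall["token"]] = key_authorization(chall["token"], self.jwk)
        self._post(chall["url"], {})
        self._poll(authz_url, {"valid"})
        self._poll(order_url, {"ready"})  # finalize is only allowed once the order is ready
        self._post(order["finalize"], {"csr": "(constructed)"})
        return self._post(self._poll(order_url, {"valid"})["certificate"])[2]
```

Two details in the model matter in a real client as well: the nonce from every reply replaces the held one, error replies included, which is what makes badNonce recovery a single retry rather than a new newNonce round trip; and an authorization or order that reaches "invalid" is terminal, so the poll loop aborts instead of going on to finalize against an order the CA will refuse with orderNotReady.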

@kacy kacy merged commit 0973860 into main Mar 30, 2026
6 of 7 checks passed
@kacy kacy deleted the tls-acme-productionize branch March 30, 2026 02:11