ACMEOW v1.1.6

@miichoow miichoow released this 22 May 15:42
· 1 commit to main since this release

Release Date: May 22, 2026
Version: v1.1.6
Commits: 726a5ed, 2377f20

Production-grade ACME protocol client library for Python.


What's New

Fix: verify_ssl=False Now Works Through CONNECT Proxies

With requests 2.34+ / urllib3 2.x, setting session.verify=False no longer
propagates an ssl_context to the ProxyManager, so the environment's default
SSLContext (which validates certificates) was silently used for HTTPS
connections tunnelled through a proxy. As a result, verify_ssl=False had no
effect behind interception proxies such as Burp Suite when paired with a
custom CA, or when operating against non-public ACME endpoints.

A custom _NoVerifyAdapter is now mounted on the session whenever
verify_ssl=False, injecting an explicit non-verifying SSLContext into both
the PoolManager (direct connections) and the ProxyManager (CONNECT-tunnelled
connections).

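from pathlib import Path

from acmeow import AcmeClient  # top-level import assumed from the package name

client = AcmeClient(
    server_url="https://acme.internal/directory",
    email="admin@example.com",
    storage_path=Path("./acme_data"),
    verify_ssl=False,   # now reliably skips verification through CONNECT proxies
)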

The verify_ssl parameter on both AcmeClient and AcmeHttpClient now accepts
a str in addition to bool, allowing a path to a custom CA bundle to be
passed directly:

client = AcmeClient(
    server_url="https://acme.internal/directory",
    email="admin@example.com",
    storage_path=Path("./acme_data"),
    verify_ssl="/path/to/burp-ca.pem",  # custom CA bundle
)

Behaviour details:

  • verify_ssl=True (default) — unchanged, uses the system CA bundle
  • verify_ssl=False — mounts _NoVerifyAdapter; suppresses InsecureRequestWarning via urllib3
  • verify_ssl="/path/to/ca.pem" — passed through to requests as before
  • No change to default behaviour for callers that do not set verify_ssl

Fix: Finalization No Longer Stalls on CAs That Keep Orders in pending

Some CAs never transition an order from pending to ready, even after all
authorizations are validated — they accept the CSR directly and respond with the
certificate. The finalize_order() polling loop previously waited for the
ready state exclusively, causing an AcmeOrderError timeout against these
CAs.

The loop now breaks on pending as well as ready once all authorizations are
validated, and submits the CSR so that the server accepts or rejects it. If
the CA considers the order not actually ready, it will return an appropriate
ACME error at that point.

Behaviour details:

  • ready and pending are both treated as "proceed to CSR submission" states
  • invalid still raises AcmeOrderError immediately
  • Fully backwards-compatible — CAs that do transition to ready are unaffected
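
The polling decision described above, as an added example that is not ACMEOW's own code: OrderError, wait_until_finalizable, replay and the reduced snapshot shape are hypothetical names and assumptions, and the sample orders are constructed. The proceed_on_pending=False path reproduces the old ready-only wait for comparison.

```python
import time
from typing import Callable

class OrderError(Exception):
    """Stand-in for the library's AcmeOrderError (hypothetical here)."""

def wait_until_finalizable(fetch_order: Callable[[], dict], max_polls: int = 5,
                           interval: float = 0.0,
                           proceed_on_pending: bool = True) -> str:
    """Poll until the CSR may be submitted; return the order status seen.

    fetch_order() returns a reduced order snapshot (assumed shape):
    {"status": <order status>, "authorizations": [<authorization status>, ...]}
    proceed_on_pending=False reproduces the old ready-only wait.
    """
    for _ in range(max_polls):
        order = fetch_order()
        status = order["status"]
        if status == "invalid":
            raise OrderError("order is invalid")   # fail immediately
        if status == "ready":
            return status
        authz_validated = all(s == "valid" for s in order["authorizations"])
        if proceed_on_pending and status == "pending" and authz_validated:
            return status                          # let the CA judge the CSR
        time.sleep(interval)
    raise OrderError(f"order not ready after {max_polls} polls")

def replay(snapshots: list) -> Callable[[], dict]:
    """Serve constructed snapshots in order, repeating the last one."""
    queue = list(snapshots)
    return lambda: queue.pop(0) if len(queue) > 1 else queue[0]

# Constructed samples, not captured from a real CA.
STANDARD_CA = [
    {"status": "pending", "authorizations": ["pending"]},
    {"status": "ready", "authorizations": ["valid"]},
]
STUCK_CA = [  # never leaves "pending", even with every authorization valid
    {"status": "pending", "authorizations": ["valid", "pending"]},
    {"status": "pending", "authorizations": ["valid", "valid"]},
]

if __name__ == "__main__":
    print(wait_until_finalizable(replay(STANDARD_CA)))
    print(wait_until_finalizable(replay(STUCK_CA)))
```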

Installation

pip install acmeow
pip install acmeow[dns-route53]  # AWS Route53
pip install acmeow[all]          # All optional dependencies

Requirements

  • Python 3.10+
  • cryptography >= 41.0.0
  • requests >= 2.31.0
  • requests[socks] >= 2.31.0

Testing & Quality Metrics

  • 433 tests passing
  • Tested on Python 3.10, 3.11, 3.12, 3.13
  • Cross-platform support (Linux, macOS, Windows)

License

Apache License 2.0