-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Get ACMEv2 support in Certbot #5367
Comments
@jsha, I could use an ACMEv2 sanity check. Certbot has a flag called |
Yep, you'd create a second order. In practice Boulder would reuse the valid authorization, but true that that is not guaranteed by ACME. |
@joohoi and @ohemorange, we should come up with a plan for how we're going to handle wildcards in Apache and Nginx for I believe both of you have expressed a preference for the same plan: If the domain is a wildcard, show the user a list of vhosts to choose from. As far as I'm concerned, this can be all vhosts we'd consider for the request for now. Allow the user to select multiple vhosts and perform the enhancement or deploy the cert to all of them. We should make sure that things like redirects work for wildcard certs. Any objections or better ideas? (As a minor note, Certbot could ask Apache/Nginx to perform a challenge for a wildcard domain if a future ACME server supports wildcard issuance for HTTP/TLSSNI. Not sure what the (current) CA baseline requirements say here, but ACME has no objections to this. With this in mind, it might not be a bad idea to add a check for this early in |
As we discussed on the call, I'm going to take the Apache part here.
Yeah, I'm still convinced that this is the best option.
I don't think it could and/or should happen, as I tried to explain here, so I'd be in favor of not spending cycles on this ATM. |
This has been resolved! |
Step 2 of #5365
Certbot core
certbot.util.enforce_domain_sanity
that error on wildcards. We should still have code somewhere that errors if a wildcard is requested from a v1 endpoint because according to the spec "Wildcard domain names (with "*" as the first label) MUST NOT be included in authorization requests" and we should provide a clean error message to the user.--allow-subset-of-names
for ACMEv2. This could be done incertbot.client.obtain_certificate
, by having it repeatedly create a CSR, request anew_order
, and perform authorizations until all authorizations pass. If any fail, we should create a new CSR with only the domains that succeeded. The order/authorizations would then be passed toobtain_certificate_from_csr
.register
/new_account
on the client from the acme module when ACMEv2 is used. Doing this requires being able to get TOS from ACMEv2 directory, ideally without making the user of the ACME library reach into the directory object themselves. We also need to skip this code for ACMEv1 and not try and show TOS again after registering for ACMEv2. (Suggests acme change)new_account
/register
based on ACME version (Could be mitigated by Add automatic ACME protocol detection mechanism to the acme library #5491 or changes toacme.client.ClientV2
)certbot.client.obtain_certificate
because the CSR is needed earlier by the client in ACME. (Could be mitigated by Add automatic ACME protocol detection mechanism to the acme library #5491 or changes to ACMEv2: Add Order support #5374)certbot.auth_handler.get_authorizations
(or closely related function) should take a dict/list of authorization objects instead of domains. We can have another function on theauth_handler
take domains and create authzs if we wanted for convenience of supporting ACMEv1 (Could be mitigated by Add automatic ACME protocol detection mechanism to the acme library #5491 by keeping order object internal to acme client)Apache and Nginx
get_all_names
?if ($host = *.example.com) {
doesn't make sense for Nginx redirects.The text was updated successfully, but these errors were encountered: