google / acme
A simple ACME command line tool without 3rd party deps!
License: Apache License 2.0
Currently the cert command uses the first domain name to name the generated host key and certificates. When generating several certificates at once this naming is inconvenient and I have to rename the files in my shell script wrapper for the tool into domain-independent names that are used in a web server config. It would be nice to allow to name the files explicitly.
I can't seem to make a valid account.key to make goacme work on Windows. If I use PuTTY to generate an SSH-2 RSA key I get: account key: no block found in "C:\Users\james.config\acme\account.key"
The documentation doesn't explain how to create account.key.
Some kind of a reverse proxy. Similar to autocert but command line version.
Add a helper func so that people can do something like goacme.ListenAndServerTLS instead of http.ListenAndServerTLS.
Thanks @bradrydzewski for the idea.
ACMEv1 sunset currently breaks at least acme reg:
$ acme reg -gen mailto:[email protected]
403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
That's completely in-sync with the sunset plan outlined at the URL:
$ acme reg -gen mailto:[email protected]
400 urn:acme:error:malformed: signature type 'RS256' in JWS header is not supported, expected one of RS256, ES256, ES384 or ES512
Looks like the key type changed to ED256 in 2a985c7.
Does the jws token header need to be updated to match?
If I create an rsa 4096 key manually, then reg works.
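The two error messages above come down to one rule: the "alg" in the JWS protected header has to be derived from the account key actually used to sign, and the signer has to hash with the digest that alg names. The following is an added example, not code from the google/acme project, showing that derivation in Go; the nonce and URL values and the key-generation helpers are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// newECKey and newRSAKey wrap key generation for the demo and its test.
func newECKey(curve elliptic.Curve) (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(curve, rand.Reader)
}

func newRSAKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// jwsAlg derives the JWS "alg" from the account key itself, so the protected
// header can never advertise an algorithm the key cannot sign with.
func jwsAlg(key crypto.Signer) (string, error) {
	switch k := key.(type) {
	case *rsa.PrivateKey:
		return "RS256", nil
	case *ecdsa.PrivateKey:
		switch k.Curve {
		case elliptic.P256():
			return "ES256", nil
		case elliptic.P384():
			return "ES384", nil
		case elliptic.P521():
			return "ES512", nil
		}
		return "", fmt.Errorf("unsupported ECDSA curve %s", k.Curve.Params().Name)
	}
	return "", fmt.Errorf("unsupported account key type %T", key)
}

// hashForAlg is the digest each alg is defined over (RFC 7518, section 3.1);
// the signer must hash with this, not always with SHA-256.
func hashForAlg(alg string) (crypto.Hash, error) {
	switch alg {
	case "RS256", "ES256":
		return crypto.SHA256, nil
	case "ES384":
		return crypto.SHA384, nil
	case "ES512":
		return crypto.SHA512, nil
	}
	return 0, fmt.Errorf("unknown alg %q", alg)
}

// protectedHeader returns the base64url-encoded JWS protected header that
// carries alg, the server-issued nonce and the request URL.
func protectedHeader(key crypto.Signer, nonce, url string) (string, error) {
	alg, err := jwsAlg(key)
	if err != nil {
		return "", err
	}
	raw, err := json.Marshal(map[string]string{"alg": alg, "nonce": nonce, "url": url})
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

func main() {
	key, err := newECKey(elliptic.P256())
	if err != nil {
		panic(err)
	}
	// Constructed nonce and URL; a real client takes both from the CA.
	hdr, err := protectedHeader(key, "example-nonce", "https://acme.example.test/new-reg")
	if err != nil {
		panic(err)
	}
	alg, _ := jwsAlg(key)
	h, _ := hashForAlg(alg)
	fmt.Printf("alg=%s hash=%v header=%s\n", alg, h, hdr)
}
```

A key on a curve the CA does not list (P-224, for instance) is rejected before any request is built, which turns the server-side 400 into a local error with a clear cause.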
hi.
root@umh:# ./acme-linux-amd64 cert -s localhost:6060 mydomain.com#
mydomain.com: acme: identifier authorization failed
root@umh:
how to fix it?
thank you
Will there be support for ECDSA keys soon?
If you call acme cert without the -k option it will auto-generate a private certificate key for the user, but it is currently hard-coded to only use the ECDSA algorithm. While ECDSA is supposed to be a superior algorithm, ECDSA certs are not compatible with a number of client and server systems, e.g. AWS API Gateway requires a 2048-bit RSA key.
It would be great if the user could optionally specify the private key certificate algorithm and key size using a flag. That would make things simpler, safer and easier for users who don't have openssl installed.
We currently fetch only one level up when retrieving a cert. @kuba says we need to go more levels up into the chain.
The spec says
The server provides metadata about the certificate in HTTP headers. In particular, the server MUST include a Link relation header field RFC5988 with relation “up” to provide a certificate under which this certificate was issued
It's not entirely clear whether the up response may also contain another relation level: the way it is at the moment seems to work.
Anyway, just wanted to create this issue for now, as a reminder to make sure we're doing it correctly.
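As an added illustration (not the project's own code) of what "going more levels up" involves, here is a Go client that parses Link headers for rel="up" and follows them until the server stops advertising a parent. The depth cap, cycle check and per-body size limit are the defensive parts: without them a CA that returns a self-referencing or endless Link chain could keep the client downloading forever. The header value in main is constructed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"regexp"
)

// linkRe matches one Link-header value such as <https://ca/issuer>;rel="up".
// Several values may share one header (comma separated) or arrive as
// repeated headers; FindAll handles both without splitting on commas.
var linkRe = regexp.MustCompile(`<([^>]+)>\s*;\s*rel="?([^";,]+)"?`)

// linkRel returns every URL advertised with the given relation, in order.
func linkRel(h http.Header, rel string) []string {
	var out []string
	for _, v := range h.Values("Link") {
		for _, m := range linkRe.FindAllStringSubmatch(v, -1) {
			if m[2] == rel {
				out = append(out, m[1])
			}
		}
	}
	return out
}

// fetchChain downloads the certificate at leafURL and keeps following the
// first rel="up" link until the server advertises no parent. It refuses to
// go past maxDepth or revisit a URL, so a misbehaving server cannot make the
// client loop. Bodies are returned leaf-first, exactly as served.
func fetchChain(client *http.Client, leafURL string, maxDepth int) ([][]byte, error) {
	var chain [][]byte
	seen := map[string]bool{}
	next := leafURL
	for depth := 0; next != ""; depth++ {
		if depth >= maxDepth {
			return nil, fmt.Errorf("certificate chain exceeds %d links", maxDepth)
		}
		if seen[next] {
			return nil, fmt.Errorf("cycle in rel=\"up\" links at %s", next)
		}
		seen[next] = true

		resp, err := client.Get(next)
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap each body at 1 MiB
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("%s: unexpected status %d", next, resp.StatusCode)
		}
		chain = append(chain, body)

		next = ""
		if ups := linkRel(resp.Header, "up"); len(ups) > 0 {
			// Link targets may be relative; resolve against the request URL.
			u, err := resp.Request.URL.Parse(ups[0])
			if err != nil {
				return nil, err
			}
			next = u.String()
		}
	}
	return chain, nil
}

func main() {
	// Constructed header for a stand-alone run; no network access needed.
	h := http.Header{}
	h.Add("Link", `<https://ca.example.test/directory>;rel="index", <https://ca.example.test/issuer>;rel="up"`)
	fmt.Println(linkRel(h, "up"))
}
```

Only the first "up" link at each level is followed; if a CA ever advertised several, the caller would need a policy for choosing between them.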
That way we could skip the url string param in each call to the client. Maybe provide Endpoint as an additional parameter to the acme client, maybe an additional wrapper.
http.StatusAccepted is now returned by Letsencrypt.
Currently it fetches only the full Authz (GetAuthz); one needs to filter if interested only in a given challenge.
What's the recommended way of renewing an existing letsencrypt certificate using cmd/acme?
Just running acme cert $domain will re-issue a new .crt.
Is there a way of handling this automatically? Like "renew, when existing .crt will expire in n days"?
When using the command:
c:\Acme> acme reg -gen mailto:[email protected]"
it throws an error
account key: open C:\Users\myusername\.config\acme\account.key: The system cannot find the path specified.
when the .config directory does not exist.
This is on Windows 10, with the 1.1.1 binary.
Workaround: create directories manually.
Fix: automatically create directories .config and .config/acme if they don't exist.
Now that golang.org/x/crypto/acme is public, there's absolutely no reason to keep the copy of the package here.
I've been using the acme client for several rounds of cert renewals, over the last 9 months, without any issues. I'm using the HTTP challenge.
Now I notice that I can no longer renew against the staging environment, but the production environment still works as usual.
The error I get, is
(MYDOMAIN): acme: identifier authorization failed
I still see the HTTP challenge in the web server logs, replied to with a 200 status, so that part is working still.
TOS acceptance is fine (checked with whoami, even updated once although it said "yes").
Can anybody reproduce that / sees the same issues? Maybe something changed in letsencrypt staging that the acme client needs to learn?
First time user here, with some notes on usability with "acme reg -gen mailto:[email protected]":
first run fails with account key: open /home/me/.config/acme/account.key: no such file or directory
solution was to create directory .config/acme by hand
second run then prompted me to accept the ToS. I took some time to read it. When I came back and entered Y at the prompt I got this error: context deadline exceeded
a third run fails directly with message 409 urn:acme:error:malformed: Registration key is already in use
after deleting .config/acme/account.key by hand, a fourth run then worked...
Another nitpick on first playing with your program: once I got it to register, I immediately proceeded to register once more against the staging server, using acme reg -c .config/acme.staging -d letsencrypt-staging. That worked fine, and I can use acme whoami -c .config/acme.staging to look at the registration details.
Next, I tried acme cert -c .config/acme.staging -manual me.example.com (of course with my own domain). That got me an error: me.example.com: 403 urn:acme:error:unauthorized: No registration exists matching provided key
Not a big issue - I simply have to once more add the -d letsencrypt-staging option, and then it works fine!
However, seeing that the "staging" URI is known (with whoami, or looking at the config file) already when the -c option is given - shouldn't then -d default to that URI from the configuration, like it does with whoami?
package main

import (
	"fmt"
	"net/http"
)

func main() {
	http.HandleFunc("/do", func(w http.ResponseWriter, r *http.Request) {
		fmt.Println("do")
	})
	// cert.pem is not issued by a CA the browser trusts, hence the warning below.
	err := http.ListenAndServeTLS(":9000", "key.pem", "cert.pem", nil)
	if err != nil {
		panic(err)
	}
}

1. Open https://localhost:9000/do in a browser.
2. The browser warns "not safe connection: NET::ERR_CERT_AUTHORITY_INVALID".
3. How to handle this except importing the CA cert in the client?
Where is the AppEngine module? seem to be missing.
Lukas Schauer's dehydrated has support for external DNS tools to enable the "ACME DNS challenge" for the many situations where the HTTP challenge is problematic. Generally it just runs a command with parameters specifying the FQDN and the magic value that need to be set up as a TXT DNS record, and then a cleanup after letsencrypt is done verifying. It would be super-cool if you used the same 'protocol' so that existing tools work out-of-the-box. See: https://github.com/lukas2511/dehydrated/blob/master/docs/dns-verification.md
dehydrated works but since it is written in BASH it is sensitive to many platform issues and has a lot of dependencies on various unix/linux tools.
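The "magic value" a DNS hook has to publish is fully specified by the ACME protocol: the key authorization is the challenge token joined with the account key's JWK thumbprint, and the dns-01 TXT value is the base64url-encoded SHA-256 of that string (RFC 8555, sections 8.1 and 8.4). The following is an added Go example, not code from the google/acme project or from dehydrated, that computes both for an EC account key; the token and the example.test name are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// b64 is the unpadded base64url encoding JOSE and ACME use throughout.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newAccountKey generates a throwaway P-256 account key for the demo.
func newAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// ecJWKThumbprint computes the RFC 7638 thumbprint of an EC public key:
// SHA-256 over the JWK with only its required members, in lexicographic
// order and with no whitespace.
func ecJWKThumbprint(pub *ecdsa.PublicKey) (string, error) {
	var crv string
	switch pub.Curve {
	case elliptic.P256():
		crv = "P-256"
	case elliptic.P384():
		crv = "P-384"
	case elliptic.P521():
		crv = "P-521"
	default:
		return "", fmt.Errorf("unsupported curve %s", pub.Curve.Params().Name)
	}
	size := (pub.Curve.Params().BitSize + 7) / 8 // coordinates are fixed width
	x := pub.X.FillBytes(make([]byte, size))
	y := pub.Y.FillBytes(make([]byte, size))
	jwk := fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`, crv, b64(x), b64(y))
	sum := sha256.Sum256([]byte(jwk))
	return b64(sum[:]), nil
}

// keyAuthorization is token || "." || thumbprint (RFC 8555, section 8.1).
func keyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// dns01Record returns the TXT record name and value a DNS hook must publish:
// _acme-challenge under the FQDN, and base64url(SHA-256(keyAuthorization)).
func dns01Record(fqdn, keyAuth string) (name, value string) {
	sum := sha256.Sum256([]byte(keyAuth))
	return "_acme-challenge." + fqdn, b64(sum[:])
}

func main() {
	key, err := newAccountKey()
	if err != nil {
		panic(err)
	}
	thumb, err := ecJWKThumbprint(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	// Constructed token; a real one comes from the CA's challenge object.
	keyAuth := keyAuthorization("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", thumb)
	name, value := dns01Record("example.test", keyAuth)
	fmt.Printf("%s TXT %q\n", name, value)
}
```

A hook in the style dehydrated describes would receive the FQDN and the value from dns01Record, publish the TXT record, and be called again to remove it once validation completes; the computation above is the only cryptographic part the tool itself has to supply.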
Requesting a wildcard certificate seems to not be possible at the moment:
*.example.com: 400 urn:acme:error:malformed: Error creating new authz :: Wildcard names not supported
Requesting a wildcard certificate seems to not be possible at the moment:
$ acme cert *.example.com
*.example.com: 400 urn:acme:error:malformed: Error creating new authz :: Invalid character in DNS name
When the real web server serves as a proxy for the tool, redirecting the traffic for /.well-known/acme-challenge using unix sockets allows for a more resilient/hardened setup. For example, one can use permissions or selected mounts to isolate the tool's socket from the rest of the system. So it would be nice if the -s option to the cert command allowed specifying a unix socket to listen on.
While trying to run the command "acme cert $domain name", I am getting the error identifier authorization failed. I followed the steps in the README file, not sure how to trace the error back.
If I try to register my id with the mailto option, I get the error malformed: Registration key already in use, which is mostly because I have already registered this mail-id. How can I unregister the id, or is this error completely different in scope?
This method is useful to implement DNS challenge (keyAuth).
How can acme be configured to use a different CA (other than LetsEncrypt)?
I added another ACME-compatible CA to discoAliases, but no effect.
Is there a command line option I need to use?
How do you even point to "letsencrypt-staging" instead of "letsencrypt" ?
Any pointers appreciated.
root@ip-10-108-9-175:~# acme reg -gen mailto:[email protected]
account key: open /root/.config/acme/account.key: no such file or directory
root@ip-10-108-9-175:~# mkdir -p /root/.config/acme/
root@ip-10-108-9-175:~# acme reg -gen mailto:[email protected]
CA requires acceptance of their Terms and Services agreement:
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
Do you accept? (Y/n)
The suggested first step in the Readme doesn't mention that the config dir needs to be created. Maybe if this is missing it should prompt you and ask if the dir should be created automatically?
In order to avoid code like:
strings.Contains(err.Error(), "Registration key is already in use")
every error returned by the library should be predefined as a var, see for example https://golang.org/pkg/net/http/#pkg-variables
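The idiom the issue asks for, as an added Go example (not the project's code): the library maps the CA's problem document onto exported sentinel errors once, callers match with errors.Is and read the status code with errors.As, and the string comparison quoted above lives in exactly one place. The Error type, the sentinel names and the registerOrReuse caller are all assumptions made for the example; the 409 detail string and the error URNs are the ones quoted on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors callers match with errors.Is instead of grepping strings.
var (
	ErrRegistrationKeyInUse = errors.New("acme: registration key is already in use")
	ErrUnauthorized         = errors.New("acme: unauthorized")
	ErrRateLimited          = errors.New("acme: rate limited")
)

// Error is the structured form of an ACME problem document returned by the
// CA. It keeps the raw fields for logging and wraps a sentinel for matching.
type Error struct {
	StatusCode int
	Type       string // e.g. "urn:acme:error:malformed"
	Detail     string
	sentinel   error
}

func (e *Error) Error() string {
	return fmt.Sprintf("%d %s: %s", e.StatusCode, e.Type, e.Detail)
}

// Unwrap is what lets errors.Is(err, ErrRegistrationKeyInUse) succeed.
func (e *Error) Unwrap() error { return e.sentinel }

// newError classifies a CA problem. HasSuffix on the type accepts both the
// ACMEv1 "urn:acme:error:" and the RFC 8555 "urn:ietf:params:acme:error:"
// prefixes; the Detail match for the 409 case is the one string the CA
// gives us and now lives in a single place.
func newError(status int, typ, detail string) error {
	e := &Error{StatusCode: status, Type: typ, Detail: detail}
	switch {
	case status == 409 && strings.Contains(detail, "Registration key is already in use"):
		e.sentinel = ErrRegistrationKeyInUse
	case strings.HasSuffix(typ, ":unauthorized"):
		e.sentinel = ErrUnauthorized
	case strings.HasSuffix(typ, ":rateLimited"):
		e.sentinel = ErrRateLimited
	}
	return e
}

// registerOrReuse shows the caller side: treat "already registered" as
// success, report 5xx responses as transient, pass everything else through.
func registerOrReuse(err error) (string, error) {
	switch {
	case err == nil:
		return "registered", nil
	case errors.Is(err, ErrRegistrationKeyInUse):
		return "already registered, reusing key", nil
	}
	var ae *Error
	if errors.As(err, &ae) && ae.StatusCode >= 500 {
		return "", fmt.Errorf("transient CA failure: %w", err)
	}
	return "", err
}

func main() {
	// Constructed responses mirroring the messages quoted in these issues.
	for _, err := range []error{
		nil,
		newError(409, "urn:acme:error:malformed", "Registration key is already in use"),
		newError(403, "urn:acme:error:unauthorized", "No registration exists matching provided key"),
		newError(500, "urn:acme:error:serverInternal", "boom"),
	} {
		msg, rerr := registerOrReuse(err)
		fmt.Printf("msg=%q err=%v\n", msg, rerr)
	}
}
```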