Comments (8)
Update on this:
- According to the spec, /new-cert should return the new certificate in its body, in addition to a Location header pointing to the canonical URL for the new certificate. The identifying part of the canonical URL is not specified: an obvious choice would be serial number.
- We probably want to modify the spec so the client requests a new cert and then polls until it's ready. This allows us to deal with a few things:
- Ensuring the first OCSP "valid" response is signed and push to the origin server for OCSP responses.
- It's possible the CA may lag behind during times of heavy load, and we might have to wait a moderate amount of time for the certificate to be generated.
- The longer we hold a request open the more likely it is to get reset by random network issues. We should, relatedly, figure out what the client should do if it makes a certificate request but gets a network failure before seeing a response.
from boulder.
For now I think it's fine to proceed with coding the client to expect a certificate directly in the body of the /new-cert response. @jdkasten
from boulder.
Thanks, @jsha! cc @kuba @garrettr
On Wed, Apr 1, 2015 at 4:45 PM, jsha [email protected] wrote:
For now I think it's fine to proceed with coding the client to expect a
certificate directly in the body of the /new-cert response. @jdkasten
https://github.com/jdkasten—
Reply to this email directly or view it on GitHub
#72 (comment).
from boulder.
Actually I'm not sure how I missed it but it looks like the current code does provide the Location header pointing to the new cert. Was this not showing up in your tests?
from boulder.
All of my info is probably outdated at this point. I have been trying to work on other aspects of the project. I stopped working on trying to get integration when the deadline was moved (local testing mode was still hardcoded). At the time I didn't write any reoccuring tests against Boulder because my solution was a hack (deadline) and it also requires authorization which was difficult to come by. @kuba or @GarettR probably know the most right now regarding protocol violations. @kuba wrote networking code and an example script to test the server here restified.py It just doesn't achieve authorization as that requires full client integration. I know he listed current problems with Boulder/spec as TODOs in the network2 code that I can forward to you if it would help.
from boulder.
Here is @kuba's restified networking code. It references Boulder throughout... but it hasn't been integrated into mainline client yet.
https://github.com/letsencrypt/lets-encrypt-preview/blob/master/letsencrypt/client/network2.py
from boulder.
network2
actually expects POST /new-cert
to return DER-encoded certificate in the HTTP response body and Location
header set to the Certificate Resource URI (and optionally "up" Link
header poiting at chain certificate URL). It wasn't easy to derive that this is the intended behavior, but I believe it follows logically from the spec.
from boulder.
Working as intended.
from boulder.
Related Issues (20)
- TestAkamaiPurgerDrainQueueSucceeds data race
- Upgrade to go-jose v4
- Publish website documentation concerning profiles, link in user facing errors
- admin <subcommand> -help should work without -config
- Prototype psql backend
- Include sha256sums of the release artifacts
- ARI stats for draft-03 replacements
- Design and implement a system for automatically rejecting requests from doomed clients
- Design Document
- Remove orderModelv1 from the SA package
- CA: Remove deprecated Issuance.Profiles field
- Add test for CRLs with no entries
- Add CI action to prompt CP/CPS review upon feature flag introduction
- Track chosen certificate profile in RA audit log and metric HOT 1
- PSL update
- Run pkilint in integration tests
- sa: investigate removing requestedNames table HOT 1
- Consider removing Subject Key Identifier from end-entity certificates
- Azure Rate Limit Exclusion question HOT 2
- go1.22: Remove loop variable lexical rebindings after a future gopls update
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from boulder.