
nmorsman commented on June 8, 2024

Hello,

This is, as you've noted, already implemented to a certain degree. If you are using auto-mode you specify a challenge type priority and a challenge is selected for you. If no challenge matches your priority list, any available challenge will be selected.

Let's Encrypt returns all available challenge types when requesting a certificate. Available types depend on the DNS name, for example a wildcard certificate needs to be authorized by a dns-01 challenge. You should enforce the challenge types in your challengeCreateFn(), for example:

async function challengeCreateFn(authz, challenge, keyAuthorization) {
    if (challenge.type === 'http-01') {
        // Do http-01 things
    }
    else if (challenge.type === 'dns-01') {
        // Do dns-01 things
    }
    else {
        throw new Error('Unsupported challenge type');
    }
}

await client.auto({
    challengePriority: ['http-01', 'dns-01'],
    challengeCreateFn
});

The unknown challenge type error you are seeing is caused by tls-alpn-01 not being implemented in acme-client yet, thanks for reporting it! Just pushed a fix 7409efb, will land with v2.2.2 today or tomorrow.

Please let me know if you have any further questions.

from node-acme-client.

maalni commented on June 8, 2024

Thanks for your reply.
The problem is that I can only satisfy http-01 requests, since I'm writing a bot for automatic SSL cert renewal on GitLab instances (currently only gitlab.com). One way would be to filter the challenge type every time it doesn't match http-01 and request a new one, but this would be extremely inefficient when you have a large list of domains.
Also, I currently don't use auto-mode because the bot verifies by itself if the challenge is available and then calls your functions.


nmorsman commented on June 8, 2024

Alright, I think I understand the issue.

When ordering a certificate all available challenges are returned from the API, so you can just select the one that fits your needs.

I'm going to use https://github.com/publishlab/node-acme-client/blob/master/examples/api.js#L76 as an example.

Instead of popping the last challenge off the array (line 76):

const challenge = authz.challenges.pop();

Try selecting the http-01 challenge type:

const challenge = authz.challenges.find(c => c.type === 'http-01');

if (!challenge) {
    throw new Error('No http-01 challenge available');
}

Hope this helps!


maalni commented on June 8, 2024

Thanks, that should solve my issue, will test it at the weekend. ^^
Maybe you should include this or a comment in https://github.com/publishlab/node-acme-client/blob/master/examples/api.js#L76 so other people can use this too!
(I logged authz.challenges and saw the different types of challenges, but thought that they were the different challenges for the different domains)


nmorsman commented on June 8, 2024

Great, glad I could help!

If anyone should stumble across this issue with a similar question:

/**
 * authorizations / client.getAuthorizations(order);
 * An array with one item per DNS name in the certificate order.
 * All items require at least one satisfied challenge before order can be completed.
 */

const authorizations = await client.getAuthorizations(order);

authorizations.forEach((authz) => {
    /**
     * challenges / authz.challenges
     * An array of all available challenge types for a single DNS name.
     * One of these challenges needs to be satisfied.
     */

    const challenges = authz.challenges;
});

I'll note it down in the example/documentation as well.

from node-acme-client.
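
Added example (not part of the thread or the acme-client project): the per-authorization selection discussed above, applied to a whole order and failing closed when a name offers no permitted challenge type. `planChallenges`, `ALLOWED_TYPES` and the sample data are hypothetical; the object fields (`identifier`, `status`, `wildcard`, `challenges`) assume the RFC 8555 authorization shape.

```javascript
// Added example, not from the thread or the acme-client project.
// Authorization objects follow the RFC 8555 shape; sample data is constructed.

const ALLOWED_TYPES = ['http-01']; // assumption: the bot can only serve http-01

/**
 * Pick one allowed challenge per authorization, failing closed.
 * Returns { selected: [{ name, challenge }], skipped: [name], unsatisfiable: [name] }.
 */
function planChallenges(authorizations, allowedTypes = ALLOWED_TYPES) {
    const plan = { selected: [], skipped: [], unsatisfiable: [] };

    for (const authz of authorizations) {
        const name = (authz.wildcard ? '*.' : '') + authz.identifier.value;

        // Already-valid authorizations need no new challenge response
        if (authz.status === 'valid') {
            plan.skipped.push(name);
            continue;
        }

        // Honour the order of allowedTypes; never fall back to any other type
        const challenge = allowedTypes
            .map((type) => authz.challenges.find((c) => c.type === type))
            .find(Boolean);

        if (challenge) plan.selected.push({ name, challenge });
        else plan.unsatisfiable.push(name);
    }
    return plan;
}

// Constructed sample: three names in one order
const sampleAuthorizations = [
    { identifier: { type: 'dns', value: 'www.example.com' }, status: 'pending',
      challenges: [
          { type: 'dns-01', token: 'tok-a', status: 'pending' },
          { type: 'http-01', token: 'tok-b', status: 'pending' },
          { type: 'tls-alpn-01', token: 'tok-c', status: 'pending' }] },
    { identifier: { type: 'dns', value: 'example.com' }, status: 'pending', wildcard: true,
      challenges: [{ type: 'dns-01', token: 'tok-d', status: 'pending' }] },
    { identifier: { type: 'dns', value: 'git.example.com' }, status: 'valid',
      challenges: [{ type: 'http-01', token: 'tok-e', status: 'valid' }] }
];

const samplePlan = planChallenges(sampleAuthorizations);
console.log(JSON.stringify(samplePlan, null, 2));
```

Building the plan before any challenge response is published lets a bot report names it cannot validate (here the wildcard, which only offers dns-01) without touching the rest of the order.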
