1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
# Automatic Certificate Management Environment (ACME)
## Certificate Management
- [ ] Registration
- [ ] Account Recovery
- [ ] Identifier Authorization
- [ ] Certificate Issuance
- [ ] Certificate Revocation
## Identifier Validation Challenges
- [ ] HTTP
- [ ] TLS with Server Name Indication (TLS SNI)
- [ ] Proof of Possession of a Prior Key
- [ ] DNS
## API
Register(email string) -> Registration(Account, PrivKey, Noncer)
LoadAccount(email string) -> --""--
Registration.Recover(?)
Regsitration.Authorize(domain []string) -> ([]Challange, []Combination)
Regsitration.Renew(domain []string) -> ([]Challange, []Combination)
## Flow
get directory -> urls, first nonce
marshal, sign, post -> nonce, response, next
## Use Flow
Init: param(email)
Create and register account if there is none
Periodic: (batch)
Check want files
if Cert is missing, request it
Walk through obtained certs and check for expire
if Expire aproaches, renew cert
Call hooks (reload webserver, etc.)
Revoke: param(domain.tld)
handled separate
Restore: param(email)
handled separate
## misc
If domain contains www.domain.tdl prefix include domain.tdl automaticly.
## flow v2
account key:
absent -> allocate key, register
present -> do nothing
certificate key:
absent ->
check account key
allocate key, request certificate
present ->
check account key
certificate:
absent -> request certificate
present ->
check expire -> renew cert
worker:
register account
request certificate
renew certifivicate
## test tunnel
slogin -R \*:80:localhost:8080 -R \*:443:localhost:8443 root@docker.moccu.com
# Refactor
## Register Account
- account key -> signer
## Authorize Domain
- account key (signer)
- altnames (desire)
- params: webroot or solver listener address
## Certificate
- account key (signer)
- cert key (desire)
- altnames (desire)
# redesign
- provider -> nonce
- account -> signer
- desire -> map[domain]signer
# alternative implementations
- github.com/xenolf/lego
- github.com/ericchiang/letsencrypt
- github.com/hlandau/acme
# Outbound
outbound1.letsencrypt.org
outbound2.letsencrypt.org
### ---
1. no key, no cert
- generate key, register
- request new cert
2. key present, no cert
- request new cert
3. key present, cert present
- do nothing
4. key present, cert exires/expired
- request new cert
# Rethink (configless setup)
- pro: emails are stored in cert itself
- contra: cannot use same key for cert and account
- possible solution: separate key info@example.com.key with info@example.com stored in cert
## renew (batch mode)
- param: gracetime (default 1 week), basedir (default /etc/ssl/ or ~/.acme/)
- look for file pairs in {basedir}/private/{filename}.key and {basedir}/certs/{filename}.pem
- if found extract NotAfter, DNSNames, EmailAddress
- if issuer is LE and if NotAfter reaches GraceTime use key, DNSNames and email to renew certificate
- backup old cert as {filename}.pem.old and save new cert in {basename}/certs/{filename}.pem
## new (manual mode)
- params: basedir, email, domain
- generate key
- register key and email(s)
- generate csr
- request cert with altnames (domain) and email(s)
- store {basedir}/private/{altname[0]}.key and {basedir}/certs/{altname[0]}.pem
|