# Automatic Certificate Management Environment (ACME)

## Certificate Management

- [ ] Registration
- [ ] Account Recovery
- [ ] Identifier Authorization
- [ ] Certificate Issuance
- [ ] Certificate Revocation

## Identifier Validation Challenges

- [ ] HTTP
- [ ] TLS with Server Name Indication (TLS SNI)
- [ ] Proof of Possession of a Prior Key
- [ ] DNS

## File structure

```
/var/lib/acme
  accounts/
    @mail/ (account ID)
      privkey
      provider
  certs/
    example.com/ (cert ID)
      cert
      chain
      fullchain -> /etc/ssl/certs/example_com.pem
      privkey   -> /etc/ssl/private/example_com.key
  desired/
    example.com: www.example.com example.com   (text file)
```

## API

```
Register(email string)    -> Registration(Account, PrivKey, Noncer)
LoadAccount(email string) -> (same as Register)
Registration.Recover(?)
Registration.Authorize(domain []string) -> ([]Challenge, []Combination)
Registration.Renew(domain []string)     -> ([]Challenge, []Combination)
```

## Flow

1. get directory -> resource URLs, first nonce
2. marshal, sign (JWS carrying the nonce), post -> nonce, response, next

## File structure (draft)

file: account/\*

    another@example.com
    - private.key
    - provider
    - meta (ID) ?

file: want/\* (yaml or toml)

    [domain.tld]
    - provider: letsencrypt/directory
    - account: another@example.com
    - domains: list of additional domains (optional)

file: certs/\*

    cert/domain.tld

file: private/\*

    private/domain.tld

file: tmp/\*

    tmp/domain.csr ?

## Use Flow

Init: param(email)

    Create and register an account if there is none.

Periodic (batch):

    Check want files; if a cert is missing, request it.
    Walk through obtained certs and check expiry; if expiry approaches, renew the cert.
    Call hooks (reload webserver, etc.).

Revoke: param(domain.tld)

    handled separately

Restore: param(email)

    handled separately

## misc

If a domain list contains www.domain.tld, include domain.tld automatically.
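The Flow section above (get directory -> URLs and first nonce; marshal, sign, post -> next nonce) is the JWS exchange every other call rests on. The Go code below is an added example written for these notes, not the project's own code: it implements the client-side `Sign` step and the server-side `Verify` step for a flattened ES256 JWS whose protected header carries the account JWK and a nonce (the draft-era header layout these notes target; RFC 8555 additionally requires a `url` member and, after registration, `kid` in place of `jwk`). `Noncer`, `Sign`, `Verify` and the nonce strings are illustrative names and constructed values; a real client takes nonces from the Replay-Nonce response header.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding

// Noncer pools the Replay-Nonce values the server returns (the directory fetch seeds it,
// each signed POST refills it). Hypothetical type named after the API sketch, not project code.
type Noncer struct{ pool []string }

func (n *Noncer) Put(nonce string) { n.pool = append(n.pool, nonce) }

// Take removes a nonce; an empty pool means the client must fetch one first.
func (n *Noncer) Take() (string, error) {
	if len(n.pool) == 0 {
		return "", errors.New("noncer: pool empty, fetch a new nonce first")
	}
	nonce := n.pool[len(n.pool)-1]
	n.pool = n.pool[:len(n.pool)-1]
	return nonce, nil
}

// pad32 left-pads a big-endian integer to the 32-byte P-256 field width.
func pad32(b []byte) []byte {
	out := make([]byte, 32)
	copy(out[32-len(b):], b)
	return out
}

func jwkOf(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(pad32(pub.X.Bytes())),
		"y": b64.EncodeToString(pad32(pub.Y.Bytes()))}
}

// Sign is the "marshal, sign, post" step: marshal the payload, put the account JWK and a
// fresh nonce in the protected header, sign base64url(header).base64url(payload) with ES256.
func Sign(key *ecdsa.PrivateKey, nonces *Noncer, payload interface{}) ([]byte, error) {
	nonce, err := nonces.Take()
	if err != nil {
		return nil, err
	}
	body, err := json.Marshal(payload)
	if err != nil {
		return nil, err
	}
	hdr, err := json.Marshal(map[string]interface{}{"alg": "ES256", "jwk": jwkOf(&key.PublicKey), "nonce": nonce})
	if err != nil {
		return nil, err
	}
	protected, encPayload := b64.EncodeToString(hdr), b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(protected + "." + encPayload))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	sig := append(pad32(r.Bytes()), pad32(s.Bytes())...) // ES256 is raw R||S, not DER
	return json.Marshal(map[string]string{"protected": protected, "payload": encPayload, "signature": b64.EncodeToString(sig)})
}

// Verify is the server-side counterpart: rebuild the signing input, check the ES256 signature
// against the account key the server holds, return the nonce (to match against issued ones) and payload.
func Verify(pub *ecdsa.PublicKey, envelope []byte) (nonce string, payload []byte, err error) {
	var env map[string]string
	var hdr struct{ Alg, Nonce string } // encoding/json matches "alg"/"nonce" case-insensitively
	if err = json.Unmarshal(envelope, &env); err != nil {
		return "", nil, err
	}
	hdrRaw, errH := b64.DecodeString(env["protected"])
	sig, errS := b64.DecodeString(env["signature"])
	if errH != nil || errS != nil || json.Unmarshal(hdrRaw, &hdr) != nil ||
		hdr.Alg != "ES256" || hdr.Nonce == "" || len(sig) != 64 {
		return "", nil, errors.New("jws: bad header or malformed signature")
	}
	digest := sha256.Sum256([]byte(env["protected"] + "." + env["payload"]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", nil, errors.New("jws: signature does not verify")
	}
	payload, err = b64.DecodeString(env["payload"])
	return hdr.Nonce, payload, err
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	n := &Noncer{}
	n.Put("constructed-nonce-1") // in practice the Replay-Nonce of the directory response
	body, _ := Sign(key, n, map[string]interface{}{"resource": "new-reg", "contact": []string{"mailto:another@example.com"}})
	nonce, payload, err := Verify(&key.PublicKey, body)
	fmt.Println(nonce, string(payload), err)
}
```

The server side matters for the client author too: a nonce is single-use, so the client must not reuse one after a failed POST, and `Take` failing loudly when the pool is empty is the cheapest way to catch that bug.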
## flow v2

account key:

    absent  -> allocate key, register
    present -> do nothing

certificate key:

    absent  -> check account key
               allocate key, request certificate
    present -> check account key

certificate:

    absent  -> request certificate
    present -> check expiry -> renew cert

worker:

    register account
    request certificate
    renew certificate

## test tunnel

```
slogin -R *:80:localhost:8080 -N root@docker.moccu.com
```

Reverse tunnel: port 80 on the remote host is forwarded to the local solver on 8080. Binding to `*` on the remote side only works if its sshd has `GatewayPorts` enabled.

# Refactor

## Register Account

- account key -> signer

## Authorize Domain

- account key (signer)
- altnames (desire)
- params: webroot or solver listener address

## Certificate

- account key (signer)
- cert key (desire)
- altnames (desire)
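The flow v2 decision table and the www rule under misc are pure decision logic, so here is an added Go example (written for these notes, not the project's own code) that encodes them: `Plan` maps what the worker sees on disk to the actions register / request / renew, `Altnames` applies the www.domain.tld -> domain.tld rule, and `ParseDesired` reads the `desired/` line format sketched in the file structure. `State`, `Plan`, `Altnames`, `ParseDesired` and the 30-day renewal window are hypothetical names and values. It goes one step beyond the notes: a certificate whose SAN set no longer matches the desired altnames is also renewed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Action is one unit of work for the worker loop.
type Action string

const (
	RegisterAccount    Action = "register account"
	RequestCertificate Action = "request certificate"
	RenewCertificate   Action = "renew certificate"
)

// State is what the periodic job can observe on disk for one want/ entry.
// Hypothetical struct for this example, not the project's own type.
type State struct {
	AccountKey bool      // accounts/<mail>/privkey present
	CertKey    bool      // private/domain.tld present
	NotAfter   time.Time // zero value when certs/domain.tld is absent
	Altnames   []string  // SANs of the certificate on disk
}

// Plan turns the "flow v2" table into an ordered action list: no account key -> register
// first; no cert key or no cert -> request; otherwise renew once expiry is within renewBefore.
// Extension of the notes: a cert whose SANs no longer match the desired altnames is renewed too.
func Plan(s State, now time.Time, renewBefore time.Duration, wanted []string) []Action {
	var acts []Action
	if !s.AccountKey {
		acts = append(acts, RegisterAccount)
	}
	switch {
	case !s.CertKey || s.NotAfter.IsZero():
		acts = append(acts, RequestCertificate)
	case !now.Add(renewBefore).Before(s.NotAfter):
		acts = append(acts, RenewCertificate)
	case !equalNames(Altnames(s.Altnames), Altnames(wanted)):
		acts = append(acts, RenewCertificate)
	}
	return acts
}

// Altnames normalises a desired name list: lower-case, deduplicate, and per the "misc" rule
// add domain.tld whenever www.domain.tld is requested. Sorted so lists compare deterministically.
func Altnames(domains []string) []string {
	seen := map[string]bool{}
	for _, d := range domains {
		d = strings.ToLower(strings.TrimSpace(d))
		if d == "" {
			continue
		}
		seen[d] = true
		// "www.com" has no apex to add; only strip "www." when a dot remains.
		if apex := strings.TrimPrefix(d, "www."); apex != d && strings.Contains(apex, ".") {
			seen[apex] = true
		}
	}
	out := make([]string, 0, len(seen))
	for d := range seen {
		out = append(out, d)
	}
	sort.Strings(out)
	return out
}

// ParseDesired reads one desired/ line, "example.com: www.example.com example.com",
// and returns the cert ID and the expanded, normalised altnames.
func ParseDesired(line string) (id string, names []string, err error) {
	parts := strings.SplitN(line, ":", 2)
	if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" {
		return "", nil, fmt.Errorf("desired: malformed line %q", line)
	}
	return strings.TrimSpace(parts[0]), Altnames(strings.Fields(parts[1])), nil
}

func equalNames(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	id, names, _ := ParseDesired("example.com: www.example.com example.com")
	now, month := time.Now(), 30*24*time.Hour
	// Constructed states: a fresh install, and a cert that expires in ten days.
	fresh := State{}
	expiring := State{AccountKey: true, CertKey: true, NotAfter: now.Add(10 * 24 * time.Hour), Altnames: names}
	fmt.Println(id, names, Plan(fresh, now, month, names), Plan(expiring, now, month, names))
}
```

Keeping the decision separate from the ACME calls means the periodic job can be dry-run against the on-disk state (and unit-tested with a fixed clock) before anything talks to the CA.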