# Automatic Certificate Management Environment (ACME)

## Certificate Management

- [ ] Registration
- [ ] Account Recovery
- [ ] Identifier Authorization
- [ ] Certificate Issuance
- [ ] Certificate Revocation

## Identifier Validation Challenges

- [ ] HTTP
- [ ] TLS with Server Name Indication (TLS SNI)
- [ ] Proof of Possession of a Prior Key
- [ ] DNS

## API

    Register(email string) -> Registration(Account, PrivKey, Noncer)
    LoadAccount(email string) -> Registration(Account, PrivKey, Noncer)
    Registration.Recover(?)
    Registration.Authorize(domain []string) -> ([]Challenge, []Combination)
    Registration.Renew(domain []string) -> ([]Challenge, []Combination)

## Flow

- get directory -> URLs, first nonce
- marshal, sign, post -> nonce, response, next

## Use Flow

- Init: param(email)
  - Create and register the account if there is none
- Periodic (batch):
  - Check the want files; if a cert is missing, request it
  - Walk through the obtained certs and check their expiry; if expiry approaches, renew the cert
  - Call hooks (reload webserver, etc.)
- Revoke: param(domain.tld), handled separately
- Restore: param(email), handled separately

## misc

If a domain carries a www. prefix (www.domain.tld), include the bare domain.tld automatically.

## flow v2

- account key:
  - absent -> allocate key, register
  - present -> do nothing
- certificate key:
  - absent -> check account key, allocate key, request certificate
  - present -> check account key
- certificate:
  - absent -> request certificate
  - present -> check expiry -> renew cert
- worker:
  - register account
  - request certificate
  - renew certificate

## test tunnel

    slogin -R *:80:localhost:8080 -R *:443:localhost:8443 root@docker.moccu.com

# Refactor

## Register Account

- account key -> signer

## Authorize Domain

- account key (signer)
- altnames (desire)
- params: webroot or solver listener address

## Certificate

- account key (signer)
- cert key (desire)
- altnames (desire)

# redesign

- provider -> nonce
- account -> signer
- desire -> map[domain]signer

# alternative implementations

- github.com/xenolf/lego
- github.com/ericchiang/letsencrypt
- github.com/hlandau/acme

# Outbound

- outbound1.letsencrypt.org
- outbound2.letsencrypt.org

---

1. no key, no cert
   - generate key, register
   - request new cert
2. key present, no cert
   - request new cert
3. key present, cert present
   - do nothing
4. key present, cert expires/expired
   - request new cert
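The four cases above together with the www. rule from the misc section, written out as a Go planner. This is an added example, not the project's own code: the `State` struct, `Plan`, `ExpandAltNames` and the `renewBefore` window are assumptions made here, and the account-key and certificate-key steps follow the "flow v2" checklist.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// State records which artefacts exist on disk and, if a cert is present, its NotAfter.
type State struct {
	AccountKey, CertKey, HasCert bool
	NotAfter                     time.Time
}

// Plan returns the worker's actions for the four cases; a cert is "expiring" once now is within renewBefore of NotAfter.
func Plan(s State, now time.Time, renewBefore time.Duration) []string {
	var acts []string
	if !s.AccountKey {
		acts = append(acts, "allocate account key", "register account")
	}
	if !s.CertKey {
		acts = append(acts, "allocate certificate key")
	}
	switch {
	case !s.HasCert:
		acts = append(acts, "request certificate")
	case !now.Before(s.NotAfter.Add(-renewBefore)): // expiring or already expired
		acts = append(acts, "renew certificate")
	}
	return acts // nil: key and valid cert present, do nothing
}

// ExpandAltNames applies the misc rule: www.domain.tld also requests bare domain.tld, without duplicates.
func ExpandAltNames(domains []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, d := range domains {
		for _, name := range []string{d, strings.TrimPrefix(d, "www.")} {
			if !seen[name] {
				seen[name] = true
				out = append(out, name)
			}
		}
	}
	return out
}

func main() {
	fmt.Println(Plan(State{}, time.Now(), 30*24*time.Hour), ExpandAltNames([]string{"www.example.org"}))
}
```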