aboutsummaryrefslogtreecommitdiff
path: root/README.md
blob: 263761f207036ade223f7fa491052269a1fc8b04 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# Automatic Certificate Management Environment (ACME)

## Certificate Management

- [ ] Registration
- [ ] Account Recovery
- [ ] Identifier Authorization
- [ ] Certificate Issuance
- [ ] Certificate Revocation

## Identifier Validation Challenges

- [ ] HTTP
- [ ] TLS with Server Name Indication (TLS SNI)
- [ ] Proof of Possession of a Prior Key
- [ ] DNS

## File structure

/var/lib/acme
	accounts/
		@mail/		(account ID)
			privkey
			provider
	certs/
		example.com/	(cert ID)
			cert
			chain
			fullchain	-> /etc/ssl/certs/examople_com.pem
			privkey		-> /etc/ssl/private/example_com.key
	desired/
		example.com:	www.example.com example.com (text file)

## API
Register(email string) -> Registration(Account, PrivKey, Noncer)
LoadAccount(email string) -> --""--
Registration.Recover(?)
Regsitration.Authorize(domain []string) -> ([]Challange, []Combination)
Regsitration.Renew(domain []string) -> ([]Challange, []Combination)

## Flow

get directory -> urls, first nonce

marshal, sign, post -> nonce, response, next

## File structure (draft)

file: account/\*
	another@example.com
	- private.key
	- provider
	- meta (ID) ?

file: want/\* (yaml or toml)
	[domain.tld]
	- provider: letsencrypt/directory
	- account: another@example.com
	- domains: list of additonal domains (optional)

file: certs/\*
	cert/domain.tld
file: private/\*
	private/domain.tld
file: tmp/\*
	tmp/domain.csr ?

## Use Flow

Init: param(email)
	Create and register account if there is none

Periodic: (batch)
	Check want files
		if Cert is missing, request it
	Walk through obtained certs and check for expire
		if Expire aproaches, renew cert
	Call hooks (reload webserver, etc.)

Revoke: param(domain.tld)
	handled separate

Restore: param(email)
	handled separate

## misc

If domain contains www.domain.tdl prefix include domain.tdl automaticly.

## flow v2

account key:
	absent -> allocate key, register
	present -> do nothing

certificate key:
	absent ->
		check account key
		allocate key, request certificate
	present ->
		check account key
		certificate:
			absent -> request certificate
			present ->
				check expire -> renew cert

worker:
	register account
	request certificate
	renew certifivicate

## test tunnel
slogin -R \*:80:localhost:8080 -N root@docker.moccu.com



# Refactor

## Register Account
- account key -> signer

## Authorize Domain
- account key (signer)
- altnames (desire)
- params: webroot or solver listener address

## Certificate
- account key (signer)
- cert key (desire)
- altnames (desire)