path: root/README.md
blob: f6df939b1de2e8b79dd9d0eec48addeb4b009e7b (plain)
# Automatic Certificate Management Environment (ACME)

## Certificate Management

- [ ] Registration
- [ ] Account Recovery
- [ ] Identifier Authorization
- [ ] Certificate Issuance
- [ ] Certificate Revocation

## Identifier Validation Challenges

- [ ] HTTP
- [ ] TLS with Server Name Indication (TLS SNI)
- [ ] Proof of Possession of a Prior Key
- [ ] DNS

Note: the TLS SNI and proof-of-possession challenges (and account recovery above) belong to the early ACME drafts and did not survive into RFC 8555, which keeps http-01 and dns-01 and adds tls-alpn-01; Let's Encrypt no longer offers TLS SNI validation. Treat those items as historical when prioritising.

## File structure

/var/lib/acme
	accounts/
		<email>/	(account ID: the account's e-mail address)
			privkey
			provider
	certs/
		example.com/	(cert ID)
			cert
			chain
			fullchain	-> /etc/ssl/certs/example_com.pem
			privkey		-> /etc/ssl/private/example_com.key
	desired/
		example.com:	www.example.com example.com (text file)

The two `privkey` files are the only secrets in this tree: create them with mode 0600 (`/etc/ssl/private` is root-only on most distributions). `cert`, `chain` and `fullchain` hold public data only.

## API
Register(email string) -> Registration(Account, PrivKey, Noncer)
LoadAccount(email string) -> same as Register, built from the stored account
Registration.Recover(?)
Registration.Authorize(domain []string) -> ([]Challenge, []Combination)
Registration.Renew(domain []string) -> ([]Challenge, []Combination)

## Flow

get directory -> resource URLs, first nonce (Replay-Nonce header)

marshal payload, sign it as a JWS with the nonce in the protected header, post -> fresh nonce for the next request (Replay-Nonce), response body, next URL (Link rel="next")
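
The marshal/sign/post step as an added Go example (not the project's code): a `Noncer` in the sense of the API section, a JWS signer for the account key, and the matching server-side check. It follows the RFC 8555 layout (ES256, flattened JSON serialization, `alg`/`nonce`/`url`/`jwk` in the protected header); the draft this README targets may name header fields differently, so that layout, the nonce and URL values and the `resource` payload are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
)

// b64 is the unpadded base64url alphabet JWS uses.
var b64 = base64.RawURLEncoding

// Noncer keeps the anti-replay nonce for the next request: the first one comes
// with the directory response, every later response carries a fresh one in its
// Replay-Nonce header, and the server accepts each nonce exactly once.
type Noncer struct{ next string }

// Observe stores the Replay-Nonce from any server response.
func (n *Noncer) Observe(h http.Header) {
	if v := h.Get("Replay-Nonce"); v != "" {
		n.next = v
	}
}

// Take hands out the stored nonce and forgets it, so a nonce is never signed
// into two requests (the server would answer badNonce for the second anyway).
func (n *Noncer) Take() (string, error) {
	if n.next == "" {
		return "", errors.New("no nonce: fetch the directory first")
	}
	v := n.next
	n.next = ""
	return v, nil
}

// JWS is the flattened JSON serialization an ACME client POSTs.
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// jwk renders the public half of a P-256 account key as a JWK (RFC 7517).
func jwk(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{
		"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32))),
	}
}

// Sign is the "marshal, sign" step. The protected header binds the nonce, the
// target url and the account key, so a captured request can be neither
// replayed nor redirected at another endpoint.
func Sign(key *ecdsa.PrivateKey, nonce, url string, payload interface{}) (*JWS, error) {
	body, err := json.Marshal(payload)
	if err != nil { return nil, err }
	hdr, err := json.Marshal(map[string]interface{}{
		"alg": "ES256", "nonce": nonce, "url": url, "jwk": jwk(&key.PublicKey),
	})
	if err != nil { return nil, err }
	j := &JWS{Protected: b64.EncodeToString(hdr), Payload: b64.EncodeToString(body)}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil { return nil, err }
	// JWS carries the raw R||S pair, each left-padded to 32 bytes, not ASN.1 DER.
	j.Signature = b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
	return j, nil
}

// Verify is the server's view of the same message: the signature must cover
// protected.payload, and the header must name the nonce and url the server expects.
func Verify(pub *ecdsa.PublicKey, j *JWS, wantNonce, wantURL string) error {
	sig, err := b64.DecodeString(j.Signature)
	if err != nil || len(sig) != 64 { return errors.New("malformed signature") }
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) { return errors.New("bad signature") }
	raw, err := b64.DecodeString(j.Protected)
	if err != nil { return err }
	var hdr struct{ Alg, Nonce, URL string } // encoding/json matches keys case-insensitively
	if err := json.Unmarshal(raw, &hdr); err != nil { return err }
	if hdr.Alg != "ES256" || hdr.Nonce != wantNonce || hdr.URL != wantURL {
		return fmt.Errorf("protected header mismatch: %+v", hdr)
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	j, _ := Sign(key, "constructed-nonce", "https://acme.example/new-reg", map[string]string{"resource": "new-reg"})
	out, _ := json.Marshal(j)
	fmt.Println(string(out))
}
```

`Take` clears the nonce, so a request that dies before the server answers leaves the client without one; fetch a new nonce in that case instead of retrying with the old value. The `url` check in `Verify` is why the same signed body cannot be turned into a revoke-cert call.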

## File structure (draft)

file: account/\*
	another@example.com
	- private.key
	- provider
	- meta (ID) ?

file: want/\* (yaml or toml)
	[domain.tld]
	- provider: letsencrypt/directory
	- account: another@example.com
	- domains: list of additional domains (optional)

file: certs/\*
	cert/domain.tld
file: private/\*
	private/domain.tld
file: tmp/\*
	tmp/domain.csr ?

## Use Flow

Init: param(email)
	Create and register account if there is none

Periodic: (batch)
	Check want files
		if a cert is missing, request it
	Walk through obtained certs and check expiry
		if expiry approaches, renew the cert
	Call hooks (reload webserver, etc.)

Revoke: param(domain.tld)
	handled separately

Restore: param(email)
	handled separately

## misc

If a domain list contains www.domain.tld, include domain.tld automatically.
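
Reading the `desired/` files from the file structure section and applying the www rule above, as an added Go example (not the project's code). It assumes the layout sketched there: one file per cert ID whose content is a whitespace-separated list of DNS names. Dot-file skipping, case folding, the strict hostname check and keeping the first name in first position are assumptions of this example; the sample directory is constructed in memory.

```go
package main

import (
	"fmt"
	"io/fs"
	"regexp"
	"strings"
	"testing/fstest"
)

// hostname accepts lower-case DNS names with at least two labels: no
// wildcards, no spaces, no IDN (punycode must already be applied). Anything
// else in desired/ is a typo, and a typo must not reach a CSR.
var hostname = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$`)

// ExpandWWW applies the misc rule: every www.X in the list also pulls in X.
// Names are lower-cased, a trailing dot is dropped, duplicates are removed and
// the first name keeps its position (assumed to become the CSR's CN).
func ExpandWWW(names []string) []string {
	seen := map[string]bool{}
	var out []string
	add := func(n string) {
		if n != "" && !seen[n] {
			seen[n] = true
			out = append(out, n)
		}
	}
	for _, n := range names {
		n = strings.ToLower(strings.TrimSuffix(n, "."))
		add(n)
		if strings.HasPrefix(n, "www.") {
			add(strings.TrimPrefix(n, "www."))
		}
	}
	return out
}

// LoadDesired reads every file under desired/: the file name is the cert ID
// and the content is the list of DNS names the cert must cover. In production
// pass os.DirFS("/var/lib/acme/desired"); any invalid entry fails the whole
// batch so a half-read directory is never acted on.
func LoadDesired(fsys fs.FS) (map[string][]string, error) {
	entries, err := fs.ReadDir(fsys, ".")
	if err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, e := range entries {
		if e.IsDir() || strings.HasPrefix(e.Name(), ".") {
			continue // dot files: editor swap files and the like
		}
		raw, err := fs.ReadFile(fsys, e.Name())
		if err != nil {
			return nil, err
		}
		names := ExpandWWW(strings.Fields(string(raw)))
		if len(names) == 0 {
			return nil, fmt.Errorf("desired/%s: no domains listed", e.Name())
		}
		for _, n := range names {
			if !hostname.MatchString(n) {
				return nil, fmt.Errorf("desired/%s: %q is not a valid DNS name", e.Name(), n)
			}
		}
		out[e.Name()] = names
	}
	return out, nil
}

// SampleDesired is a constructed stand-in for /var/lib/acme/desired.
var SampleDesired = fstest.MapFS{
	"example.com":  {Data: []byte("www.example.com example.com\n")},
	"shop":         {Data: []byte("WWW.Shop.Example.\n")},
	".example.swp": {Data: []byte("garbage")},
}

func main() {
	certs, err := LoadDesired(SampleDesired)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for id, names := range certs {
		fmt.Printf("%s: %s\n", id, strings.Join(names, " "))
	}
}
```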

## flow v2

account key:
	absent -> allocate key, register
	present -> do nothing

certificate key:
	absent ->
		check account key
		allocate key, request certificate
	present ->
		check account key
		certificate:
			absent -> request certificate
			present ->
				check expiry -> renew cert if it approaches

worker:
	register account
	request certificate
	renew certificate
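
The periodic decision from the Use Flow section and the flow v2 tree above, as an added Go example (not the project's code): `Plan` maps what exists on disk to the worker's actions, and `NeedsRenewal` is the "check expiry" step. The 30-day renewal window, the action names and the self-signed test certificate are assumptions; the README fixes none of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// State is what the worker finds on disk for one cert ID.
type State struct {
	AccountKey bool              // accounts/<id>/privkey present
	CertKey    bool              // certs/<id>/privkey present
	Cert       *x509.Certificate // certs/<id>/cert, nil when absent
}

// The worker's actions, named as in flow v2.
const (
	RegisterAccount = "register account"
	AllocateCertKey = "allocate certificate key"
	RequestCert     = "request certificate"
	RenewCert       = "renew certificate"
)

// RenewWindow is how long before NotAfter "expiry approaches". The README does
// not fix a value; 30 days is assumed here (a third of a 90-day certificate).
const RenewWindow = 30 * 24 * time.Hour

// Plan turns the flow v2 decision tree into the ordered list of actions for
// one cert ID; an empty list means there is nothing to do this run.
func Plan(s State, now time.Time) []string {
	var acts []string
	if !s.AccountKey { // both branches of the tree start with "check account key"
		acts = append(acts, RegisterAccount)
	}
	switch {
	case !s.CertKey:
		acts = append(acts, AllocateCertKey, RequestCert)
	case s.Cert == nil:
		acts = append(acts, RequestCert)
	case NeedsRenewal(s.Cert, now):
		acts = append(acts, RenewCert)
	}
	return acts
}

// NeedsRenewal is the "check expiry" step: renew once now+RenewWindow reaches
// NotAfter. A certificate that is already expired, or not yet valid (clock
// skew, restored backup), is renewed as well rather than left in place.
func NeedsRenewal(c *x509.Certificate, now time.Time) bool {
	return now.Before(c.NotBefore) || !now.Add(RenewWindow).Before(c.NotAfter)
}

// selfSignedFor builds a throw-away certificate with the given validity so the
// decision logic can be exercised offline; constructed data, not a real cert.
func selfSignedFor(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.com"},
		DNSNames:     []string{"example.com", "www.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	cert, err := selfSignedFor(now.Add(-60*24*time.Hour), now.Add(10*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println(Plan(State{AccountKey: true, CertKey: true, Cert: cert}, now)) // [renew certificate]
	fmt.Println(Plan(State{}, now))                                              // the three setup steps
}
```

Hooks from the Use Flow section belong after `Plan` has been executed and only for IDs whose action list was non-empty, so a run that changes nothing does not reload the web server.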