aboutsummaryrefslogtreecommitdiff
path: root/README.md
blob: d1d8c14e3ad5a568478e11b66d655e702fd1fbfd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# Automatic Certificate Management Environment (ACME)

## Certificate Management

- [ ] Registration
- [ ] Account Recovery
- [ ] Identifier Authorization
- [ ] Certificate Issuance
- [ ] Certificate Revocation

## Identifier Validation Challenges

- [ ] HTTP
- [ ] TLS with Server Name Indication (TLS SNI)
- [ ] Proof of Possession of a Prior Key
- [ ] DNS

## API
Register(email string) -> Registration(Account, PrivKey, Noncer)
LoadAccount(email string) -> --""--
Registration.Recover(?)
Regsitration.Authorize(domain []string) -> ([]Challange, []Combination)
Regsitration.Renew(domain []string) -> ([]Challange, []Combination)

## Flow

get directory -> urls, first nonce

marshal, sign, post -> nonce, response, next

## Use Flow

Init: param(email)
	Create and register account if there is none

Periodic: (batch)
	Check want files
		if Cert is missing, request it
	Walk through obtained certs and check for expire
		if Expire aproaches, renew cert
	Call hooks (reload webserver, etc.)

Revoke: param(domain.tld)
	handled separate

Restore: param(email)
	handled separate

## misc

If domain contains www.domain.tdl prefix include domain.tdl automaticly.

## flow v2

account key:
	absent -> allocate key, register
	present -> do nothing

certificate key:
	absent ->
		check account key
		allocate key, request certificate
	present ->
		check account key
		certificate:
			absent -> request certificate
			present ->
				check expire -> renew cert

worker:
	register account
	request certificate
	renew certifivicate

## test tunnel
slogin -R \*:80:localhost:8080 -R \*:443:localhost:8443 root@docker.moccu.com



# Refactor

## Register Account
- account key -> signer

## Authorize Domain
- account key (signer)
- altnames (desire)
- params: webroot or solver listener address

## Certificate
- account key (signer)
- cert key (desire)
- altnames (desire)

# redesign

- provider -> nonce
- account -> signer
- desire -> map[domain]signer

# alternative implementations

- github.com/xenolf/lego
- github.com/ericchiang/letsencrypt
- github.com/hlandau/acme

# Outbound
outbound1.letsencrypt.org
outbound2.letsencrypt.org