1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
# Automatic Certificate Management Environment (ACME)
## Certificate Management
- [ ] Registration
- [ ] Account Recovery
- [ ] Identifier Authorization
- [ ] Certificate Issuance
- [ ] Certificate Revocation
## Identifier Validation Challenges
- [ ] HTTP
- [ ] TLS with Server Name Indication (TLS SNI)
- [ ] Proof of Possession of a Prior Key
- [ ] DNS
## API
Register(email string) -> Registration(Account, PrivKey, Noncer)
LoadAccount(email string) -> --""--
Registration.Recover(?)
Regsitration.Authorize(domain []string) -> ([]Challange, []Combination)
Regsitration.Renew(domain []string) -> ([]Challange, []Combination)
## Flow
get directory -> urls, first nonce
marshal, sign, post -> nonce, response, next
## Use Flow
Init: param(email)
Create and register account if there is none
Periodic: (batch)
Check want files
if Cert is missing, request it
Walk through obtained certs and check for expire
if Expire aproaches, renew cert
Call hooks (reload webserver, etc.)
Revoke: param(domain.tld)
handled separate
Restore: param(email)
handled separate
## misc
If domain contains www.domain.tdl prefix include domain.tdl automaticly.
## flow v2
account key:
absent -> allocate key, register
present -> do nothing
certificate key:
absent ->
check account key
allocate key, request certificate
present ->
check account key
certificate:
absent -> request certificate
present ->
check expire -> renew cert
worker:
register account
request certificate
renew certifivicate
## test tunnel
slogin -R \*:80:localhost:8080 -R \*:443:localhost:8443 root@docker.moccu.com
# Refactor
## Register Account
- account key -> signer
## Authorize Domain
- account key (signer)
- altnames (desire)
- params: webroot or solver listener address
## Certificate
- account key (signer)
- cert key (desire)
- altnames (desire)
# redesign
- provider -> nonce
- account -> signer
- desire -> map[domain]signer
# alternative implementations
- github.com/xenolf/lego
- github.com/ericchiang/letsencrypt
- github.com/hlandau/acme
# Outbound
outbound1.letsencrypt.org
outbound2.letsencrypt.org
|