Implement ACMEv2, since ACMEv1 is now EOL 😱 #151
Comments
|
Is txacme still active? I have PR #140 open for some time without much feedback. I am using txacme and will work at implementing v2 support |
|
But before going to ACMEv2 I would like to have the API with support for SAN Right now, I am using a forked txame version and I need SAN |
|
@adiroiban SAN support is important, but ACME v2 seems more pressing due to the fact that txacme will stop working entirely if we don’t get to it in time :). |
|
I understand. But before being able to work on ACME v2 and write tests for txacme I need to get familiar with the txacme testing tools. This is why I start working on #140 and was planning to do #37 . After that I can look into ACME v2 support. SAN support should be a quick fix...and I am already using it in production for my project. |
|
@adiroiban I appreciate any work you can do on anything related to txacme, of course. I just hope somebody picks up ACMEv2 soon. |
|
I understand that ACME v2 is critical. But before being able to work on ACME v2 and write tests for txacme v2 I need to get familiar with the txacme testing tools... testing-cabal/testtools needs extra effort to learn This is why I start working on #140 and was planning to do #37 . After that I can look into ACME v2 support. SAN support should be a quick fix...and I am already using it in production for my project. |
|
I have start working on the ACME 2. So far is a proof of concept ... as I still don't understand the eltot loging and all the callback chains. Once I get a basic example up and running I will also update the tests https://github.com/twisted/txacme/tree/151-acme-v2 There will be an API break for the low level ACME client... but I think that ACME service can continue to work as it is. |
|
I have implemented the v2 protocol based on a local pebble server. I have not yet updated the AcmeIssuingService to use the new implementation In the 151-acme-v2 there is an example script that I used for manual testing https://github.com/twisted/txacme/compare/151-acme-v2 The API is changed as v2 has a different process and objects. Will continue to work on the ACME service part with support for SAN |
|
Amazing! 🙂 Any idea of when this implementation will be usable in the mainline |
|
I don't know... using eliot and testtools.matchers and not using defer.inlineCallbacks is still a pain for me ... so I don't know when the PR can be merged. In order to get things done, at least from now, I have removed some eliot logging and no automated tests were written... only the example script which can server as a manual happy path test. I hope to get AcmeIssuingService in the next week |
|
I have implemented the Service part of txacme . as far as I can tell, there was no API change for the txacme.service.AcmeIssuingService Please give it a try from the in work branch and let me know if anything is broke. The low level txacme.client.Client API was changed The current implementation also support SAN via CSV names. |
|
I think that for the initial release of ACME v2 we should remove the endpoint support. The endpoint support for ACME v2 can be added later. The current ACME v2 branch is already huge. |
|
What is still required to get this to a usable state? I'm going to see if I can put together a minimal example using it and a private_key in from certbot. I can also give the patched client.py a once-over and open a PR with just it, as that would restore at least basic functionality here. |
|
@perkinslr I think "it takes 2 to tango" Can you try the version from here? The thing that since there wasn't much public interest into txacme, I kept using my fork and private test - a dump is here https://gist.github.com/adiroiban/b895a62b4d28197dfdc8b803aa23ab0c it needs some feedback in terms of API, to make sure the API can be use in multiple scenarios. but if you are happy to try a pre-release I am happy to continue working on this. |
|
Doesn't look like you've made any further changes to As for the lack of public interest, I think that's a matter of messaging. I actually got about 1/4 of the way through RFC8555 to start working on it because I failed to find this before stumbling upon it. Probably because I was looking for twisted-certbot rather than twisted-acme integration. Not sure how to get this to show in searches for "twisted certbot", probably mention it's "an alternative to certbot" somewhere in the readme, but that can be addressed once it's functional. |
|
Hm, the imports in |
|
ok. let me put all the code and tests that I have in the current PR. We can discuss based on the exact code... the PR will be a monster, but as long as the tests are green and have some sort of coverage, I think that we should merge the PR. Then we can create separate PR to do various other changes or bugfixes. I have also canibalized the existing project as I have removed versioneeer as I remember that it was not playing nice with private pypi mirrors...and I had to build from source for AIX and Alpine Linux... but maybe versioneer works with those cases and is just that I don't know how to use it. And eliot usage and hyphotesis usage ...and I didn't know how to use them TDD and they were just stading in my way. |
|
You're still using eliot inside |
|
The dns01 challenge appears to possibly be broken, as I can't figure out from the provided parameters what value should be set in the txt record. |
|
Yup. The call to |
|
I have only implemented HTTP-01 for v2. |
|
Really? Because I have DNS01 working. The challenge type is different, and the way to get the verification string is slightly different, but otherwise it's quite simple. (The current API just requires the dev to keep a handle to the client secret key in order to generate the string inside the |
|
I have never tried DNS-01 with my v2 branch. From you comment, I am not sure if the existing |
|
I created my own DNS responder, since I need to reach out to my DNS provider to change the TXT record via their API. Don't see any reference to LibcloundDNSResponder, since I'm not using anything from your branch except the client.py. |
|
@perkinslr ok. The AcmeIssuingService is nice. You just set it up and it will take care of long term renewal. If you have time, it would be nice to take a look at the AcmeIssuingService API and see what it's missing from making it usable for you test case. see the code on the new #161 ... that is the code that I am trying to merge |
|
Fundamentally, the problem with So far, I have implemented a simple periodic certificate check that goes through the list of The whole implementation, including challenge responders, weighs in at 200 loc. Were I to use From looking at |
|
I have merged the code. I will have to look into updating the tests for AcmeIssuingService and do a release. And also check the docs. The endpoint is no longer supported at SNI-01 is no longer supported |
txacme.client.ServerError: (Error(typ=u'urn:acme:error:unauthorized', detail=u'Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.', title=None), <treq.response._Response 403 'application/problem+json' 280 bytes>)The text was updated successfully, but these errors were encountered: