acme-client 1.0.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 4f48de1046df3b5b987afb2b8c3175d022459efd
-  data.tar.gz: d138fca27e0b9b363fd84e85882fe8fa37d61c31
+SHA256:
+  metadata.gz: ccaa8fb7fadbae1a6d93f99ad319ca95261994cbec494ab885028aae2f894a6a
+  data.tar.gz: 224d05d0f66cb37ffcbcf1bf05f649e0278dc097518b927dcc4a2e635ba29357
 SHA512:
-  metadata.gz: ee22b724906361bcd48f668a47472c7d78dc624d88b375d94ea3efa96e359decf674387f17f935a2fcc2f5583f31735921f02addad3b996ef710d24b3e155415
-  data.tar.gz: 3886e12ad0d8478a1013bec98fd1e491e259fa39a4623d90d6be3416661d11c2338dbc9487f3284f0b71fb0dfbc848abe18dc392eede667218942c771555a286
+  metadata.gz: c461b3d255fc35d3b21411632ff4f26700fd0969547f8a7a93879c719e2383f58badfc0278bc45df4780b293094af3b2d560494ac3f00076dae23affbe697682
+  data.tar.gz: 477869ea08075d8e9d70afa80f4576f6a0ffb936bfb70244b0bf6f8d34d2da593d76acf6231d266fd920eeb0fbf4045e4605869c77f9b06377487cbb4902c014

data/.rubocop.yml

@@ -99,5 +99,41 @@ Style/BlockDelimiters:
 Style/Lambda:
   Enabled: false
 
+Style/GuardClause:
+  Enabled: false
+
+Style/Alias:
+  Enabled: false
+
+Lint/AmbiguousOperator:
+  Enabled: false
+
+Metrics/MethodLength:
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/ClassLength:
+  Enabled: false
+
+Style/MutableConstant:
+  Enabled: false
+
+Style/GlobalVars:
+  Enabled: false
+
+Style/ExpandPathArguments:
+  Enabled: false
+
+Security/JSONLoad:
+  Enabled: false
+
 Naming/AccessorMethodName:
   Enabled: false

data/README.md

@@ -1,17 +1,15 @@
-# Deprecated
-
-This branch track the client for ACMEv1.
-
 # Acme::Client
 
 [![Build Status](https://travis-ci.org/unixcharles/acme-client.svg?branch=master)](https://travis-ci.org/unixcharles/acme-client)
 
-`acme-client` is a client implementation of the [ACME](https://github.com/ietf-wg-acme/acme/) protocol in Ruby.
+`acme-client` is a client implementation of the [ACMEv2](https://github.com/ietf-wg-acme/acme) protocol in Ruby.
 
-You can find the ACME reference implementations of the [server](https://github.com/letsencrypt/boulder) in Go and the [client](https://github.com/letsencrypt/letsencrypt) in Python.
+You can find the ACME reference implementations of the [server](https://github.com/letsencrypt/boulder) in Go and the [client](https://github.com/certbot/certbot) in Python.
 
 ACME is part of the [Letsencrypt](https://letsencrypt.org/) project, which goal is to provide free SSL/TLS certificates with automation of the acquiring and renewal process.
 
+You can find ACMEv1 compatible client in the [acme-v1](https://github.com/unixcharles/acme-client/tree/acme-v1) branch.
+
 ## Installation
 
 Via RubyGems:
@@ -25,143 +23,189 @@ gem 'acme-client'
 ```
 
 ## Usage
+* [Setting up a client](#setting-up-a-client)
+* [Account management](#account-management)
+* [Obtaining a certificate](#obtaining-a-certificate)
+  * [Ordering a certificate](#ordering-a-certificate)
+  * [Completing an HTTP challenge](#preparing-for-http-challenge)
+  * [Completing an DNS challenge](#preparing-for-dns-challenge)
+  * [Requesting a challenge verification](#requesting-a-challenge-verification)
+  * [Downloading a certificate](#downloading-a-certificate)
+* [Extra](#extra)
+  * [Certificate revokation](#certificate-revokation)
+  * [Certificate renewal](#certificate-renewal)
+
+## Setting up a client
+
+The client is initialized with a private key and the directory of your ACME provider.
+
+LetsEncrypt's `directory` is `https://acme-v02.api.letsencrypt.org/directory`.
+
+They also have a staging enpoind at `https://acme-staging-v02.api.letsencrypt.org/directory`.
 
-### Register client
+`acme-ruby` expects `OpenSSL::PKey::RSA` or `OpenSSL::PKey::EC`
 
-In order to authenticate our client, we have to create an account for it.
+You can generate one in Ruby using OpenSSL.
 
 ```ruby
-# We're going to need a private key.
 require 'openssl'
 private_key = OpenSSL::PKey::RSA.new(4096)
+```
+
+Or load one from a PEM file
+
+```ruby
+require 'openssl'
+OpenSSL::PKey::RSA.new(File.read('/path/to/private_key.pem'))
+```
 
-# We need an ACME server to talk to, see github.com/letsencrypt/boulder
-# WARNING: This endpoint is the production endpoint, which is rate limited and will produce valid certificates.
-# You should probably use the staging endpoint for all your experimentation:
-# endpoint = 'https://acme-staging.api.letsencrypt.org/'
-endpoint = 'https://acme-v01.api.letsencrypt.org/'
+See [RSA](https://ruby.github.io/openssl/OpenSSL/PKey/RSA.html) and [EC](https://ruby.github.io/openssl/OpenSSL/PKey/EC.html) for documentation.
 
-# Initialize the client
-require 'acme-client'
-client = Acme::Client.new(private_key: private_key, endpoint: endpoint, connection_options: { request: { open_timeout: 5, timeout: 5 } })
 
-# If the private key is not known to the server, we need to register it for the first time.
-registration = client.register(contact: 'mailto:contact@example.com')
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme-staging-v02.api.letsencrypt.org/directory')
+```
+
+If your account is already registered, you can save some API calls by passing your key ID directly. This will avoid an unnecessary API call to retrieve it from your private key.
+
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme-staging-v02.api.letsencrypt.org/directory', kid: 'https://example.com/acme/acct/1')
+```
+
+## Account management
+
+Accounts are tied to a private key. Before being allowed to create orders, the account must be registered and the ToS accepted using the private key. The account will be assigned a key ID.
+
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme-staging-v02.api.letsencrypt.org/directory')
+account = client.new_account(contact: 'mailto:info@example.com', terms_of_service_agreed: true)
+```
+
+After the registration you can retrieve the account  key indentifier (kid).
 
-# You may need to agree to the terms of service (that's up the to the server to require it or not but boulder does by default)
-registration.agree_terms
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme-staging-v02.api.letsencrypt.org/directory')
+account = client.new_account(contact: 'mailto:info@example.com', terms_of_service_agreed: true)
+account.kid # => <kid string>
 ```
 
-### Authorize for domain
+## Obtaining a certificate
+### Ordering a certificate
+
+To order a new certificate, the client must provide a list of identifiers.
+
+The returned order will contain a list of `Authorization` that need to be completed in other to finalize the order, generally one per identifier.
+
+Each authorization contains multiple challenges, typically a `dns-01` and a `http-01` challenge. The applicant is only required to complete one the challenges.
 
-Before you are able to obtain certificates for your domain, you have to prove that you are in control of it.
+You can access the challenge you wish to complete using the `#dns` or `#http` method.
 
 ```ruby
-authorization = client.authorize(domain: 'example.org')
+order = client.new_order(identifiers: ['example.com'])
+authorization = order.authorizations.first
+challenge = authorization.http
+```
 
-# If authorization.status returns 'valid' here you can already get a certificate
-# and _must not_ try to solve another challenge.
-authorization.status # => 'pending'
+### Preparing for HTTP challenge
 
-# You can can store the authorization's URI to fully recover it and
-# any associated challenges via Acme::Client#fetch_authorization.
-authorization.uri # => '...'
+To complete the HTTP challenge, you must return a file using HTTP.
 
-# This example is using the http-01 challenge type. Other challenges are dns-01 or tls-sni-01.
-challenge = authorization.http01
+The path follows the following format:
 
-# The http-01 method will require you to respond to a HTTP request.
+> .well-known/acme-challenge/#{token}
 
-# You can retrieve the challenge token
-challenge.token # => "some_token"
+And the file content is the key authorization. The HTTP01 object has utility methods to generate them.
 
-# You can retrieve the expected path for the file.
-challenge.filename # => ".well-known/acme-challenge/:some_token"
+```ruby
+> http_challenge.content_type # => 'text/plain'
+> http_challenge.file_content # => example_token.TO1xJ0UDgfQ8WY5zT3txynup87UU3PhcDEIcuPyw4QU
+> http_challenge.filename # => '.well-known/acme-challenge/example_token'
+> http_challenge.token # => 'example_token'
+```
 
-# You can generate the body of the expected response.
-challenge.file_content # => 'string token and JWK thumbprint'
+For test purposes you can just save the challenge file and use Ruby to serve it:
 
-# You are not required to send a Content-Type. This method will return the right Content-Type should you decide to include one.
-challenge.content_type
+```bash
+ruby -run -e httpd public -p 8080 --bind-address 0.0.0.0
+```
+
+### Preparing for DNS challenge
 
-# Save the file. We'll create a public directory to serve it from, and inside it we'll create the challenge file.
-FileUtils.mkdir_p( File.join( 'public', File.dirname( challenge.filename ) ) )
+To complete the DNS challenge, you must set a DNS record to prove that you control the domain.
 
-# We'll write the content of the file
-File.write( File.join( 'public', challenge.filename), challenge.file_content )
+The DNS01 object has utility methods to generate them.
 
-# Optionally save the authorization URI for use at another time (eg: by a background job processor)
-File.write('authorization_uri', authorization.uri)
+```ruby
+dns_challenge.record_name # => '_acme-challenge'
+dns_challenge.record_type # => 'TXT'
+dns_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
+```
 
-# The challenge file can be served with a Ruby webserver.
-# You can run a webserver in another console for that purpose. You may need to forward ports on your router.
-#
-# $ ruby -run -e httpd public -p 8080 --bind-address 0.0.0.0
+### Requesting a challenge verification
 
-# Load a challenge based on stored authorization URI. This is only required if you need to reuse a challenge as outlined above.
-challenge = client.fetch_authorization(File.read('authorization_uri')).http01
+Once you are ready to complete the challenge, you can request the server perform the verification.
 
-# Once you are ready to serve the confirmation request you can proceed.
-challenge.request_verification # => true
-challenge.authorization.verify_status # => 'pending'
+```ruby
+challenge.request_validation
+```
 
-# Wait a bit for the server to make the request, or just blink. It should be fast.
-sleep(1)
+The validation is performed asynchronously and can take some time to be performed by the server.
 
-# Rely on authorization.verify_status more than on challenge.verify_status,
-# if the former is 'valid' you can already issue a certificate and the status of
-# the challenge is not relevant and in fact may never change from pending.
-challenge.authorization.verify_status # => 'valid'
-challenge.error # => nil
+You can poll until its status change.
 
-# If authorization.verify_status is 'invalid', you can get at the error
-# message only through the failed challenge.
-authorization.verify_status # => 'invalid'
-authorization.http01.error # => {"type" => "...", "detail" => "..."}
+```ruby
+while challenge.status == 'pending'
+  sleep(2)
+  challenge.reload
+end
+challenge.status # => 'valid'
 ```
 
-### Obtain a certificate
+### Downloading a certificate
+
+Once all required authorizations have been validated through challenges, the order can be finalized using a CSR ([Certificate Signing Request](https://en.wikipedia.org/wiki/Certificate_signing_request)).
+
+A CSR can be slightly tricky to generate using OpenSSL from Ruby standard library. `acme-client` provide a utility class `CertificateRequest` to help with that.
 
-Now that your account is authorized for the domain, you should be able to obtain a certificate for it.
+Certificate generation happens asynchronously. You may need to poll.
 
 ```ruby
-# We're going to need a certificate signing request. If not explicitly
-# specified, the first name listed becomes the common name.
-csr = Acme::Client::CertificateRequest.new(names: %w[example.org www.example.org])
+csr = Acme::Client::CertificateRequest.new(private_key: private_key, subject: { common_name: 'example.com' })
+order.finalize(csr: csr)
+sleep(1) while order.status == 'processing'
+order.certificate # => PEM-formatted certificate
+```
+
+## Extra
 
-# We can now request a certificate. You can pass anything that returns
-# a valid DER encoded CSR when calling to_der on it. For example an
-# OpenSSL::X509::Request should work too.
-certificate = client.new_certificate(csr) # => #<Acme::Client::Certificate ....>
+### Certificate revokation
 
-# Save the certificate and the private key to files
-File.write("privkey.pem", certificate.request.private_key.to_pem)
-File.write("cert.pem", certificate.to_pem)
-File.write("chain.pem", certificate.chain_to_pem)
-File.write("fullchain.pem", certificate.fullchain_to_pem)
+To revoke a certificate you can call `#revoke` with the certificate.
 
-# Start a webserver, using your shiny new certificate
-# ruby -r openssl -r webrick -r 'webrick/https' -e "s = WEBrick::HTTPServer.new(
-#   :Port => 8443,
-#   :DocumentRoot => Dir.pwd,
-#   :SSLEnable => true,
-#   :SSLPrivateKey => OpenSSL::PKey::RSA.new( File.read('privkey.pem') ),
-#   :SSLCertificate => OpenSSL::X509::Certificate.new( File.read('cert.pem') )); trap('INT') { s.shutdown }; s.start"
+```ruby
+client.revoke(certificate: certificate)
 ```
 
-# Not implemented
+### Certificate renewal
 
-- Recovery methods are not implemented.
+The is no renewal process, just create a new order.
 
-# Requirements
+
+## Not implemented
+
+- Account Key Roll-over.
+
+## Requirements
 
 Ruby >= 2.1
 
 ## Development
 
-All the tests use VCR to mock the interaction with the server but if you
-need to record new interaction against the server simply clone boulder and
-run it normally with `./start.py`.
+All the tests use VCR to mock the interaction with the server. If you need to record new interaction you can specify the directory URL with the `ACME_DIRECTORY_URL` environment variable.
+
+```
+ACME_DIRECTORY_URL=https://acme-staging-v02.api.letsencrypt.org/directory rspec
+```
 
 ## Pull request?
 

data/lib/acme/client.rb

@@ -12,7 +12,6 @@ module Acme; end
 class Acme::Client; end
 
 require 'acme/client/version'
-require 'acme/client/certificate'
 require 'acme/client/certificate_request'
 require 'acme/client/self_sign_certificate'
 require 'acme/client/resources'
@@ -22,15 +21,14 @@ require 'acme/client/error'
 require 'acme/client/util'
 
 class Acme::Client
-  DEFAULT_ENDPOINT = 'http://127.0.0.1:4000'.freeze
-  DIRECTORY_DEFAULT = {
-    'new-authz' => '/acme/new-authz',
-    'new-cert' => '/acme/new-cert',
-    'new-reg' => '/acme/new-reg',
-    'revoke-cert' => '/acme/revoke-cert'
-  }.freeze
-
-  def initialize(jwk: nil, private_key: nil, endpoint: DEFAULT_ENDPOINT, directory_uri: nil, connection_options: {})
+  DEFAULT_DIRECTORY = 'http://127.0.0.1:4000/directory'.freeze
+  repo_url = 'https://github.com/unixcharles/acme-client'
+  USER_AGENT = "Acme::Client v#{Acme::Client::VERSION} (#{repo_url})".freeze
+  CONTENT_TYPES = {
+    pem: 'application/pem-certificate-chain'
+  }
+
+  def initialize(jwk: nil, kid: nil, private_key: nil, directory: DEFAULT_DIRECTORY, connection_options: {})
     if jwk.nil? && private_key.nil?
       raise ArgumentError, 'must specify jwk or private_key'
     end
@@ -41,93 +39,255 @@ class Acme::Client
       Acme::Client::JWK.from_private_key(private_key)
     end
 
-    @endpoint, @directory_uri, @connection_options = endpoint, directory_uri, connection_options
+    @kid, @connection_options = kid, connection_options
+    @directory = Acme::Client::Resources::Directory.new(URI(directory), @connection_options)
     @nonces ||= []
-    load_directory!
   end
 
-  attr_reader :jwk, :nonces, :endpoint, :directory_uri, :operation_endpoints
+  attr_reader :jwk, :nonces
 
-  def register(contact:)
+  def new_account(contact:, terms_of_service_agreed: nil)
     payload = {
-      resource: 'new-reg', contact: Array(contact)
+      contact: Array(contact)
     }
 
-    response = connection.post(@operation_endpoints.fetch('new-reg'), payload)
-    ::Acme::Client::Resources::Registration.new(self, response)
+    if terms_of_service_agreed
+      payload[:termsOfServiceAgreed] = terms_of_service_agreed
+    end
+
+    response = post(endpoint_for(:new_account), payload: payload, mode: :jws)
+    @kid = response.headers.fetch(:location)
+
+    if response.body.nil? || response.body.empty?
+      account
+    else
+      arguments = attributes_from_account_response(response)
+      Acme::Client::Resources::Account.new(self, url: @kid, **arguments)
+    end
   end
 
-  def authorize(domain:)
-    payload = {
-      resource: 'new-authz',
-      identifier: {
-        type: 'dns',
-        value: domain
-      }
-    }
+  def account_update(contact: nil, terms_of_service_agreed: nil)
+    payload = {}
+    payload[:contact] = Array(contact) if contact
+    payload[:termsOfServiceAgreed] = terms_of_service_agreed if terms_of_service_agreed
 
-    response = connection.post(@operation_endpoints.fetch('new-authz'), payload)
-    ::Acme::Client::Resources::Authorization.new(self, response.headers['Location'], response)
+    response = post(kid, payload: payload)
+    arguments = attributes_from_account_response(response)
+    Acme::Client::Resources::Account.new(self, url: kid, **arguments)
   end
 
-  def fetch_authorization(uri)
-    response = connection.get(uri)
-    ::Acme::Client::Resources::Authorization.new(self, uri, response)
+  def account_deactivate
+    response = post(kid, payload: { status: 'deactivated' })
+    arguments = attributes_from_account_response(response)
+    Acme::Client::Resources::Account.new(self, url: kid, **arguments)
   end
 
-  def new_certificate(csr)
-    payload = {
-      resource: 'new-cert',
-      csr: Base64.urlsafe_encode64(csr.to_der)
-    }
+  def account
+    @kid ||= begin
+      response = post(endpoint_for(:new_account), payload: { onlyReturnExisting: true }, mode: :jwk)
+      response.headers.fetch(:location)
+    end
 
-    response = connection.post(@operation_endpoints.fetch('new-cert'), payload)
-    ::Acme::Client::Certificate.new(OpenSSL::X509::Certificate.new(response.body), response.headers['location'], fetch_chain(response), csr)
+    response = post(@kid)
+    arguments = attributes_from_account_response(response)
+    Acme::Client::Resources::Account.new(self, url: @kid, **arguments)
   end
 
-  def revoke_certificate(certificate)
-    payload = { resource: 'revoke-cert', certificate: Base64.urlsafe_encode64(certificate.to_der) }
-    endpoint = @operation_endpoints.fetch('revoke-cert')
-    response = connection.post(endpoint, payload)
-    response.success?
+  def kid
+    @kid ||= account.kid
   end
 
-  def self.revoke_certificate(certificate, *arguments)
-    client = new(*arguments)
-    client.revoke_certificate(certificate)
+  def new_order(identifiers:, not_before: nil, not_after: nil)
+    payload = {}
+    payload['identifiers'] = if identifiers.is_a?(Hash)
+      identifiers
+    else
+      Array(identifiers).map do |identifier|
+        { type: 'dns', value: identifier }
+      end
+    end
+    payload['notBefore'] = not_before if not_before
+    payload['notAfter'] = not_after if not_after
+
+    response = post(endpoint_for(:new_order), payload: payload)
+    arguments = attributes_from_order_response(response)
+    Acme::Client::Resources::Order.new(self, **arguments)
   end
 
-  def connection
-    @connection ||= Faraday.new(@endpoint, **@connection_options) do |configuration|
-      configuration.use Acme::Client::FaradayMiddleware, client: self
-      configuration.adapter Faraday.default_adapter
+  def order(url:)
+    response = get(url)
+    arguments = attributes_from_order_response(response)
+    Acme::Client::Resources::Order.new(self, **arguments.merge(url: url))
+  end
+
+  def finalize(url:, csr:)
+    unless csr.respond_to?(:to_der)
+      raise ArgumentError, 'csr must respond to `#to_der`'
+    end
+
+    base64_der_csr = Acme::Client::Util.urlsafe_base64(csr.to_der)
+    response = post(url, payload: { csr: base64_der_csr })
+    arguments = attributes_from_order_response(response)
+    Acme::Client::Resources::Order.new(self, **arguments)
+  end
+
+  def certificate(url:)
+    response = download(url, format: :pem)
+    response.body
+  end
+
+  def authorization(url:)
+    response = get(url)
+    arguments = attributes_from_authorization_response(response)
+    Acme::Client::Resources::Authorization.new(self, url: url, **arguments)
+  end
+
+  def deactivate_authorization(url:)
+    response = post(url, payload: { status: 'deactivated' })
+    arguments = attributes_from_authorization_response(response)
+    Acme::Client::Resources::Authorization.new(self, url: url, **arguments)
+  end
+
+  def challenge(url:)
+    response = get(url)
+    arguments = attributes_from_challenge_response(response)
+    Acme::Client::Resources::Challenges.new(self, **arguments)
+  end
+
+  def request_challenge_validation(url:, key_authorization:)
+    response = post(url, payload: { keyAuthorization: key_authorization })
+    arguments = attributes_from_challenge_response(response)
+    Acme::Client::Resources::Challenges.new(self, **arguments)
+  end
+
+  def revoke(certificate:, reason: nil)
+    der_certificate = if certificate.respond_to?(:to_der)
+      certificate.to_der
+    else
+      OpenSSL::X509::Certificate.new(certificate).to_der
     end
+
+    base64_der_certificate = Acme::Client::Util.urlsafe_base64(der_certificate)
+    payload = { certificate: base64_der_certificate }
+    payload[:reason] = reason unless reason.nil?
+
+    response = post(endpoint_for(:revoke_certificate), payload: payload)
+    response.success?
+  end
+
+  def get_nonce
+    response = Faraday.head(endpoint_for(:new_nonce), nil, 'User-Agent' => USER_AGENT)
+    nonces << response.headers['replay-nonce']
+    true
+  end
+
+  def meta
+    @directory.meta
+  end
+
+  def terms_of_service
+    @directory.terms_of_service
+  end
+
+  def website
+    @directory.website
+  end
+
+  def caa_identities
+    @directory.caa_identities
+  end
+
+  def external_account_required
+    @directory.external_account_required
   end
 
   private
 
+  def attributes_from_account_response(response)
+    extract_attributes(
+      response.body,
+      :status,
+      [:term_of_service, 'termsOfServiceAgreed'],
+      :contact
+    )
+  end
+
+  def attributes_from_order_response(response)
+    attributes = extract_attributes(
+      response.body,
+      :status,
+      :expires,
+      [:finalize_url, 'finalize'],
+      [:authorization_urls, 'authorizations'],
+      [:certificate_url, 'certificate'],
+      :identifiers
+    )
+
+    attributes[:url] = response.headers[:location] if response.headers[:location]
+    attributes
+  end
+
+  def attributes_from_authorization_response(response)
+    extract_attributes(response.body, :identifier, :status, :expires, :challenges, :wildcard)
+  end
+
+  def attributes_from_challenge_response(response)
+    extract_attributes(response.body, :status, :url, :token, :type, :error)
+  end
+
+  def extract_attributes(input, *attributes)
+    attributes
+      .map {|fields| Array(fields) }
+      .each_with_object({}) { |(key, field), hash|
+      field ||= key.to_s
+      hash[key] = input[field]
+    }
+  end
+
+  def post(url, payload: {}, mode: :kid)
+    connection = connection_for(url: url, mode: mode)
+    connection.post(url, payload)
+  end
+
+  def get(url, mode: :kid)
+    connection = connection_for(url: url, mode: mode)
+    connection.get(url)
+  end
+
+  def download(url, format:)
+    connection = connection_for(url: url, mode: :download)
+    connection.get do |request|
+      request.url(url)
+      request.headers['Accept'] = CONTENT_TYPES.fetch(format)
+    end
+  end
+
+  def connection_for(url:, mode:)
+    uri = URI(url)
+    endpoint = "#{uri.scheme}://#{uri.hostname}:#{uri.port}"
+    @connections ||= {}
+    @connections[mode] ||= {}
+    @connections[mode][endpoint] ||= new_connection(endpoint: endpoint, mode: mode)
+  end
+
+  def new_connection(endpoint:, mode:)
+    Faraday.new(endpoint, **@connection_options) do |configuration|
+      configuration.use Acme::Client::FaradayMiddleware, client: self, mode: mode
+      configuration.adapter Faraday.default_adapter
+    end
+  end
+
   def fetch_chain(response, limit = 10)
     links = response.headers['link']
     if limit.zero? || links.nil? || links['up'].nil?
       []
     else
-      issuer = connection.get(links['up'])
+      issuer = get(links['up'])
       [OpenSSL::X509::Certificate.new(issuer.body), *fetch_chain(issuer, limit - 1)]
     end
   end
 
-  def load_directory!
-    @operation_endpoints = if @directory_uri
-      response = connection.get(@directory_uri)
-      body = response.body
-      {
-        'new-reg' => body.fetch('new-reg'),
-        'new-authz' => body.fetch('new-authz'),
-        'new-cert' => body.fetch('new-cert'),
-        'revoke-cert' => body.fetch('revoke-cert')
-      }
-    else
-      DIRECTORY_DEFAULT
-    end
+  def endpoint_for(key)
+    @directory.endpoint_for(key)
   end
 end