acme-client 2.0.22 → 2.0.26

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a4c163dbc54a7e15b4e33aadbc892e9f9cca5fb4d2332873e9f0a4ca4b46d144
-  data.tar.gz: 7fedb1bf7034c1a52a5f05169782e31b31749ecd6d8beb1a22da60ed44d49731
+  metadata.gz: f24f8baac91c1bff36891f14b0ec6d1fb3a9265cf771f2ae943b49dac5a96d2e
+  data.tar.gz: 4f84da04feeea6ae55ab875ab835194bf71182e8cabf7d56e574d79d80e988ae
 SHA512:
-  metadata.gz: b1431a5b7890db3433aded0eaa9bccbdd14b60d9d95da840ee8d42e18c4f304e57b78431fa1313a77b06cb7e3e114dcba59471d48b8a1b3e099cc06eb4728df1
-  data.tar.gz: c2e0b53200d61ae3d38ea75b656dc92de9751ad32a6a86a3346cd8ac843fccab097c70dd5e1d6870597510c33b6cdfde866de6e31f919d96fc23c91edc83384c
+  metadata.gz: 1e4a73d22af2fec3e323859f5386308c046c32b443952f81c9ce1811562eae0ec92c0a3bd683c0806bd85ca605bda5468bdf7534b224b94a65a7fe1b1222cce4
+  data.tar.gz: 84722131dd304475f45459ff78b4a0eda6ccf1a6d0aa2ffbdb2092cb17446ffc62db288ba429ee6a2080779dde273487718cddf27cc7d07b1850210401222b63

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## `2.0.26`
+
+* Add support for dns-account-01 challenge (RFC draft-ietf-acme-dns-account-label-01)
+
+## `2.0.25`
+
+* Add support for profiles extension
+
+## `2.0.24`
+
+* Add support for account orders url attribute.
+
+## `2.0.23`
+
+* Allow Order to be create without url. Location is not always required in the specification. 
+
 ## `2.0.22`
 
 * Loosen base64 dependency constraint

data/README.md

@@ -120,9 +120,11 @@ To order a new certificate, the client must provide a list of identifiers.
 
 The returned order will contain a list of `Authorization` that need to be completed in other to finalize the order, generally one per identifier.
 
-Each authorization contains multiple challenges, typically a `dns-01` and a `http-01` challenge. The applicant is only required to complete one of the challenges.
+Each authorization contains multiple challenges, typically a `dns-01`, `dns-account-01`, and a `http-01` challenge. The applicant is only required to complete one of the challenges.
 
-You can access the challenge you wish to complete using the `#dns` or `#http` method.
+The `dns-account-01` challenge prepends an account-specific label before `_acme-challenge`, producing a record name of the form `_<label>._acme-challenge` so different clients can validate the same domain concurrently.
+
+You can access the challenge you wish to complete using the `#dns`, `#dns_account`, or `#http` methods.
 
 ```ruby
 order = client.new_order(identifiers: ['example.com'])
@@ -165,6 +167,25 @@ dns_challenge.record_type # => 'TXT'
 dns_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
 ```
 
+### Preparing for DNS-Account-01 challenge
+
+To complete the DNS-Account-01 challenge, you must set a DNS TXT record using an account-specific name. This allows multiple ACME clients to validate the same domain concurrently without conflicts.
+
+The DNSAccount01 object has utility methods to generate the required DNS record:
+
+```ruby
+dns_account_challenge = authorization.dns_account
+
+dns_account_challenge.record_name    # => '_ujmmovf2vn55tgye._acme-challenge'
+dns_account_challenge.record_type    # => 'TXT'
+dns_account_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
+```
+
+The record name includes an account-specific label derived from your account URL, ensuring different clients can validate simultaneously:
+
+- **DNS-01**: `_acme-challenge.example.com` (shared)
+- **DNS-Account-01**: `_ujmmovf2vn55tgye._acme-challenge.example.com` (account-specific)
+
 ### Requesting a challenge verification
 
 Once you are ready to complete the challenge, you can request the server perform the verification.
@@ -244,6 +265,22 @@ new_private_key = OpenSSL::PKey::RSA.new(4096)
 client.account_key_change(new_private_key: new_private_key)
 ```
 
+### Profile Extension
+
+Provide a CA profile when creating a new order:
+
+```ruby
+order = client.new_order(identifiers: ['example.com'], profile: 'shortlived')
+```
+
+ACME servers may list supported profiles in the directory endpoint:
+
+```ruby
+client.profiles => {"classic": "https://example.com/docs/classic", "shortlived": "https://example.com/docs/shortlived"}
+```
+
+See the [RFC draft of certificate profiles](https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/) for more info.
+
 ## Requirements
 
 Ruby >= 3.0

data/lib/acme/client/error.rb

@@ -9,6 +9,7 @@ class Acme::Client::Error < StandardError
   class CertificateNotReady < ClientError; end
   class ForcedChainNotFound < ClientError; end
   class OrderNotReady < ClientError; end
+  class OrderNotReloadable < ClientError; end
 
   class ServerError < Acme::Client::Error; end
   class AlreadyRevoked < ServerError; end

data/lib/acme/client/resources/account.rb

@@ -34,16 +34,18 @@ class Acme::Client::Resources::Account
       url: url,
       term_of_service: term_of_service,
       status: status,
-      contact: contact
+      contact: contact,
+      orders: orders_url
     }
   end
 
   private
 
-  def assign_attributes(url:, term_of_service:, status:, contact:)
+  def assign_attributes(url:, term_of_service:, status:, contact:, orders: nil)
     @url = url
     @term_of_service = term_of_service
     @status = status
     @contact = Array(contact)
+    @orders_url = orders
   end
 end

data/lib/acme/client/resources/authorization.rb

@@ -38,6 +38,13 @@ class Acme::Client::Resources::Authorization
   end
   alias_method :dns, :dns01
 
+  def dns_account_01
+    @dns_account_01 ||= challenges.find { |challenge|
+      challenge.is_a?(Acme::Client::Resources::Challenges::DNSAccount01)
+    }
+  end
+  alias_method :dns_account, :dns_account_01
+
   def to_h
     {
       url: url,

data/lib/acme/client/resources/challenges/dns_account01.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+# DNS-Account-01 challenge following draft-ietf-acme-dns-account-label-01
+# Enables multiple ACME clients to validate the same domain concurrently
+class Acme::Client::Resources::Challenges::DNSAccount01 < Acme::Client::Resources::Challenges::Base
+  CHALLENGE_TYPE = 'dns-account-01'.freeze
+  RECORD_PREFIX = '_'.freeze
+  RECORD_SUFFIX = '._acme-challenge'.freeze
+  RECORD_TYPE = 'TXT'.freeze
+  DIGEST = OpenSSL::Digest::SHA256
+  BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'.freeze # RFC 4648 lowercase alphabet
+
+  # Generates account-specific DNS record name using SHA256(account_url) + Base32
+  # Format: _<base32_label>._acme-challenge
+  def record_name
+    digest = DIGEST.digest(@client.kid)[0, 10] # First 10 octets for label
+    bits = digest.unpack1('B*')
+    label = bits.scan(/.{5}/).map { |chunk| BASE32_ALPHABET[chunk.to_i(2)] }.join
+    "#{RECORD_PREFIX}#{label}#{RECORD_SUFFIX}"
+  end
+
+  def record_type
+    RECORD_TYPE
+  end
+
+  def record_content
+    Acme::Client::Util.urlsafe_base64(DIGEST.digest(key_authorization))
+  end
+end
+

data/lib/acme/client/resources/challenges.rb

@@ -4,11 +4,13 @@ module Acme::Client::Resources::Challenges
   require 'acme/client/resources/challenges/base'
   require 'acme/client/resources/challenges/http01'
   require 'acme/client/resources/challenges/dns01'
+  require 'acme/client/resources/challenges/dns_account01'
   require 'acme/client/resources/challenges/unsupported_challenge'
 
   CHALLENGE_TYPES = {
     'http-01' => Acme::Client::Resources::Challenges::HTTP01,
-    'dns-01' => Acme::Client::Resources::Challenges::DNS01
+    'dns-01' => Acme::Client::Resources::Challenges::DNS01,
+    'dns-account-01' => Acme::Client::Resources::Challenges::DNSAccount01
   }
 
   def self.new(client, type:, **arguments)

data/lib/acme/client/resources/directory.rb

@@ -14,7 +14,8 @@ class Acme::Client::Resources::Directory
     terms_of_service: 'termsOfService',
     website: 'website',
     caa_identities: 'caaIdentities',
-    external_account_required: 'externalAccountRequired'
+    external_account_required: 'externalAccountRequired',
+    profiles: 'profiles'
   }
 
   def initialize(client, **arguments)
@@ -45,6 +46,10 @@ class Acme::Client::Resources::Directory
     meta[DIRECTORY_META[:external_account_required]]
   end
 
+  def profiles
+    meta[DIRECTORY_META[:profiles]]
+  end
+
   def meta
     @directory[:meta]
   end

data/lib/acme/client/resources/order.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class Acme::Client::Resources::Order
-  attr_reader :url, :status, :contact, :finalize_url, :identifiers, :authorization_urls, :expires, :certificate_url
+  attr_reader :url, :status, :contact, :finalize_url, :identifiers, :authorization_urls, :expires, :certificate_url, :profile
 
   def initialize(client, **arguments)
     @client = client
@@ -9,6 +9,10 @@ class Acme::Client::Resources::Order
   end
 
   def reload
+    if url.nil?
+      raise Acme::Client::Error::OrderNotReloadable, 'Finalized orders are not reloadable for this CA'
+    end
+
     assign_attributes(**@client.order(url: url).to_h)
     true
   end
@@ -40,13 +44,14 @@ class Acme::Client::Resources::Order
       finalize_url: finalize_url,
       authorization_urls: authorization_urls,
       identifiers: identifiers,
-      certificate_url: certificate_url
+      certificate_url: certificate_url,
+      profile: profile
     }
   end
 
   private
 
-  def assign_attributes(url:, status:, expires:, finalize_url:, authorization_urls:, identifiers:, certificate_url: nil)
+  def assign_attributes(url: nil, status:, expires:, finalize_url:, authorization_urls:, identifiers:, certificate_url: nil, profile: nil) # rubocop:disable Layout/LineLength,Metrics/ParameterLists
     @url = url
     @status = status
     @expires = expires
@@ -54,5 +59,6 @@ class Acme::Client::Resources::Order
     @authorization_urls = authorization_urls
     @identifiers = identifiers
     @certificate_url = certificate_url
+    @profile = profile
   end
 end

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.22'.freeze
+    VERSION = '2.0.26'.freeze
   end
 end

data/lib/acme/client.rb

@@ -135,11 +135,12 @@ class Acme::Client
     @kid ||= account.kid
   end
 
-  def new_order(identifiers:, not_before: nil, not_after: nil)
+  def new_order(identifiers:, not_before: nil, not_after: nil, profile: nil)
     payload = {}
     payload['identifiers'] = prepare_order_identifiers(identifiers)
     payload['notBefore'] = not_before if not_before
     payload['notAfter'] = not_after if not_after
+    payload['profile'] = profile if profile
 
     response = post(endpoint_for(:new_order), payload: payload)
     arguments = attributes_from_order_response(response)
@@ -253,6 +254,10 @@ class Acme::Client
     directory.external_account_required
   end
 
+  def profiles
+    directory.profiles
+  end
+
   private
 
   def load_directory
@@ -286,6 +291,7 @@ class Acme::Client
       response.body,
       :status,
       [:term_of_service, 'termsOfServiceAgreed'],
+      :orders,
       :contact
     )
   end
@@ -298,7 +304,8 @@ class Acme::Client
       [:finalize_url, 'finalize'],
       [:authorization_urls, 'authorizations'],
       [:certificate_url, 'certificate'],
-      :identifiers
+      :identifiers,
+      :profile
     )
 
     attributes[:url] = response.headers[:location] if response.headers[:location]

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.22
+  version: 2.0.26
 platform: ruby
 authors:
 - Charles Barbier
 bindir: bin
 cert_chain: []
-date: 2025-07-01 00:00:00.000000000 Z
+date: 2025-09-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -167,6 +167,7 @@ files:
 - lib/acme/client/resources/challenges.rb
 - lib/acme/client/resources/challenges/base.rb
 - lib/acme/client/resources/challenges/dns01.rb
+- lib/acme/client/resources/challenges/dns_account01.rb
 - lib/acme/client/resources/challenges/http01.rb
 - lib/acme/client/resources/challenges/unsupported_challenge.rb
 - lib/acme/client/resources/directory.rb