RubyGems - acme-client - Versions diffs - 2.0.24 → 2.0.26 - Mend

acme-client 2.0.24 → 2.0.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +8 -0
data/README.md +39 -2
data/lib/acme/client/resources/authorization.rb +7 -0
data/lib/acme/client/resources/challenges/dns_account01.rb +30 -0
data/lib/acme/client/resources/challenges.rb +3 -1
data/lib/acme/client/resources/directory.rb +6 -1
data/lib/acme/client/resources/order.rb +5 -3
data/lib/acme/client/version.rb +1 -1
data/lib/acme/client.rb +8 -2
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b0f522907016ad60be1773ed0e41a6d552a3fb1f9d5f617388340fcf037db767
-  data.tar.gz: a93d0b384803456b1dbfc12ee5b2412bb24450d0766c8bc8b8ffc72c3bc92e14
+  metadata.gz: f24f8baac91c1bff36891f14b0ec6d1fb3a9265cf771f2ae943b49dac5a96d2e
+  data.tar.gz: 4f84da04feeea6ae55ab875ab835194bf71182e8cabf7d56e574d79d80e988ae
 SHA512:
-  metadata.gz: f31a72029014b278afb4cd85363464e9a66b61be1238c1658428f6027efa1f20c9bf632e72d87dcbd8dc78d4cbfe62cab7a05ebc5c7cf9c1f6df441a32bc0f57
-  data.tar.gz: 72dd5642162be71f215f03459879933fd865445dbcf5a131a65499baa443e325e6d4d76bbfb743e256eae063f05726bb328b6a76afb6def19b3fed9b3302d51e
+  metadata.gz: 1e4a73d22af2fec3e323859f5386308c046c32b443952f81c9ce1811562eae0ec92c0a3bd683c0806bd85ca605bda5468bdf7534b224b94a65a7fe1b1222cce4
+  data.tar.gz: 84722131dd304475f45459ff78b4a0eda6ccf1a6d0aa2ffbdb2092cb17446ffc62db288ba429ee6a2080779dde273487718cddf27cc7d07b1850210401222b63

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,11 @@
+## `2.0.26`
+* Add support for dns-account-01 challenge (RFC draft-ietf-acme-dns-account-label-01)
+## `2.0.25`
+* Add support for profiles extension
 ## `2.0.24`
 * Add support for account orders url attribute.

data/README.md CHANGED Viewed

@@ -120,9 +120,11 @@ To order a new certificate, the client must provide a list of identifiers.
 The returned order will contain a list of `Authorization` that need to be completed in other to finalize the order, generally one per identifier.
-Each authorization contains multiple challenges, typically a `dns-01` and a `http-01` challenge. The applicant is only required to complete one of the challenges.
+Each authorization contains multiple challenges, typically a `dns-01`, `dns-account-01`, and a `http-01` challenge. The applicant is only required to complete one of the challenges.
-You can access the challenge you wish to complete using the `#dns` or `#http` method.
+The `dns-account-01` challenge prepends an account-specific label before `_acme-challenge`, producing a record name of the form `_<label>._acme-challenge` so different clients can validate the same domain concurrently.
+You can access the challenge you wish to complete using the `#dns`, `#dns_account`, or `#http` methods.
 ```ruby
 order = client.new_order(identifiers: ['example.com'])
@@ -165,6 +167,25 @@ dns_challenge.record_type # => 'TXT'
 dns_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
 ```
+### Preparing for DNS-Account-01 challenge
+To complete the DNS-Account-01 challenge, you must set a DNS TXT record using an account-specific name. This allows multiple ACME clients to validate the same domain concurrently without conflicts.
+The DNSAccount01 object has utility methods to generate the required DNS record:
+```ruby
+dns_account_challenge = authorization.dns_account
+dns_account_challenge.record_name    # => '_ujmmovf2vn55tgye._acme-challenge'
+dns_account_challenge.record_type    # => 'TXT'
+dns_account_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
+```
+The record name includes an account-specific label derived from your account URL, ensuring different clients can validate simultaneously:
+- **DNS-01**: `_acme-challenge.example.com` (shared)
+- **DNS-Account-01**: `_ujmmovf2vn55tgye._acme-challenge.example.com` (account-specific)
 ### Requesting a challenge verification
 Once you are ready to complete the challenge, you can request the server perform the verification.
@@ -244,6 +265,22 @@ new_private_key = OpenSSL::PKey::RSA.new(4096)
 client.account_key_change(new_private_key: new_private_key)
 ```
+### Profile Extension
+Provide a CA profile when creating a new order:
+```ruby
+order = client.new_order(identifiers: ['example.com'], profile: 'shortlived')
+```
+ACME servers may list supported profiles in the directory endpoint:
+```ruby
+client.profiles => {"classic": "https://example.com/docs/classic", "shortlived": "https://example.com/docs/shortlived"}
+```
+See the [RFC draft of certificate profiles](https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/) for more info.
 ## Requirements
 Ruby >= 3.0

data/lib/acme/client/resources/authorization.rb CHANGED Viewed

@@ -38,6 +38,13 @@ class Acme::Client::Resources::Authorization
   end
   alias_method :dns, :dns01
+  def dns_account_01
+    @dns_account_01 ||= challenges.find { |challenge|
+      challenge.is_a?(Acme::Client::Resources::Challenges::DNSAccount01)
+    }
+  end
+  alias_method :dns_account, :dns_account_01
   def to_h
     {
       url: url,

data/lib/acme/client/resources/challenges/dns_account01.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+# DNS-Account-01 challenge following draft-ietf-acme-dns-account-label-01
+# Enables multiple ACME clients to validate the same domain concurrently
+class Acme::Client::Resources::Challenges::DNSAccount01 < Acme::Client::Resources::Challenges::Base
+  CHALLENGE_TYPE = 'dns-account-01'.freeze
+  RECORD_PREFIX = '_'.freeze
+  RECORD_SUFFIX = '._acme-challenge'.freeze
+  RECORD_TYPE = 'TXT'.freeze
+  DIGEST = OpenSSL::Digest::SHA256
+  BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'.freeze # RFC 4648 lowercase alphabet
+  # Generates account-specific DNS record name using SHA256(account_url) + Base32
+  # Format: _<base32_label>._acme-challenge
+  def record_name
+    digest = DIGEST.digest(@client.kid)[0, 10] # First 10 octets for label
+    bits = digest.unpack1('B*')
+    label = bits.scan(/.{5}/).map { |chunk| BASE32_ALPHABET[chunk.to_i(2)] }.join
+    "#{RECORD_PREFIX}#{label}#{RECORD_SUFFIX}"
+  end
+  def record_type
+    RECORD_TYPE
+  end
+  def record_content
+    Acme::Client::Util.urlsafe_base64(DIGEST.digest(key_authorization))
+  end
+end

data/lib/acme/client/resources/challenges.rb CHANGED Viewed

@@ -4,11 +4,13 @@ module Acme::Client::Resources::Challenges
   require 'acme/client/resources/challenges/base'
   require 'acme/client/resources/challenges/http01'
   require 'acme/client/resources/challenges/dns01'
+  require 'acme/client/resources/challenges/dns_account01'
   require 'acme/client/resources/challenges/unsupported_challenge'
   CHALLENGE_TYPES = {
     'http-01' => Acme::Client::Resources::Challenges::HTTP01,
-    'dns-01' => Acme::Client::Resources::Challenges::DNS01
+    'dns-01' => Acme::Client::Resources::Challenges::DNS01,
+    'dns-account-01' => Acme::Client::Resources::Challenges::DNSAccount01
   }
   def self.new(client, type:, **arguments)

data/lib/acme/client/resources/directory.rb CHANGED Viewed

@@ -14,7 +14,8 @@ class Acme::Client::Resources::Directory
     terms_of_service: 'termsOfService',
     website: 'website',
     caa_identities: 'caaIdentities',
-    external_account_required: 'externalAccountRequired'
+    external_account_required: 'externalAccountRequired',
+    profiles: 'profiles'
   }
   def initialize(client, **arguments)
@@ -45,6 +46,10 @@ class Acme::Client::Resources::Directory
     meta[DIRECTORY_META[:external_account_required]]
   end
+  def profiles
+    meta[DIRECTORY_META[:profiles]]
+  end
   def meta
     @directory[:meta]
   end

data/lib/acme/client/resources/order.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 class Acme::Client::Resources::Order
-  attr_reader :url, :status, :contact, :finalize_url, :identifiers, :authorization_urls, :expires, :certificate_url
+  attr_reader :url, :status, :contact, :finalize_url, :identifiers, :authorization_urls, :expires, :certificate_url, :profile
   def initialize(client, **arguments)
     @client = client
@@ -44,13 +44,14 @@ class Acme::Client::Resources::Order
       finalize_url: finalize_url,
       authorization_urls: authorization_urls,
       identifiers: identifiers,
-      certificate_url: certificate_url
+      certificate_url: certificate_url,
+      profile: profile
     }
   end
   private
-  def assign_attributes(url: nil, status:, expires:, finalize_url:, authorization_urls:, identifiers:, certificate_url: nil)
+  def assign_attributes(url: nil, status:, expires:, finalize_url:, authorization_urls:, identifiers:, certificate_url: nil, profile: nil) # rubocop:disable Layout/LineLength,Metrics/ParameterLists
     @url = url
     @status = status
     @expires = expires
@@ -58,5 +59,6 @@ class Acme::Client::Resources::Order
     @authorization_urls = authorization_urls
     @identifiers = identifiers
     @certificate_url = certificate_url
+    @profile = profile
   end
 end

data/lib/acme/client/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Acme
   class Client
-    VERSION = '2.0.24'.freeze
+    VERSION = '2.0.26'.freeze
   end
 end

data/lib/acme/client.rb CHANGED Viewed

@@ -135,11 +135,12 @@ class Acme::Client
     @kid ||= account.kid
   end
-  def new_order(identifiers:, not_before: nil, not_after: nil)
+  def new_order(identifiers:, not_before: nil, not_after: nil, profile: nil)
     payload = {}
     payload['identifiers'] = prepare_order_identifiers(identifiers)
     payload['notBefore'] = not_before if not_before
     payload['notAfter'] = not_after if not_after
+    payload['profile'] = profile if profile
     response = post(endpoint_for(:new_order), payload: payload)
     arguments = attributes_from_order_response(response)
@@ -253,6 +254,10 @@ class Acme::Client
     directory.external_account_required
   end
+  def profiles
+    directory.profiles
+  end
   private
   def load_directory
@@ -299,7 +304,8 @@ class Acme::Client
       [:finalize_url, 'finalize'],
       [:authorization_urls, 'authorizations'],
       [:certificate_url, 'certificate'],
-      :identifiers
+      :identifiers,
+      :profile
     )
     attributes[:url] = response.headers[:location] if response.headers[:location]

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.24
+  version: 2.0.26
 platform: ruby
 authors:
 - Charles Barbier
 bindir: bin
 cert_chain: []
-date: 2025-08-05 00:00:00.000000000 Z
+date: 2025-09-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -167,6 +167,7 @@ files:
 - lib/acme/client/resources/challenges.rb
 - lib/acme/client/resources/challenges/base.rb
 - lib/acme/client/resources/challenges/dns01.rb
+- lib/acme/client/resources/challenges/dns_account01.rb
 - lib/acme/client/resources/challenges/http01.rb
 - lib/acme/client/resources/challenges/unsupported_challenge.rb
 - lib/acme/client/resources/directory.rb