acme-client 2.0.25 → 2.0.27

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 57864d566a88b4298a243bfaa6f34b5556a7aa1f36f41fd4e61636d0e7fae74e
-  data.tar.gz: c68a9476baa8fad93f9373e16d3dad6249edb2cc7f007d0d1bf4386cf0cf7f6e
+  metadata.gz: d41b8df6f16f62b2bd33a0fd960d7675c02e1d065fb3bf3466b58f59aad3a740
+  data.tar.gz: 846346e6d27381ea63fa1cb82b9044bef0acc25e5ca38ebf332fb692c02b577e
 SHA512:
-  metadata.gz: c2cb942f81bfb49f952f955b9eea415b86718c8fe4fb3426cf7cdc1fcb8925b97dfe20e07300480fef894b6438ab5b2046d670564f8bc66a8a80bd5f14e2a282
-  data.tar.gz: f5343edaa0fb6543d2f37e6017732969e63e687c9db877ff8ba188444244e1a180b59cedfbbef12d021a702f65cb089fc08f0ec79ab2363b660343d9df421f5c
+  metadata.gz: 49cda221593c2902534457cd4b89e7c24fedc3ee33f52ae4af5e83df14e4baf0cd68e547ec95c54e4dffd2fa1aea2989e51f371f5abfb37cc0630e7e4176977f
+  data.tar.gz: '059a4b9b2f260ab7dc8cb3f069120c74b3f76ec4ce5d6ff22f7eb625b75c6c032bfca3709795e247f82873d022a2f1e09ef939687e7c0f74589564cae41c9c94'

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## `2.0.27`
+
+*  Add support for Renewal Information (ARI) (RFC 9773)
+
+## `2.0.26`
+
+* Add support for dns-account-01 challenge (RFC draft-ietf-acme-dns-account-label-01)
+
 ## `2.0.25`
 
 * Add support for profiles extension

data/README.md

@@ -120,9 +120,11 @@ To order a new certificate, the client must provide a list of identifiers.
 
 The returned order will contain a list of `Authorization` that need to be completed in other to finalize the order, generally one per identifier.
 
-Each authorization contains multiple challenges, typically a `dns-01` and a `http-01` challenge. The applicant is only required to complete one of the challenges.
+Each authorization contains multiple challenges, typically a `dns-01`, `dns-account-01`, and a `http-01` challenge. The applicant is only required to complete one of the challenges.
 
-You can access the challenge you wish to complete using the `#dns` or `#http` method.
+The `dns-account-01` challenge prepends an account-specific label before `_acme-challenge`, producing a record name of the form `_<label>._acme-challenge` so different clients can validate the same domain concurrently.
+
+You can access the challenge you wish to complete using the `#dns`, `#dns_account`, or `#http` methods.
 
 ```ruby
 order = client.new_order(identifiers: ['example.com'])
@@ -165,6 +167,25 @@ dns_challenge.record_type # => 'TXT'
 dns_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
 ```
 
+### Preparing for DNS-Account-01 challenge
+
+To complete the DNS-Account-01 challenge, you must set a DNS TXT record using an account-specific name. This allows multiple ACME clients to validate the same domain concurrently without conflicts.
+
+The DNSAccount01 object has utility methods to generate the required DNS record:
+
+```ruby
+dns_account_challenge = authorization.dns_account
+
+dns_account_challenge.record_name    # => '_ujmmovf2vn55tgye._acme-challenge'
+dns_account_challenge.record_type    # => 'TXT'
+dns_account_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
+```
+
+The record name includes an account-specific label derived from your account URL, ensuring different clients can validate simultaneously:
+
+- **DNS-01**: `_acme-challenge.example.com` (shared)
+- **DNS-Account-01**: `_ujmmovf2vn55tgye._acme-challenge.example.com` (account-specific)
+
 ### Requesting a challenge verification
 
 Once you are ready to complete the challenge, you can request the server perform the verification.

data/lib/acme/client/error.rb

@@ -12,6 +12,7 @@ class Acme::Client::Error < StandardError
   class OrderNotReloadable < ClientError; end
 
   class ServerError < Acme::Client::Error; end
+  class AlreadyReplaced < ServerError; end
   class AlreadyRevoked < ServerError; end
   class BadCSR < ServerError; end
   class BadNonce < ServerError; end
@@ -36,6 +37,7 @@ class Acme::Client::Error < StandardError
   class IncorrectResponse < ServerError; end
 
   ACME_ERRORS = {
+    'urn:ietf:params:acme:error:alreadyReplaced' => AlreadyReplaced,
     'urn:ietf:params:acme:error:alreadyRevoked' => AlreadyRevoked,
     'urn:ietf:params:acme:error:badCSR' => BadCSR,
     'urn:ietf:params:acme:error:badNonce' => BadNonce,

data/lib/acme/client/resources/authorization.rb

@@ -38,6 +38,13 @@ class Acme::Client::Resources::Authorization
   end
   alias_method :dns, :dns01
 
+  def dns_account_01
+    @dns_account_01 ||= challenges.find { |challenge|
+      challenge.is_a?(Acme::Client::Resources::Challenges::DNSAccount01)
+    }
+  end
+  alias_method :dns_account, :dns_account_01
+
   def to_h
     {
       url: url,

data/lib/acme/client/resources/challenges/dns_account01.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+# DNS-Account-01 challenge following draft-ietf-acme-dns-account-label-01
+# Enables multiple ACME clients to validate the same domain concurrently
+class Acme::Client::Resources::Challenges::DNSAccount01 < Acme::Client::Resources::Challenges::Base
+  CHALLENGE_TYPE = 'dns-account-01'.freeze
+  RECORD_PREFIX = '_'.freeze
+  RECORD_SUFFIX = '._acme-challenge'.freeze
+  RECORD_TYPE = 'TXT'.freeze
+  DIGEST = OpenSSL::Digest::SHA256
+  BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'.freeze # RFC 4648 lowercase alphabet
+
+  # Generates account-specific DNS record name using SHA256(account_url) + Base32
+  # Format: _<base32_label>._acme-challenge
+  def record_name
+    digest = DIGEST.digest(@client.kid)[0, 10] # First 10 octets for label
+    bits = digest.unpack1('B*')
+    label = bits.scan(/.{5}/).map { |chunk| BASE32_ALPHABET[chunk.to_i(2)] }.join
+    "#{RECORD_PREFIX}#{label}#{RECORD_SUFFIX}"
+  end
+
+  def record_type
+    RECORD_TYPE
+  end
+
+  def record_content
+    Acme::Client::Util.urlsafe_base64(DIGEST.digest(key_authorization))
+  end
+end
+

data/lib/acme/client/resources/challenges.rb

@@ -4,11 +4,13 @@ module Acme::Client::Resources::Challenges
   require 'acme/client/resources/challenges/base'
   require 'acme/client/resources/challenges/http01'
   require 'acme/client/resources/challenges/dns01'
+  require 'acme/client/resources/challenges/dns_account01'
   require 'acme/client/resources/challenges/unsupported_challenge'
 
   CHALLENGE_TYPES = {
     'http-01' => Acme::Client::Resources::Challenges::HTTP01,
-    'dns-01' => Acme::Client::Resources::Challenges::DNS01
+    'dns-01' => Acme::Client::Resources::Challenges::DNS01,
+    'dns-account-01' => Acme::Client::Resources::Challenges::DNSAccount01
   }
 
   def self.new(client, type:, **arguments)

data/lib/acme/client/resources/directory.rb

@@ -7,7 +7,8 @@ class Acme::Client::Resources::Directory
     new_order: 'newOrder',
     new_authz: 'newAuthz',
     revoke_certificate: 'revokeCert',
-    key_change: 'keyChange'
+    key_change: 'keyChange',
+    renewal_info: 'renewalInfo'
   }
 
   DIRECTORY_META = {

data/lib/acme/client/resources/renewal_info.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+class Acme::Client::Resources::RenewalInfo
+  attr_reader :suggested_window, :explanation_url, :retry_after
+
+  def initialize(client, **arguments)
+    @client = client
+    assign_attributes(**arguments)
+  end
+
+  def suggested_window_start
+    suggested_window&.fetch('start', nil)
+  end
+
+  def suggested_window_end
+    suggested_window&.fetch('end', nil)
+  end
+
+  def suggested_renewal_time
+    return nil unless suggested_window_start && suggested_window_end
+
+    start_time = DateTime.rfc3339(suggested_window_start).to_time
+    end_time = DateTime.rfc3339(suggested_window_end).to_time
+    window_duration = end_time - start_time
+
+    random_offset = rand(0.0..window_duration)
+    selected_time = start_time + random_offset
+
+    selected_time > Time.now ? selected_time : Time.now
+  end
+
+  def to_h
+    {
+      suggested_window: suggested_window,
+      explanation_url: explanation_url,
+      retry_after: retry_after
+    }
+  end
+
+  private
+
+  def assign_attributes(suggested_window:, explanation_url: nil, retry_after: nil)
+    @suggested_window = suggested_window
+    @explanation_url = explanation_url
+    @retry_after = retry_after
+  end
+end

data/lib/acme/client/resources.rb

@@ -5,3 +5,4 @@ require 'acme/client/resources/account'
 require 'acme/client/resources/order'
 require 'acme/client/resources/authorization'
 require 'acme/client/resources/challenges'
+require 'acme/client/resources/renewal_info'

data/lib/acme/client/util.rb

@@ -32,4 +32,41 @@ module Acme::Client::Util
       raise ArgumentError, 'priv must be EC or RSA'
     end
   end
+
+  # Generates a certificate identifier for ACME Renewal Information (ARI) as per RFC 9773.
+  # The identifier is constructed by extracting the Authority Key Identifier (AKI) from
+  # the certificate extension, and the DER-encoded serial number (without tag and length bytes).
+  # Both values are base64url-encoded and concatenated with a period separator.
+  #
+  # certificate - An OpenSSL::X509::Certificate instance or PEM string.
+  #
+  # Returns a string in the format: base64url(AKI).base64url(serial)
+  def ari_certificate_identifier(certificate)
+    cert = if certificate.is_a?(OpenSSL::X509::Certificate)
+      certificate
+    else
+      OpenSSL::X509::Certificate.new(certificate)
+    end
+
+    aki_ext = cert.extensions.find { |ext| ext.oid == 'authorityKeyIdentifier' }
+    raise ArgumentError, 'Certificate does not have an Authority Key Identifier extension' unless aki_ext
+
+    aki_value = aki_ext.value
+    hex_string = if aki_value =~ /keyid:([0-9A-Fa-f:]+)/
+      $1
+    elsif aki_value =~ /^[0-9A-Fa-f:]+$/
+      aki_value
+    else
+      raise ArgumentError, 'Could not parse Authority Key Identifier'
+    end
+
+    key_identifier = hex_string.split(':').map { |hex| hex.to_i(16).chr }.join
+    serial_der = OpenSSL::ASN1::Integer.new(cert.serial).to_der
+    serial_value = OpenSSL::ASN1.decode(serial_der).value.to_s(2)
+
+    aki_b64 = urlsafe_base64(key_identifier)
+    serial_b64 = urlsafe_base64(serial_value)
+
+    "#{aki_b64}.#{serial_b64}"
+  end
 end

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.25'.freeze
+    VERSION = '2.0.27'.freeze
   end
 end

data/lib/acme/client.rb

@@ -135,12 +135,13 @@ class Acme::Client
     @kid ||= account.kid
   end
 
-  def new_order(identifiers:, not_before: nil, not_after: nil, profile: nil)
+  def new_order(identifiers:, not_before: nil, not_after: nil, profile: nil, replaces: nil)
     payload = {}
     payload['identifiers'] = prepare_order_identifiers(identifiers)
     payload['notBefore'] = not_before if not_before
     payload['notAfter'] = not_after if not_after
     payload['profile'] = profile if profile
+    payload['replaces'] = replaces if replaces
 
     response = post(endpoint_for(:new_order), payload: payload)
     arguments = attributes_from_order_response(response)
@@ -223,6 +224,15 @@ class Acme::Client
     response.success?
   end
 
+  def renewal_info(certificate:)
+    cert_id = Acme::Client::Util.ari_certificate_identifier(certificate)
+    renewal_info_url = URI.join(endpoint_for(:renewal_info).to_s + '/', cert_id).to_s
+
+    response = get(renewal_info_url)
+    attributes = attributes_from_renewal_info_response(response)
+    Acme::Client::Resources::RenewalInfo.new(self, **attributes)
+  end
+
   def get_nonce
     http_client = Acme::Client::HTTPClient.new_connection(url: endpoint_for(:new_nonce), options: @connection_options)
     response = http_client.head(nil, nil)
@@ -320,6 +330,16 @@ class Acme::Client
     extract_attributes(response.body, :status, :url, :token, :type, :error, :validated)
   end
 
+  def attributes_from_renewal_info_response(response)
+    attributes = extract_attributes(
+      response.body,
+      [:suggested_window, 'suggestedWindow'],
+      [:explanation_url, 'explanationURL']
+    )
+    attributes[:retry_after] = response.headers['retry-after'] if response.headers['retry-after']
+    attributes
+  end
+
   def extract_attributes(input, *attributes)
     attributes
       .map {|fields| Array(fields) }

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.25
+  version: 2.0.27
 platform: ruby
 authors:
 - Charles Barbier
 bindir: bin
 cert_chain: []
-date: 2025-08-07 00:00:00.000000000 Z
+date: 2025-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -167,10 +167,12 @@ files:
 - lib/acme/client/resources/challenges.rb
 - lib/acme/client/resources/challenges/base.rb
 - lib/acme/client/resources/challenges/dns01.rb
+- lib/acme/client/resources/challenges/dns_account01.rb
 - lib/acme/client/resources/challenges/http01.rb
 - lib/acme/client/resources/challenges/unsupported_challenge.rb
 - lib/acme/client/resources/directory.rb
 - lib/acme/client/resources/order.rb
+- lib/acme/client/resources/renewal_info.rb
 - lib/acme/client/self_sign_certificate.rb
 - lib/acme/client/util.rb
 - lib/acme/client/version.rb