acme-client 2.0.26 → 2.0.28

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f24f8baac91c1bff36891f14b0ec6d1fb3a9265cf771f2ae943b49dac5a96d2e
-  data.tar.gz: 4f84da04feeea6ae55ab875ab835194bf71182e8cabf7d56e574d79d80e988ae
+  metadata.gz: c77ea7f7e3923d5c76ddd26c802ade553e7875f0f95b753a240f06c1e77e3689
+  data.tar.gz: 4f7a6f073795c9328b7322bd39f5640fb53e89c2b3790417ea2be2f2f13c5e7e
 SHA512:
-  metadata.gz: 1e4a73d22af2fec3e323859f5386308c046c32b443952f81c9ce1811562eae0ec92c0a3bd683c0806bd85ca605bda5468bdf7534b224b94a65a7fe1b1222cce4
-  data.tar.gz: 84722131dd304475f45459ff78b4a0eda6ccf1a6d0aa2ffbdb2092cb17446ffc62db288ba429ee6a2080779dde273487718cddf27cc7d07b1850210401222b63
+  metadata.gz: e12eae043f2e3b8fd505b88980f45336aee50013c23297ef8dd6f3f58cb427c62be9d0d1098dee4242fe258bc12b3bf417b22e3be772c3bcf8d6eb9b15748b75
+  data.tar.gz: 24fb6340f56d6eb998d57706dbfb92f92a64f488157410d0997e38bda9c009e541c4a2e5686d936d1be5a5c40aee39bcb3d8953edea86ddea4d0915c87344cfa

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## `2.0.28`
+
+*  Make [Retry-After](https://datatracker.ietf.org/doc/html/rfc8555/#section-6.6) accessible from RateLimited#retry_after exceptions
+
+## `2.0.27`
+
+*  Add support for Renewal Information (ARI) (RFC 9773)
+
 ## `2.0.26`
 
 * Add support for dns-account-01 challenge (RFC draft-ietf-acme-dns-account-label-01)

data/lib/acme/client/error/rate_limited.rb

@@ -0,0 +1,8 @@
+class Acme::Client::Error::RateLimited < Acme::Client::Error::ServerError
+  attr_reader :retry_after
+
+  def initialize(message, retry_after = 10)
+    super(message)
+    @retry_after = retry_after.nil? ? 10 : retry_after.to_i
+  end
+end

data/lib/acme/client/error.rb

@@ -12,6 +12,7 @@ class Acme::Client::Error < StandardError
   class OrderNotReloadable < ClientError; end
 
   class ServerError < Acme::Client::Error; end
+  class AlreadyReplaced < ServerError; end
   class AlreadyRevoked < ServerError; end
   class BadCSR < ServerError; end
   class BadNonce < ServerError; end
@@ -36,6 +37,7 @@ class Acme::Client::Error < StandardError
   class IncorrectResponse < ServerError; end
 
   ACME_ERRORS = {
+    'urn:ietf:params:acme:error:alreadyReplaced' => AlreadyReplaced,
     'urn:ietf:params:acme:error:alreadyRevoked' => AlreadyRevoked,
     'urn:ietf:params:acme:error:badCSR' => BadCSR,
     'urn:ietf:params:acme:error:badNonce' => BadNonce,

data/lib/acme/client/http_client.rb

@@ -101,6 +101,9 @@ module Acme::Client::HTTPClient
     end
 
     def raise_on_error!
+      if error_class == Acme::Client::Error::RateLimited
+        raise error_class.new(error_message, env.response_headers['Retry-After'])
+      end
       raise error_class, error_message
     end
 

data/lib/acme/client/resources/directory.rb

@@ -7,7 +7,8 @@ class Acme::Client::Resources::Directory
     new_order: 'newOrder',
     new_authz: 'newAuthz',
     revoke_certificate: 'revokeCert',
-    key_change: 'keyChange'
+    key_change: 'keyChange',
+    renewal_info: 'renewalInfo'
   }
 
   DIRECTORY_META = {

data/lib/acme/client/resources/renewal_info.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+class Acme::Client::Resources::RenewalInfo
+  attr_reader :suggested_window, :explanation_url, :retry_after
+
+  def initialize(client, **arguments)
+    @client = client
+    assign_attributes(**arguments)
+  end
+
+  def suggested_window_start
+    suggested_window&.fetch('start', nil)
+  end
+
+  def suggested_window_end
+    suggested_window&.fetch('end', nil)
+  end
+
+  def suggested_renewal_time
+    return nil unless suggested_window_start && suggested_window_end
+
+    start_time = DateTime.rfc3339(suggested_window_start).to_time
+    end_time = DateTime.rfc3339(suggested_window_end).to_time
+    window_duration = end_time - start_time
+
+    random_offset = rand(0.0..window_duration)
+    selected_time = start_time + random_offset
+
+    selected_time > Time.now ? selected_time : Time.now
+  end
+
+  def to_h
+    {
+      suggested_window: suggested_window,
+      explanation_url: explanation_url,
+      retry_after: retry_after
+    }
+  end
+
+  private
+
+  def assign_attributes(suggested_window:, explanation_url: nil, retry_after: nil)
+    @suggested_window = suggested_window
+    @explanation_url = explanation_url
+    @retry_after = retry_after
+  end
+end

data/lib/acme/client/resources.rb

@@ -5,3 +5,4 @@ require 'acme/client/resources/account'
 require 'acme/client/resources/order'
 require 'acme/client/resources/authorization'
 require 'acme/client/resources/challenges'
+require 'acme/client/resources/renewal_info'

data/lib/acme/client/util.rb

@@ -32,4 +32,41 @@ module Acme::Client::Util
       raise ArgumentError, 'priv must be EC or RSA'
     end
   end
+
+  # Generates a certificate identifier for ACME Renewal Information (ARI) as per RFC 9773.
+  # The identifier is constructed by extracting the Authority Key Identifier (AKI) from
+  # the certificate extension, and the DER-encoded serial number (without tag and length bytes).
+  # Both values are base64url-encoded and concatenated with a period separator.
+  #
+  # certificate - An OpenSSL::X509::Certificate instance or PEM string.
+  #
+  # Returns a string in the format: base64url(AKI).base64url(serial)
+  def ari_certificate_identifier(certificate)
+    cert = if certificate.is_a?(OpenSSL::X509::Certificate)
+      certificate
+    else
+      OpenSSL::X509::Certificate.new(certificate)
+    end
+
+    aki_ext = cert.extensions.find { |ext| ext.oid == 'authorityKeyIdentifier' }
+    raise ArgumentError, 'Certificate does not have an Authority Key Identifier extension' unless aki_ext
+
+    aki_value = aki_ext.value
+    hex_string = if aki_value =~ /keyid:([0-9A-Fa-f:]+)/
+      $1
+    elsif aki_value =~ /^[0-9A-Fa-f:]+$/
+      aki_value
+    else
+      raise ArgumentError, 'Could not parse Authority Key Identifier'
+    end
+
+    key_identifier = hex_string.split(':').map { |hex| hex.to_i(16).chr }.join
+    serial_der = OpenSSL::ASN1::Integer.new(cert.serial).to_der
+    serial_value = OpenSSL::ASN1.decode(serial_der).value.to_s(2)
+
+    aki_b64 = urlsafe_base64(key_identifier)
+    serial_b64 = urlsafe_base64(serial_value)
+
+    "#{aki_b64}.#{serial_b64}"
+  end
 end

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.26'.freeze
+    VERSION = '2.0.28'.freeze
   end
 end

data/lib/acme/client.rb

@@ -20,6 +20,7 @@ require 'acme/client/self_sign_certificate'
 require 'acme/client/resources'
 require 'acme/client/jwk'
 require 'acme/client/error'
+require 'acme/client/error/rate_limited'
 require 'acme/client/util'
 require 'acme/client/chain_identifier'
 
@@ -135,12 +136,13 @@ class Acme::Client
     @kid ||= account.kid
   end
 
-  def new_order(identifiers:, not_before: nil, not_after: nil, profile: nil)
+  def new_order(identifiers:, not_before: nil, not_after: nil, profile: nil, replaces: nil)
     payload = {}
     payload['identifiers'] = prepare_order_identifiers(identifiers)
     payload['notBefore'] = not_before if not_before
     payload['notAfter'] = not_after if not_after
     payload['profile'] = profile if profile
+    payload['replaces'] = replaces if replaces
 
     response = post(endpoint_for(:new_order), payload: payload)
     arguments = attributes_from_order_response(response)
@@ -223,6 +225,15 @@ class Acme::Client
     response.success?
   end
 
+  def renewal_info(certificate:)
+    cert_id = Acme::Client::Util.ari_certificate_identifier(certificate)
+    renewal_info_url = URI.join(endpoint_for(:renewal_info).to_s + '/', cert_id).to_s
+
+    response = get(renewal_info_url)
+    attributes = attributes_from_renewal_info_response(response)
+    Acme::Client::Resources::RenewalInfo.new(self, **attributes)
+  end
+
   def get_nonce
     http_client = Acme::Client::HTTPClient.new_connection(url: endpoint_for(:new_nonce), options: @connection_options)
     response = http_client.head(nil, nil)
@@ -320,6 +331,16 @@ class Acme::Client
     extract_attributes(response.body, :status, :url, :token, :type, :error, :validated)
   end
 
+  def attributes_from_renewal_info_response(response)
+    attributes = extract_attributes(
+      response.body,
+      [:suggested_window, 'suggestedWindow'],
+      [:explanation_url, 'explanationURL']
+    )
+    attributes[:retry_after] = response.headers['retry-after'] if response.headers['retry-after']
+    attributes
+  end
+
   def extract_attributes(input, *attributes)
     attributes
       .map {|fields| Array(fields) }

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.26
+  version: 2.0.28
 platform: ruby
 authors:
 - Charles Barbier
 bindir: bin
 cert_chain: []
-date: 2025-09-24 00:00:00.000000000 Z
+date: 2025-11-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -155,6 +155,7 @@ files:
 - lib/acme/client/certificate_request/ec_key_patch.rb
 - lib/acme/client/chain_identifier.rb
 - lib/acme/client/error.rb
+- lib/acme/client/error/rate_limited.rb
 - lib/acme/client/http_client.rb
 - lib/acme/client/jwk.rb
 - lib/acme/client/jwk/base.rb
@@ -172,6 +173,7 @@ files:
 - lib/acme/client/resources/challenges/unsupported_challenge.rb
 - lib/acme/client/resources/directory.rb
 - lib/acme/client/resources/order.rb
+- lib/acme/client/resources/renewal_info.rb
 - lib/acme/client/self_sign_certificate.rb
 - lib/acme/client/util.rb
 - lib/acme/client/version.rb