RubyGems - acme-client - Versions diffs - 2.0.25 → 2.0.26 - Mend

acme-client 2.0.25 → 2.0.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/README.md +23 -2
data/lib/acme/client/resources/authorization.rb +7 -0
data/lib/acme/client/resources/challenges/dns_account01.rb +30 -0
data/lib/acme/client/resources/challenges.rb +3 -1
data/lib/acme/client/version.rb +1 -1
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 57864d566a88b4298a243bfaa6f34b5556a7aa1f36f41fd4e61636d0e7fae74e
-  data.tar.gz: c68a9476baa8fad93f9373e16d3dad6249edb2cc7f007d0d1bf4386cf0cf7f6e
+  metadata.gz: f24f8baac91c1bff36891f14b0ec6d1fb3a9265cf771f2ae943b49dac5a96d2e
+  data.tar.gz: 4f84da04feeea6ae55ab875ab835194bf71182e8cabf7d56e574d79d80e988ae
 SHA512:
-  metadata.gz: c2cb942f81bfb49f952f955b9eea415b86718c8fe4fb3426cf7cdc1fcb8925b97dfe20e07300480fef894b6438ab5b2046d670564f8bc66a8a80bd5f14e2a282
-  data.tar.gz: f5343edaa0fb6543d2f37e6017732969e63e687c9db877ff8ba188444244e1a180b59cedfbbef12d021a702f65cb089fc08f0ec79ab2363b660343d9df421f5c
+  metadata.gz: 1e4a73d22af2fec3e323859f5386308c046c32b443952f81c9ce1811562eae0ec92c0a3bd683c0806bd85ca605bda5468bdf7534b224b94a65a7fe1b1222cce4
+  data.tar.gz: 84722131dd304475f45459ff78b4a0eda6ccf1a6d0aa2ffbdb2092cb17446ffc62db288ba429ee6a2080779dde273487718cddf27cc7d07b1850210401222b63

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## `2.0.26`
+* Add support for dns-account-01 challenge (RFC draft-ietf-acme-dns-account-label-01)
 ## `2.0.25`
 * Add support for profiles extension

data/README.md CHANGED Viewed

@@ -120,9 +120,11 @@ To order a new certificate, the client must provide a list of identifiers.
 The returned order will contain a list of `Authorization` that need to be completed in other to finalize the order, generally one per identifier.
-Each authorization contains multiple challenges, typically a `dns-01` and a `http-01` challenge. The applicant is only required to complete one of the challenges.
+Each authorization contains multiple challenges, typically a `dns-01`, `dns-account-01`, and a `http-01` challenge. The applicant is only required to complete one of the challenges.
-You can access the challenge you wish to complete using the `#dns` or `#http` method.
+The `dns-account-01` challenge prepends an account-specific label before `_acme-challenge`, producing a record name of the form `_<label>._acme-challenge` so different clients can validate the same domain concurrently.
+You can access the challenge you wish to complete using the `#dns`, `#dns_account`, or `#http` methods.
 ```ruby
 order = client.new_order(identifiers: ['example.com'])
@@ -165,6 +167,25 @@ dns_challenge.record_type # => 'TXT'
 dns_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
 ```
+### Preparing for DNS-Account-01 challenge
+To complete the DNS-Account-01 challenge, you must set a DNS TXT record using an account-specific name. This allows multiple ACME clients to validate the same domain concurrently without conflicts.
+The DNSAccount01 object has utility methods to generate the required DNS record:
+```ruby
+dns_account_challenge = authorization.dns_account
+dns_account_challenge.record_name    # => '_ujmmovf2vn55tgye._acme-challenge'
+dns_account_challenge.record_type    # => 'TXT'
+dns_account_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
+```
+The record name includes an account-specific label derived from your account URL, ensuring different clients can validate simultaneously:
+- **DNS-01**: `_acme-challenge.example.com` (shared)
+- **DNS-Account-01**: `_ujmmovf2vn55tgye._acme-challenge.example.com` (account-specific)
 ### Requesting a challenge verification
 Once you are ready to complete the challenge, you can request the server perform the verification.

data/lib/acme/client/resources/authorization.rb CHANGED Viewed

@@ -38,6 +38,13 @@ class Acme::Client::Resources::Authorization
   end
   alias_method :dns, :dns01
+  def dns_account_01
+    @dns_account_01 ||= challenges.find { |challenge|
+      challenge.is_a?(Acme::Client::Resources::Challenges::DNSAccount01)
+    }
+  end
+  alias_method :dns_account, :dns_account_01
   def to_h
     {
       url: url,

data/lib/acme/client/resources/challenges/dns_account01.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+# DNS-Account-01 challenge following draft-ietf-acme-dns-account-label-01
+# Enables multiple ACME clients to validate the same domain concurrently
+class Acme::Client::Resources::Challenges::DNSAccount01 < Acme::Client::Resources::Challenges::Base
+  CHALLENGE_TYPE = 'dns-account-01'.freeze
+  RECORD_PREFIX = '_'.freeze
+  RECORD_SUFFIX = '._acme-challenge'.freeze
+  RECORD_TYPE = 'TXT'.freeze
+  DIGEST = OpenSSL::Digest::SHA256
+  BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'.freeze # RFC 4648 lowercase alphabet
+  # Generates account-specific DNS record name using SHA256(account_url) + Base32
+  # Format: _<base32_label>._acme-challenge
+  def record_name
+    digest = DIGEST.digest(@client.kid)[0, 10] # First 10 octets for label
+    bits = digest.unpack1('B*')
+    label = bits.scan(/.{5}/).map { |chunk| BASE32_ALPHABET[chunk.to_i(2)] }.join
+    "#{RECORD_PREFIX}#{label}#{RECORD_SUFFIX}"
+  end
+  def record_type
+    RECORD_TYPE
+  end
+  def record_content
+    Acme::Client::Util.urlsafe_base64(DIGEST.digest(key_authorization))
+  end
+end

data/lib/acme/client/resources/challenges.rb CHANGED Viewed

@@ -4,11 +4,13 @@ module Acme::Client::Resources::Challenges
   require 'acme/client/resources/challenges/base'
   require 'acme/client/resources/challenges/http01'
   require 'acme/client/resources/challenges/dns01'
+  require 'acme/client/resources/challenges/dns_account01'
   require 'acme/client/resources/challenges/unsupported_challenge'
   CHALLENGE_TYPES = {
     'http-01' => Acme::Client::Resources::Challenges::HTTP01,
-    'dns-01' => Acme::Client::Resources::Challenges::DNS01
+    'dns-01' => Acme::Client::Resources::Challenges::DNS01,
+    'dns-account-01' => Acme::Client::Resources::Challenges::DNSAccount01
   }
   def self.new(client, type:, **arguments)

data/lib/acme/client/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Acme
   class Client
-    VERSION = '2.0.25'.freeze
+    VERSION = '2.0.26'.freeze
   end
 end

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.25
+  version: 2.0.26
 platform: ruby
 authors:
 - Charles Barbier
 bindir: bin
 cert_chain: []
-date: 2025-08-07 00:00:00.000000000 Z
+date: 2025-09-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -167,6 +167,7 @@ files:
 - lib/acme/client/resources/challenges.rb
 - lib/acme/client/resources/challenges/base.rb
 - lib/acme/client/resources/challenges/dns01.rb
+- lib/acme/client/resources/challenges/dns_account01.rb
 - lib/acme/client/resources/challenges/http01.rb
 - lib/acme/client/resources/challenges/unsupported_challenge.rb
 - lib/acme/client/resources/directory.rb