acme_nsupdate 0.3.2 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 32a1bde5ca74c8eaf4a6f1aa2ede91a30dda38e1
-  data.tar.gz: 44e2a5ecd61941bf5e467fcbb1fe42bb6a4cebb8
+SHA256:
+  metadata.gz: bc260ec101b559b2dfd436b9e0b5966b2311c37b32094b868df7bb334aee9312
+  data.tar.gz: 0a0de9a4ba9e2b098216ad042ff7be40c58c92e10695bf40996f8f7a4354e688
 SHA512:
-  metadata.gz: 28a1ce36f68802da49560a58817b5c8948ca3c558dc9ff77594a323d0e560dde0e148c5cb8cb96a7c82ab15bc881386f0f581d0b6ae1e0f55875f3493d733d01
-  data.tar.gz: fa53966b1dd97027a6676bca98436ad1dcbce484cfaa997a51f8f278eea948a9aeb2a74614d2d8d6ab4007ec2a688d132051daa7acd2594f0b9f165fe08fdf43
+  metadata.gz: f443e2e27948180e54b17af0a4b3f71829544ff6f4ff2407bf8c2245812dd0cda7554b140047f8adfbbc303dcefcc93ee68ebf3f3b22a488f85eea59e28120dd
+  data.tar.gz: 294fe014df4df6dd2800d7ddae0bdfcd4b944d0bb77753d77edc5cc04704bf4f7441d68d4f5e2978c2464c8eaf0739816ad405c093b8a17d905b7331f52efec9

data/lib/acme_nsupdate/cli.rb

@@ -12,7 +12,7 @@ module AcmeNsupdate
         o.string  "-t", "--ttl",       "The TTLs of the TXT and TLSA records created, separated by a comma. Defaults to 60,43200", default: "60,43200"
         o.bool    "-k", "--keep",      "Skip removing any kind of temporary data after successfully obtaining the certificate."
         o.string  "-K", "--tsig",      "TSIG key to use for DNS updates. Expected format is name:key."
-        o.string  "-e", "--endpoint",  "ACME API endpoint. Defaults to: https://acme-v01.api.letsencrypt.org", default: "https://acme-v01.api.letsencrypt.org"
+        o.string  "-e", "--endpoint",  "ACME API endpoint directory. Defaults to: https://acme-v02.api.letsencrypt.org/directory", default: "https://acme-v02.api.letsencrypt.org/directory"
         o.string  "-D", "--datadir",   "Base directory for certificates and account keys. Defaults to: /etc/letsencrypt", default: "/etc/letsencrypt"
         o.string  "-c", "--contact",   "Contact mail address."
         o.integer "-l", "--keylength", "Length of the generated RSA keys. Defaults to 2048.", default: 2048

data/lib/acme_nsupdate/client.rb

@@ -34,13 +34,13 @@ module AcmeNsupdate
       end
 
       register_account
-      challenges = @verification_strategy.verify_domains
+      order, challenges = @verification_strategy.verify_domains
       logger.info "Requesting certificate"
-      certificate = client.new_certificate csr
+      certificate = fetch_certificate order
       write_files live_path, certificate, private_key
       write_files archive_path, certificate, private_key
       @verification_strategy.cleanup challenges unless @options[:keep]
-      publish_tlsa_records certificate.x509
+      publish_tlsa_records certificate
     rescue Nsupdate::Error
       abort "nsupdate failed." # detail logged in Nsupdate
     end
@@ -49,12 +49,11 @@ module AcmeNsupdate
       return if account_key_path.exist?
 
       logger.debug "No key found at #{account_key_path}, registering"
-      registration = client.register contact: "mailto:#{@options[:contact]}"
-      registration.agree_terms
+      client.new_account contact: "mailto:#{@options[:contact]}", terms_of_service_agreed: true
     end
 
     def client
-      @client ||= Acme::Client.new(private_key: account_key, endpoint: @options[:endpoint]).tap do |client|
+      @client ||= Acme::Client.new(private_key: account_key, directory: @options[:endpoint]).tap do |client|
         client.connection.response :detailed_logger, @logger if @options[:verbose]
       end
     end
@@ -94,6 +93,16 @@ module AcmeNsupdate
       end
     end
 
+    def fetch_certificate order
+      order.finalize csr
+      while order.status == 'processing'
+        sleep 3
+        order.reload
+      end
+      raise "Failed to fetch certificate, order failed." unless order.status == 'valid'
+      order.certificate
+    end
+
     def csr
       logger.debug "Generating CSR"
       Acme::Client::CertificateRequest.new(names: @options[:domains], private_key: private_key)
@@ -123,17 +132,15 @@ module AcmeNsupdate
       logger.debug "Writing #{path.join("key.pem")}"
       path.join("privkey.pem").write key.to_pem
       path.join("privkey.pem").chmod(0600)
-      logger.debug "Writing #{path.join("cert.pem")}"
-      path.join("cert.pem").write certificate.to_pem
-      logger.debug "Writing #{path.join("chain.pem")}"
-      path.join("chain.pem").write certificate.chain_to_pem
       logger.debug "Writing #{path.join("fullchain.pem")}"
-      path.join("fullchain.pem").write certificate.fullchain_to_pem
+      path.join("fullchain.pem").write certificate
     end
 
-    def publish_tlsa_records certificate
+    def publish_tlsa_records certificate_pem
       return if @options[:notlsa]
 
+      certificate = OpenSSL::X509::Certificate.new certificate_pem
+
       logger.info "Publishing TLSA records"
       old_contents = outdated_certificates.map {|certificate|
         "3 1 1 #{OpenSSL::Digest::SHA256.hexdigest(certificate.public_key.to_der)}"
@@ -177,9 +184,9 @@ module AcmeNsupdate
       @outdated_certificates ||= datadir
         .join("archive")
         .children
-        .select {|dir| dir.join(domain, "cert.pem").exist? }
+        .select {|dir| dir.join(domain, "fullchain.pem").exist? }
         .sort_by(&:basename)
-        .map {|path| OpenSSL::X509::Certificate.new path.join(domain, "cert.pem").read }
+        .map {|path| OpenSSL::X509::Certificate.new path.join(domain, "fullchain.pem").read }
         .tap(&:pop) # keep current
         .tap(&:pop) # keep previous
     end

data/lib/acme_nsupdate/strategies/dns01.rb

@@ -13,8 +13,8 @@ module AcmeNsupdate
         @client = client
       end
 
-      def publish_challenges
-        challenges = map_authorizations {|domain, authorization|
+      def publish_challenges(order)
+        challenges = map_authorizations(order) {|domain, authorization|
           challenge = authorization.dns01
           abort "Challenge dns-01 not supported by the given ACME server" unless challenge
 

data/lib/acme_nsupdate/strategies/http01.rb

@@ -13,8 +13,8 @@ module AcmeNsupdate
         @client = client
       end
 
-      def publish_challenges
-        map_authorizations {|domain, authorization|
+      def publish_challenges(order)
+        map_authorizations(order) {|domain, authorization|
           challenge = authorization.http01
           abort "Challenge http-01 not supported by this ACME server" unless challenge
 

data/lib/acme_nsupdate/strategy.rb

@@ -16,39 +16,40 @@ module AcmeNsupdate
 
     def verify_domains
       @client.logger.info("Validating domains")
-      publish_challenges.tap do |challenges|
+      order = @client.client.new_order identifiers: @client.options[:domains]
+      challenges = publish_challenges(order).tap do |challenges|
         wait_for_verification challenges
       end
+      [order, challenges]
     end
 
 
     private
 
-    def map_authorizations
+    def map_authorizations(order)
       @client.logger.debug "Publishing challenges for #{@client.options[:domains].join(", ")}"
 
-      challenges = @client.options[:domains].map {|domain|
-        authorization = @client.client.authorize domain: domain
+      order.authorizations.map {|authorization|
         if authorization.status == "valid"
-          @client.logger.debug("Skipping challenge for #{domain}, already valid.")
+          @client.logger.debug("Skipping challenge for #{authorization.domain}, already valid.")
           next
         end
 
-        challenge = yield domain, authorization
+        challenge = yield authorization.domain, authorization
         unless challenge
-          @client.logger.debug("Skipping challenge for #{domain}, not solvable.")
+          @client.logger.debug("Skipping challenge for #{authorization.domain}, not solvable.")
           next
         end
 
-        [domain, challenge]
+        [authorization.domain, challenge]
       }.compact.to_h
     end
 
     def wait_for_verification challenges
       @client.logger.debug("Requesting verification")
-      challenges.each_value(&:request_verification)
+      challenges.each_value(&:request_validation)
       @client.logger.debug("Waiting for verification")
-      challenges.map {|_, challenge| Thread.new { sleep(5) while challenge.verify_status == "pending" } }.each(&:join)
+      challenges.map {|_, challenge| Thread.new { sleep(5) while challenge.status == "pending" } }.each(&:join)
       challenges.each do |domain, challenge|
         raise "Verification of #{domain} failed: #{challenge.error}" unless challenge.status == "valid"
       end

data/lib/acme_nsupdate/version.rb

@@ -1,3 +1,3 @@
 module AcmeNsupdate
-  VERSION = "0.3.2"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: acme_nsupdate
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.4.0
 platform: ruby
 authors:
 - Jonne Haß
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-09 00:00:00.000000000 Z
+date: 2020-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: slop
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: faraday-detailed_logger
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -120,8 +120,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: ACME (Let's Encrypt) client with nsupdate (DDNS) integration.