acmesmith 0.11.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 9103307f7ec55de437d48f87b97234fde521c25378ccf0d874a4dafee084bfa4
-  data.tar.gz: 3068795e54de705a900c98520c2568416ac38e63038313cee67ba43c3a6665ce
+SHA1:
+  metadata.gz: b8046774804fb258740fcaaf2bbb19c823618082
+  data.tar.gz: 4b4c648818d71005f48d216aa12f63be9a292cfe
 SHA512:
-  metadata.gz: 8993dbe4814bf78af2cd5ecb03ca392fbbd1c00a8a770c596a917de37b5dca1e39568fb7b243b7223503c1378d9673f41ca91158a440fcb89f3eced562a2c6ca
-  data.tar.gz: aa3a6c64a357df063253b094f5ad85070932537e0baf8636f81d15530b080a2bd13885af4015e5e22d5f954a69f2d2143a49c631f2714bcc0ebdfd9dd03b86e8
+  metadata.gz: 8100bb4a174e42bce6e3a74d997c2cb59e40be2ebeb1c7dffb89b7e92ba408417dd57a2ed7f495d65e7ca24f027c4119deb38b627e0ecd337833c41946a57a4a
+  data.tar.gz: 589c69691b1e55f5e39af424232acedd918108aecb88e14e4e0d4f1c1fa6e85c6837ee0d36fd0821005de649a38f2d10322334d160d0832c963718bb06abe01a

data/CHANGELOG.md

@@ -0,0 +1,63 @@
+## v2.0.0 (2018-05-18)
+
+### Notable changes
+
+- Support ACME v2
+- Drop ACME v1 support
+- Challenge responder
+  - New `dns-01` challenge responder `manual_dns` is bundled for manual DNS intervention.
+  - New API to allow challenge responders to respond many challenges at once, for efficiency
+    - Added its support to `route53` responder 
+
+#### Compatibility note
+
+- `config['endpoint']` is removed. Use `config['directory']` to specify ACME v2 directory resource URL.
+- The deprecated `config['post_issueing_hook']` is removed as planned.
+
+### CLI
+
+#### Compatibility note
+
+- Renamed several subcommands due to the changes in ACME (v2) semantics.
+
+  - `acmesmith register` -> `acmesmith new-account`
+  - `acmesmith request` -> `acmesmith order`
+
+  The previous names remain working, but are now marked as deprecated. These will be removed in the future release.
+
+- Place warning for `acmesmith authorize` due to lack of implementation
+
+  (At this moment, LE doesn't provide new-authz API)
+
+### API and Internals
+
+(Interface of `Client` class is still in beta. It's designed to be an external API, but interface are still subject to change)
+
+#### Compatibility note
+
+- `config['endpoint']` is removed. Use `config['directory']` to specify ACME v2 directory resource URL.
+- Several renames due to the changes in ACME (v2) semantics.
+
+  - `Client#register` -> `new_account`
+  - `Client#request` -> `order`
+
+- Place warning for `Client#authorize` due to lack of implementation
+
+  (At this moment, LE doesn't provide new-authz API)
+
+- `Certificate#chain` now returns `Array<OpenSSL::X509::Certificate>`. Use `Certificate#chain_pems` to retrieve in `String`.
+
+  Note: Value for `:chain` key in a `Hash` returned by `Certificate#export` is kept `String` for Storages plugin compatibility.
+
+#### New Features
+
+- `ChallengeResponders::Base` now allows to respond many challenges at once.
+  - Added `#respond_all` and `#cleanup_all()` method to respond many challenges.
+  - Added `#cap_respond_all?` method to indicate a responder instance supports this capability or not.
+  - Base class now implements `respond`, `cleanup` for classes which implement only the new `*_all` method.
+
+
+
+## Prior versions
+
+See https://github.com/sorah/acmesmith/releases

data/README.md

@@ -1,4 +1,4 @@
-# Acmesmith: A simple, effective ACME client to use with many servers and a cloud
+# Acmesmith: A simple, effective ACME v2 client to use with many servers and a cloud
 
 Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://github.com/ietf-wg-acme/acme) client that works perfect on environment with multiple servers. This client saves certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy issued certificates onto your servers smoothly. This works well on [Let's encrypt](https://letsencrypt.org).
 
@@ -6,20 +6,15 @@ This tool is written in Ruby, but Acmesmith saves certificates in simple scheme,
 
 ## Features
 
-- ACME client designed to work on multiple servers
+- ACME v2 client designed to work on multiple servers
 - ACME registration, domain authorization, certificate requests 
   - Tested against [Let's encrypt](https://letsencrypt.org)
 - Storing keys in several ways
 - Challenge response
 - Many cloud services support
-  - AWS S3 storage and Route53 `dns-01` responder support out-of-the-box
+  - AWS S3 storage and Route 53 `dns-01` responder support out-of-the-box
   - 3rd party plugins available for OpenStack designate, Google Cloud DNS, simple http-01, and Google Cloud Storage. See [Plugins](#3rd-party-plugins) below
 
-### Planned
-
-- Automated deployments support (post issurance hook)
-- Example shellscripts to fetch certificates
-
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -39,12 +34,11 @@ Or install it yourself as:
 ## Usage
 
 ```
-$ acmesmith register CONTACT              # Create account key (contact e.g. mailto:xxx@example.org)
+$ acmesmith new-account CONTACT              # Create account key (contact e.g. mailto:xxx@example.org)
 ```
 
 ```
-$ acmesmith authorize DOMAIN              # Get authz for DOMAIN.
-$ acmesmith request COMMON_NAME [SAN]     # request certificate for CN +COMMON_NAME+ with SANs +SAN+
+$ acmesmith order COMMON_NAME [SAN]     # request certificate for CN +COMMON_NAME+ with SANs +SAN+
 $ acmesmith add-san COMMON_NAME [SAN]     # re-request existing certificate of CN with additional SAN(s)
 ```
 
@@ -77,8 +71,8 @@ See `acmesmith help [subcommand]` for more help.
 See [config.sample.yml](./config.sample.yml) to start. Default configuration file is `./acmesmith.yml`.
 
 ``` yaml
-endpoint: https://acme-staging.api.letsencrypt.org/
-# endpoint: https://acme-v01.api.letsencrypt.org/ # productilon
+directory: https://acme-staging-v02.api.letsencrypt.org/
+# directory: https://acme-v02.api.letsencrypt.org/ # productilon
 
 storage:
   # configure where to store keys and certificates; described later

data/acmesmith.gemspec

@@ -21,7 +21,7 @@ Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://gi
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "acme-client", '~> 1'
+  spec.add_dependency "acme-client", '~> 2'
   spec.add_dependency "aws-sdk-acm"
   spec.add_dependency "aws-sdk-route53"
   spec.add_dependency "aws-sdk-s3"

data/config.sample.yml

@@ -1,5 +1,6 @@
-endpoint: https://acme-staging.api.letsencrypt.org/
-# endpoint: https://acme-v01.api.letsencrypt.org/
+directory: https://acme-staging-v02.api.letsencrypt.org/directory
+# directory: https://acme-v02.api.letsencrypt.org/directory
+
 storage:
   type: s3
   region: 'ap-northeast-1'

data/lib/acmesmith/certificate.rb

@@ -4,8 +4,13 @@ module Acmesmith
   class Certificate
     class PassphraseRequired < StandardError; end
 
-    def self.from_acme_client_certificate(c)
-      new c.x509, c.chain_to_pem, c.request.private_key, nil, c.request.csr
+    def self.split_pems(pems)
+      pems.each_line.slice_before(/^-----BEGIN CERTIFICATE-----$/).map(&:join)
+    end
+
+    def self.by_issuance(pem_chain, csr)
+      pems = split_pems(pem_chain)
+      new(*pems, csr.private_key, nil, csr)
     end
 
     def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil)
@@ -17,14 +22,27 @@ module Acmesmith
                      else
                         raise TypeError, 'certificate is expected to be a String or OpenSSL::X509::Certificate'
                      end
-      @chain = case chain
-               when String
-                 chain
-               when nil
-                 chain
-               else
-                 raise TypeError, 'chain is expected to be a String'
-               end
+      chain = case chain
+              when String
+                self.class.split_pems(chain)
+              when Array
+                chain
+              when nil
+                []
+              else
+                raise TypeError, 'chain is expected to be an Array<String or OpenSSL::X509::Certificate> or nil'
+              end
+
+      @chain = chain.map { |cert|
+        case cert
+        when OpenSSL::X509::Certificate
+          cert
+        when String
+          OpenSSL::X509::Certificate.new(cert)
+        else
+          raise TypeError, 'chain is expected to be an Array<String or OpenSSL::X509::Certificate> or nil'
+        end
+      }
 
       case private_key
       when String
@@ -71,7 +89,11 @@ module Acmesmith
     end
 
     def fullchain
-      "#{certificate.to_pem}\n#{chain}".gsub(/\n+/,?\n)
+      "#{certificate.to_pem}\n#{issuer_pems}".gsub(/\n+/,?\n)
+    end
+
+    def issuer_pems
+      chain.map(&:to_pem).join("\n")
     end
 
     def common_name
@@ -91,8 +113,9 @@ module Acmesmith
     def export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc'))
       {}.tap do |h|
         h[:certificate] = certificate.to_pem
-        h[:chain] = chain
+        h[:chain] = issuer_pems
         h[:fullchain] = fullchain
+
         h[:private_key] = if passphrase
           private_key.export(cipher, passphrase)
         else

data/lib/acmesmith/challenge_responders/base.rb

@@ -1,19 +1,57 @@
 module Acmesmith
   module ChallengeResponders
     class Base
+      # Return supported challenge types
       def support?(type)
         raise NotImplementedError
       end
 
+      # Return 'true' if implements respond_all method.
+      def cap_respond_all?
+        false
+      end
+
       def initialize()
       end
 
-      def respond(challenge)
-        raise NotImplementedError
+      # Respond to the given challenges (1 or more).
+      def respond_all(*domain_and_challenges)
+        if cap_respond_all?
+          raise NotImplementedError
+        else
+          domain_and_challenges.each do |dc|
+            respond(*dc)
+          end
+        end
       end
 
-      def cleanup(challenge)
-        raise NotImplementedError
+      # Clean up responses for the given challenges (1 or more).
+      def cleanup_all(*domain_and_challenges)
+        if cap_respond_all?
+          raise NotImplementedError
+        else
+          domain_and_challenges.each do |dc|
+            cleanup(*dc)
+          end
+        end
+      end
+
+      # If cap_respond_all? is true, you don't need to implement this method.
+      def respond(domain, challenge)
+        if cap_respond_all?
+          respond_all([domain, challenge])
+        else
+          raise NotImplementedError
+        end
+      end
+
+      # If cap_respond_all? is true, you don't need to implement this method.
+      def cleanup(domain, challenge)
+        if cap_respond_all?
+          cleanup_all([domain, challenge])
+        else
+          raise NotImplementedError
+        end
       end
     end
   end

data/lib/acmesmith/challenge_responders/manual_dns.rb

@@ -0,0 +1,45 @@
+require 'acmesmith/challenge_responders/base'
+
+module Acmesmith
+  module ChallengeResponders
+    class ManualDns < Base
+      class HostedZoneNotFound < StandardError; end
+      class AmbiguousHostedZones < StandardError; end
+
+      def support?(type)
+        # Acme::Client::Resources::Challenges::DNS01
+        type == 'dns-01'
+      end
+
+      def initialize(options={})
+      end
+
+      def respond(domain, challenge)
+        puts "=> Responding challenge dns-01 for #{domain}"
+        puts
+
+        domain = canonical_fqdn(domain)
+        record_name = "#{challenge.record_name}.#{domain}"
+        record_type = challenge.record_type
+        record_content = "\"#{challenge.record_content}\""
+
+        puts "#{record_name}. 5 IN #{record_type} #{record_content}"
+
+        puts "(Hit enter when DNS record get ready)"
+        $stdin.gets
+      end
+
+      def cleanup(domain, challenge)
+        domain = canonical_fqdn(domain)
+        record_name = "#{challenge.record_name}.#{domain}"
+        puts "=> It's now okay to delete DNS record for #{record_name}"
+      end
+
+      private
+
+      def canonical_fqdn(domain)
+        "#{domain}.".sub(/\.+$/, '')
+      end
+    end
+  end
+end

data/lib/acmesmith/challenge_responders/route53.rb

@@ -13,6 +13,10 @@ module Acmesmith
         type == 'dns-01'
       end
 
+      def cap_respond_all?
+        true
+      end
+
       def initialize(aws_access_key: nil, hosted_zone_map: {})
         @route53 = Aws::Route53::Client.new({region: 'us-east-1'}.tap do |opt| 
           opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
@@ -21,84 +25,102 @@ module Acmesmith
         @hosted_zone_cache = {}
       end
 
-      def respond(domain, challenge)
-        puts "=> Responding challenge dns-01 for #{domain} in #{self.class.name}"
+      def respond_all(*domain_and_challenges)
+        challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
 
-        domain = canonical_fqdn(domain)
-        record_name = "#{challenge.record_name}.#{domain}"
-        record_type = challenge.record_type
-        record_content = "\"#{challenge.record_content}\""
-        zone_id = find_hosted_zone(domain)
-
-        puts " * UPSERT: #{record_type} #{record_name.inspect}, #{record_content.inspect} on #{zone_id}"
-        change_resp =  @route53.change_resource_record_sets(
-          hosted_zone_id: zone_id, # required
-          change_batch: { # required
-            comment: "ACME challenge response",
-            changes: [
-              {
-                action: "UPSERT",
-                resource_record_set: { # required
-                  name: record_name,  # required
-                  type: record_type,
-                  ttl: 5,
-                  resource_records: [
-                    value: record_content
-                  ],
-                },
-              },
-            ],
-          },
-        )
-
-        change_id = change_resp.change_info.id
-        puts " * requested change: #{change_id}"
-
-        puts "=> Waiting for change"
-        while (resp = @route53.get_change(id: change_id)).change_info.status != 'INSYNC'
-          puts " * change #{change_id.inspect} is still #{resp.change_info.status.inspect} ..."
-          sleep 5
+        zone_and_batches = challenges_by_hosted_zone.map do |zone_id, dcs|
+          [zone_id, change_batch_for_challenges(dcs, action: 'UPSERT')]
         end
 
-        puts " * synced!"
+        change_ids = request_changing_rrset(zone_and_batches, comment: 'for challenge response')
+        wait_for_sync(change_ids)
       end
 
-      def cleanup(domain, challenge)
-        puts "=> Cleaning up challenge dns-01 for #{domain} in #{self.class.name}"
+      def cleanup_all(*domain_and_challenges)
+        challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
 
-        domain = canonical_fqdn(domain)
-        record_name = "#{challenge.record_name}.#{domain}"
-        record_type = challenge.record_type
-        record_content = "\"#{challenge.record_content}\""
-        zone_id = find_hosted_zone(domain)
-
-        puts " * DELETE: #{record_type} #{record_name.inspect}, #{record_content.inspect} on #{zone_id}"
-        change_resp =  @route53.change_resource_record_sets(
-          hosted_zone_id: zone_id, # required
-          change_batch: { # required
-            comment: "ACME challenge response: cleanup",
-            changes: [
-              {
-                action: "DELETE", # required, accepts CREATE, DELETE, UPSERT
-                resource_record_set: { # required
-                  name: record_name,  # required
-                  type: record_type,
-                  ttl: 5,
-                  resource_records: [
-                    value: record_content
-                  ],
-                },
-              },
-            ],
-          },
-        )
-
-        change_id = change_resp.change_info.id
-        puts " * requested: #{change_id}"
+        zone_and_batches = challenges_by_hosted_zone.map do |zone_id, dcs|
+          [zone_id, change_batch_for_challenges(dcs, action: 'DELETE', comment: '(cleanup)')]
+        end
+
+        request_changing_rrset(zone_and_batches, comment: 'to remove challenge responses')
       end
 
       private
 
+      def request_changing_rrset(zone_and_batches, comment: nil)
+        puts "=> Requesting RRSet change #{comment}"
+        puts
+        change_ids = zone_and_batches.map do |(zone_id, change_batch)|
+          puts " * #{zone_id}:"
+          change_batch.fetch(:changes).each do |b|
+            rrset = b.fetch(:resource_record_set)
+            puts "   - #{b.fetch(:action)}: #{rrset.fetch(:name)} #{rrset.fetch(:ttl)} #{rrset.fetch(:type)} #{rrset.dig(:resource_records, 0, :value)}"
+          end
+          print "   ... "
+
+          resp =  @route53.change_resource_record_sets(
+            hosted_zone_id: zone_id, # required
+            change_batch: change_batch,
+          )
+          change_id = resp.change_info.id
+
+          puts "[ ok ] #{change_id}"
+          puts
+          change_id
+        end
+
+        change_ids
+      end
+
+
+      def wait_for_sync(change_ids)
+        puts "=> Waiting for change to be in sync"
+        puts
+
+        all_sync = false
+        until all_sync
+          sleep 4
+
+          all_sync = true
+          change_ids.each do |id|
+            change = @route53.get_change(id: id)
+
+            sync = change.change_info.status == 'INSYNC'
+            all_sync = false unless sync
+
+            puts " * #{id}: #{change.change_info.status}"
+            sleep 0.2
+          end
+        end
+        puts
+
+      end
+
+      def change_batch_for_challenges(domain_and_challenges, comment: nil, action: 'UPSERT')
+        {
+          comment: "ACME challenge response #{comment}",
+          changes: domain_and_challenges.map do |d,c|
+            {
+              action: action,
+              resource_record_set: rrset_for_challenge(d,c),
+            }
+          end,
+        }
+      end
+
+      def rrset_for_challenge(domain, challenge)
+        domain = canonical_fqdn(domain)
+        {
+          name: "#{challenge.record_name}.#{domain}",
+          type: challenge.record_type,
+          ttl: 5,
+          resource_records: [
+            value: "\"#{challenge.record_content}\"",
+          ],
+        }
+      end
+
       def canonical_fqdn(domain)
         "#{domain}.".sub(/\.+$/, '')
       end

data/lib/acmesmith/client.rb

@@ -1,7 +1,7 @@
 require 'acmesmith/account_key'
-require 'acmesmith/acme_client'
 require 'acmesmith/certificate'
 require 'acmesmith/save_certificate_service'
+require 'acme-client'
 
 module Acmesmith
   class Client
@@ -9,100 +9,57 @@ module Acmesmith
       @config ||= config
     end
 
-    def register(contact)
+    def new_account(contact, tos_agreed: true)
       key = AccountKey.generate
-      acme = AcmeClient.new(key, config['endpoint'])
-      registration = acme.register(contact)
-      registration.agree_terms
+      acme = Acme::Client.new(private_key: key.private_key, directory: config.fetch('directory'))
+      client = acme.new_account(contact: contact, terms_of_service_agreed: tos_agreed)
 
       storage.put_account_key(key, account_key_passphrase)
 
       key
     end
 
-    def authorize(*domains)
-      targets = domains.map do |domain|
-        authz = acme.authorize(domain)
-        challenges = [authz.http01, authz.dns01, authz.tls_sni01].compact
-        challenge = nil
-        responder = config.challenge_responders.find do |x|
-          challenge = challenges.find { |_| x.support?(_.class::CHALLENGE_TYPE) }
-        end
-        {domain: domain, authz: authz, responder: responder, challenge: challenge}
+    def order(*identifiers, not_before: nil, not_after: nil)
+      puts "=> Ordering a certificate for the following identifiers:"
+      puts
+      identifiers.each do |id|
+        puts " * #{id}"
       end
-
-      begin
-        targets.each do |target|
-          target[:responder].respond(target[:domain], target[:challenge])
+      puts
+      puts "=> Generating CSR"
+      csr = Acme::Client::CertificateRequest.new(subject: { common_name: identifiers.first }, names: identifiers[1..-1])
+      puts "=> Placing an order"
+      order = acme.new_order(identifiers: identifiers, not_before: not_before, not_after: not_after)
+
+      unless order.authorizations.empty? || order.status == 'ready'
+        puts "=> Looking for required domain authorizations"
+        puts
+        order.authorizations.map(&:domain).each do |domain|
+          puts " * #{domain}"
         end
+        puts
 
-        targets.each do |target|
-          puts "=> Requesting verifications..."
-          acme.request_verification(target[:challenge])
-        end
-          loop do
-            all_valid = true
-            targets.each do |target|
-              next if target[:valid]
-
-              status = acme.verify_status(target[:challenge])
-              puts " * [#{target[:domain]}] verify_status: #{status}"
-
-              if status == 'valid'
-                target[:valid] = true
-                next
-              end
-
-              all_valid = false
-              if status == "invalid"
-                err = target[:challenge].error
-                puts " ! [#{target[:domain]}] #{err["type"]}: #{err["detail"]}"
-              end
-            end
-            break if all_valid
-            sleep 3
-          end
-          puts "=> Done"
-      ensure
-        targets.each do |target|
-          target[:responder].cleanup(target[:domain], target[:challenge])
-        end
+        process_authorizations(order.authorizations)
       end
-    end
 
-    def request(common_name, *sans)
-      csr = Acme::Client::CertificateRequest.new(common_name: common_name, names: sans)
-      retried = false
-      acme_cert = begin
-        acme.new_certificate(csr)
-      rescue Acme::Client::Error::Unauthorized => e
-        raise unless config.auto_authorize_on_request
-        raise if retried
-
-        puts "=> Authorizing unauthorized domain names"
-        # https://github.com/letsencrypt/boulder/blob/b9369a481415b3fe31e010b34e2ff570b89e42aa/ra/ra.go#L604
-        m = e.message.match(/authorizations for these names not found or expired: ((?:[a-zA-Z0-9_.\-]+(?:,\s+|$))+)/)
-        if m && m[1]
-          domains = m[1].split(/,\s+/)
-        else
-          warn " ! Error message on certificate request was #{e.message.inspect} and acmesmith couldn't determine which domain names are unauthorized (maybe a bug)"
-          warn " ! Attempting to authorize all domains in this certificate reuqest for now."
-          domains = [common_name, *sans]
-        end
-        puts " * #{domains.join(', ')}"
-        authorize(*domains)
-        retried = true
-        retry
-      end
+      cert = process_order_finalization(order, csr)
 
-      cert = Certificate.from_acme_client_certificate(acme_cert)
+      puts "=> Certificate issued"
+      puts
+      print " * securing into the storage ..."
       storage.put_certificate(cert, certificate_key_passphrase)
+      puts " [ ok ]"
+      puts
 
       execute_post_issue_hooks(cert)
 
       cert
     end
 
+    def authorize(*identifiers)
+      raise NotImplementedError, "Domain authorization in advance is still not available in acme-client (v2). Required authorizations will be performed when ordering certificates"
+    end
+
     def post_issue_hooks(common_name)
       cert = storage.get_certificate(common_name)
       execute_post_issue_hooks(cert)
@@ -110,9 +67,12 @@ module Acmesmith
 
     def execute_post_issue_hooks(certificate)
       hooks = config.post_issuing_hooks(certificate.common_name)
+      return if hooks.empty?
+      puts "=> Executing post issuing hooks for CN=#{certificate.common_name}"
       hooks.each do |hook|
         hook.run(certificate: certificate)
       end
+      puts
     end
 
     def certificate_versions(common_name)
@@ -201,7 +161,7 @@ module Acmesmith
         puts "   Not valid after: #{not_after}"
         next unless (cert.certificate.not_after.utc - Time.now.utc) < (days.to_i * 86400)
         puts " * Renewing: CN=#{cert.common_name}, SANs=#{cert.sans.join(',')}"
-        request(cert.common_name, *cert.sans)
+        order(cert.common_name, *cert.sans)
       end
     end
 
@@ -210,11 +170,113 @@ module Acmesmith
       cert = storage.get_certificate(common_name)
       sans = cert.sans + add_sans
       puts " * SANs will be: #{sans.join(?,)}"
-      request(cert.common_name, *sans)
+      order(cert.common_name, *sans)
     end
 
     private
 
+    def process_order_finalization(order, csr)
+      puts "=> Finalizing the order"
+      puts
+
+      print " * Requesting..."
+      order.finalize(csr: csr)
+      puts" [ ok ]"
+
+      while %w(ready processing).include?(order.status)
+        order.reload()
+        puts " * Waiting for procession: status=#{order.status}"
+        sleep 2
+      end
+      puts
+
+      Certificate.by_issuance(order.certificate, csr)
+    end
+
+    def process_authorizations(authzs)
+      return if authzs.empty?
+
+      targets = authzs.map do |authz|
+        challenges = authz.challenges
+        challenge = nil
+        responder = config.challenge_responders.find do |x|
+          challenge = challenges.find { |_| x.support?(_.challenge_type) }
+        end
+        {domain: authz.domain, authz: authz, responder: responder, responder_id: responder.__id__, challenge: challenge}
+      end
+      target_by_responders = targets.group_by{ |_| _.fetch(:responder_id) }.map { |_, ts| [ts[0].fetch(:responder), ts] }
+
+      begin
+        target_by_responders.each do |responder, ts|
+          puts "=> Responsing to the challenges for the following identifier:"
+          puts
+          puts " * Responder:   #{responder.class}"
+          puts " * Identifiers:"
+          ts.each do |target|
+            puts "     - #{target.fetch(:domain)} (#{target.fetch(:challenge).challenge_type})"
+          end
+          puts
+
+          responder.respond_all(*ts.map{ |t| [t.fetch(:domain), t.fetch(:challenge)] })
+        end
+
+        puts "=> Requesting validations..."
+        puts
+        targets.each do |target|
+          print " * #{target[:domain]} (#{target[:challenge].challenge_type}) ..."
+          target[:challenge].request_validation()
+          puts " [ ok ]"
+        end
+        puts
+
+        puts "=> Waiting for the validation..."
+        puts
+
+        loop do
+          all_valid = true
+          any_error = false
+          targets.each do |target|
+            next if target[:valid]
+
+            target[:challenge].reload
+            status = target[:challenge].status
+
+            puts " * [#{target[:domain]}] status: #{status}"
+
+            if status == 'valid'
+              target[:valid] = true
+              next
+            end
+
+            all_valid = false
+            if status == 'invalid'
+              any_error = true
+              err = target[:challenge].error
+              puts " ! [#{target[:domain]}] error: #{err.inspect}"
+            end
+          end
+          break if all_valid || any_error
+          sleep 3
+        end
+        puts
+
+        target_by_responders.each do |responder, ts|
+          puts "=> Cleaning the responses the challenges for the following identifier:"
+          puts
+          puts " * Responder:   #{responder.class}"
+          puts " * Identifiers:"
+          ts.each do |target|
+            puts "     - #{target.fetch(:domain)} (#{target.fetch(:challenge).challenge_type})"
+          end
+          puts
+
+          responder.cleanup_all(*ts.map{ |t| [t.fetch(:domain), t.fetch(:challenge)] })
+        end
+
+        puts "=> Authorized!"
+      end
+    end
+
     def config
       @config
     end
@@ -230,7 +292,7 @@ module Acmesmith
     end
 
     def acme
-      @acme ||= AcmeClient.new(account_key, config['endpoint'])
+      @acme ||= Acme::Client.new(private_key: account_key.private_key, directory: config.fetch('directory'))
     end
 
     def certificate_key_passphrase

data/lib/acmesmith/command.rb

@@ -8,22 +8,36 @@ module Acmesmith
     class_option :config, default: './acmesmith.yml', aliases: %w(-c)
     class_option :passphrase_from_env,  type: :boolean, aliases: %w(-E), default: nil, desc: 'Read $ACMESMITH_ACCOUNT_KEY_PASSPHRASE and $ACMESMITH_CERTIFICATE_KEY_PASSPHRASE for passphrases'
 
-    desc "register CONTACT", "Create account key (contact e.g. mailto:xxx@example.org)"
-    def register(contact)
-      key = client.register(contact)
-      puts "Generated:\n#{key.private_key.public_key.to_pem}"
+    desc "new-account CONTACT", "Create account key (contact e.g. mailto:xxx@example.org)"
+    def new_account(contact)
+      puts "=> Creating an account ..."
+      key = client.new_account(contact)
+      puts "=> Public Key:"
+      puts "\n#{key.private_key.public_key.to_pem}"
     end
 
-    desc "authorize DOMAIN [DOMAIN ...]", "Get authz for DOMAIN."
+    desc "authorize DOMAIN [DOMAIN ...]", "(Implementation disabled for v2) Get authz for DOMAIN."
     def authorize(*domains)
-      client.authorize(*domains)
+      warn "! WARNING: 'acmesmith authorize' is not available"
+      warn "!"
+      warn "! TL;DR: Go ahead; Just run 'acmesmith order'."
+      warn "!"
+      warn "! Pre-authorization have not implemented yet in acme-client.gem (v2) library."
+      warn "! But, required domain authorizations will be performed automatically when ordering a certificate."
+      warn "!"
+      warn "! Pro Tips: Let's encrypt doesn't provide pre-authorization as of May 18, 2018."
+      warn "!"
+      # client.authorize(*domains)
     end
 
-    desc "request COMMON_NAME [SAN]", "request certificate for CN +COMMON_NAME+ with SANs +SAN+"
-    def request(common_name, *sans)
-      cert = client.request(common_name, *sans)
-      puts cert.certificate.to_text
-      puts cert.certificate.to_pem
+    desc "order COMMON_NAME [SAN]", "order certificate for CN +COMMON_NAME+ with SANs +SAN+"
+    method_option :show_certificate, type: :boolean, aliases: %w(-s), default: true, desc: 'show an issued certificate in PEM and text when exiting'
+    def order(common_name, *sans)
+      cert = client.order(common_name, *sans)
+      if options[:show_certificate]
+        puts cert.certificate.to_text
+        puts cert.certificate.to_pem
+      end
     end
 
     desc "post-issue-hooks COMMON_NAME", "Run all post-issuing hooks for common name. (for testing purpose)"
@@ -131,6 +145,29 @@ module Acmesmith
       client.add_san(common_name, *add_sans)
     end
 
+    desc "register CONTACT", "(deprecated, use 'acmesmith new-account')"
+    def register(contact)
+      warn "!"
+      warn "! DEPRECATION WARNING: Use 'acmesmith new-account' command"
+      warn "! There is no user-facing breaking changes. It takes the same arguments with 'acmesmith register'."
+      warn "!"
+      warn "! This is due to change in semantics of ACME v2. ACME v2 defines 'new-account' instead of 'register' in v1."
+      warn "!"
+      new_account(contact)
+    end
+
+    desc "request COMMON_NAME [SAN]", "(deprecated, use 'acmesmith order')"
+    method_option :show_certificate, type: :boolean, aliases: %w(-s), default: true, desc: 'show an issued certificate in PEM and text when exiting'
+    def request(common_name, *sans)
+      warn "!"
+      warn "! DEPRECATION WARNING: Use 'acmesmith order' command"
+      warn "! There is no user-facing breaking changes. It takes the same arguments with 'acmesmith request'."
+      warn "!"
+      warn "! This is due to change in semantics of ACME v2. ACME v2 defines 'order' instead of 'request' in v1."
+      warn "!"
+      order(common_name, *sans)
+    end
+
     private
 
     def client

data/lib/acmesmith/config.rb

@@ -19,13 +19,12 @@ module Acmesmith
         raise ArgumentError, "config['storage'] must be provided"
       end
 
-      unless @config['endpoint']
-        raise ArgumentError, "config['endpoint'] must be provided, e.g. https://acme-v01.api.letsencrypt.org/ or https://acme-staging.api.letsencrypt.org/"
+      if @config['endpoint'] and !@config['directory']
+        raise ArgumentError, "config['directory'] must be provided, e.g. https://acme-v02.api.letsencrypt.org/directory or https://acme-staging-v02.api.letsencrypt.org/directory\n\nNOTE: We have dropped ACME v1 support since acmesmith v2.0.0. Specify v2 directory API URL using config['directory']."
       end
 
-      if @config['post_issueing_hooks']
-        warn '!! Deprecation warning: configuration "post_issueing_hooks" is now "post_issuing_hooks" (what a typo!). It will not work in the future release.'
-        @config['post_issuing_hooks'] = @config.delete('post_issueing_hooks')
+      unless @config['directory']
+        raise ArgumentError, "config['directory'] must be provided, e.g. https://acme-v02.api.letsencrypt.org/directory or https://acme-staging-v02.api.letsencrypt.org/directory"
       end
     end
 
@@ -33,6 +32,10 @@ module Acmesmith
       @config[key]
     end
 
+    def fetch(*args)
+      @config.fetch(*args)
+    end
+
     def merge!(pair)
       @config.merge!(pair)
     end

data/lib/acmesmith/post_issuing_hooks.rb

@@ -1,26 +1,9 @@
 require 'acmesmith/utils/finder'
 
 module Acmesmith
-  module PostIssueingHooks
-    def self.find(name)
-      warn "!! DEPRECATION WARNING: PostIssueingHooks.find is deprecated, use PostIssuingHooks.find (#{caller[0]})"
-      return Utils::Finder.find(self, 'acmesmith/post_issueing_hooks', name)
-    end
-  end
-
   module PostIssuingHooks
     def self.find(name)
-      begin 
-        return Utils::Finder.find(self, 'acmesmith/post_issuing_hooks', name)
-      rescue Utils::Finder::NotFound => e
-        begin
-          klass = Utils::Finder.find(PostIssueingHooks, 'acmesmith/post_issueing_hooks', name)
-          warn "!! DEPRECATION WARNING (#{klass}): Placing in acmesmith/post_issueing_hooks/... is deprecated. Move to acmesmith/post_issuing_hooks/..."
-          return klass
-        rescue Utils::Finder::NotFound
-          raise e
-        end
-      end
+      Utils::Finder.find(self, 'acmesmith/post_issuing_hooks', name)
     end
   end
 end

data/lib/acmesmith/version.rb

@@ -1,3 +1,3 @@
 module Acmesmith
-  VERSION = "0.11.1"
+  VERSION = "2.0.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: acmesmith
 version: !ruby/object:Gem::Version
-  version: 0.11.1
+  version: 2.0.0
 platform: ruby
 authors:
 - sorah (Shota Fukumori)
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-15 00:00:00.000000000 Z
+date: 2018-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-acm
   requirement: !ruby/object:Gem::Requirement
@@ -138,6 +138,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -148,10 +149,10 @@ files:
 - docs/vendor/aws.md
 - lib/acmesmith.rb
 - lib/acmesmith/account_key.rb
-- lib/acmesmith/acme_client.rb
 - lib/acmesmith/certificate.rb
 - lib/acmesmith/challenge_responders.rb
 - lib/acmesmith/challenge_responders/base.rb
+- lib/acmesmith/challenge_responders/manual_dns.rb
 - lib/acmesmith/challenge_responders/route53.rb
 - lib/acmesmith/client.rb
 - lib/acmesmith/command.rb
@@ -191,7 +192,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: ACME client (Let's encrypt client) to manage certificate in multi server

data/lib/acmesmith/acme_client.rb

@@ -1,64 +0,0 @@
-require 'acme-client'
-
-module Acmesmith
-  class AcmeClient
-    # @param account_key [Acmesmith::AccountKey]
-    # @param endpoint [String]
-    def initialize(account_key, endpoint)
-      @acme = Acme::Client.new(private_key: account_key.private_key, endpoint: endpoint)
-    end
-
-    # @param contact [String]
-    def register(contact)
-      retry_once_on_bad_nonce do
-        @acme.register(contact: contact)
-      end
-    end
-
-    # @param domain [String]
-    def authorize(domain)
-      retry_once_on_bad_nonce do
-        @acme.authorize(domain: domain)
-      end
-    end
-
-    # @param csr [Acme::Client::CertificateRequest]
-    def new_certificate(csr)
-      retry_once_on_bad_nonce do
-        @acme.new_certificate(csr)
-      end
-    end
-
-    # @param challenge [Acme::Client::Resources::Challenges::Base]
-    def request_verification(challenge)
-      retry_once_on_bad_nonce do
-        challenge.request_verification
-      end
-    end
-
-    # @param challenge [Acme::Client::Resources::Challenges::Base]
-    def verify_status(challenge)
-      retry_once_on_bad_nonce do
-        challenge.verify_status
-      end
-    end
-
-    private
-
-    def retry_once_on_bad_nonce(&block)
-      retried = false
-      begin
-        block.call
-      rescue Acme::Client::Error::BadNonce => e
-        # Let's Encrypt returns badNonce error when the client sends too-old
-        # nonce. So retry the request once.
-        if retried
-          raise e
-        else
-          retried = true
-          retry
-        end
-      end
-    end
-  end
-end