acmesmith 2.3.1 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4c2ccb5560fae2d63385e8460268f5c1fa4ca9e7fa96abb34874fbc2225c4f85
-  data.tar.gz: 58f74cdbdbb476db11fe8bdde5f6cd8b60e6f05845c47f6293147fb644e29b3c
+  metadata.gz: 18161ba6306c7d98accbbdfdec37599c67c8ba6e3d84a75e2ce52dc7cf2561b6
+  data.tar.gz: 4fdb29425b0e3a9c998bd86ad755c46dd01244936d718531309ebac17d57e4bb
 SHA512:
-  metadata.gz: 49099fbee8ea178501cd45fd468c5554c3dfc938ff9d86ff1a5dcbbe3e8385444486ca46bffdadea7f1f70f89e7d5df69ef4191bbd6f6de4de2c94d9ec73c8cf
-  data.tar.gz: f841483c5c224e73a6e6b95ca7317dc481642b7786899ad15c31c2c97dfae649fc1cf0133ea7ac3afe8b002d10230c73235c77d90eca85c2103789fc5aed3e7d
+  metadata.gz: 292b84e68ccaa7e7e3f946cdd7e3caaf281155085cd1813e2e4903f8a9737c67b35e8dd8b46ba95fa023865b6e329cd3be923da54a48f6220148d0cfa086e719
+  data.tar.gz: 8c25c548b5c4dcc11afe50279773f9991f22f750b2ea23fbe7be5f38f8e7ece8d04dec7c2705d11c7ecaebdad7669c77fe1af9178f4bfda2d55f8ca4197167c6

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+ko_fi: sorah
+github: [sorah]

data/.github/stale.yml

@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 30
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: rotten
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

data/.github/workflows/build.yml

@@ -18,9 +18,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['2.6', '2.7']
+        ruby-version: ['2.7', '3.0', '3.1']
     container:
-      image: sorah/ruby:${{ matrix.ruby-version }}-dev
+      image: public.ecr.aws/sorah/ruby:${{ matrix.ruby-version }}-dev
     steps:
 
       - name: Cache bundled gems
@@ -40,7 +40,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['2.6', '2.7']
+        ruby-version: ['2.7', '3.0', '3.1']
 
         # FIXME: once GitHub Actions gains support of adding command line arguments to container
       #    services:
@@ -72,7 +72,7 @@ jobs:
 
       - run: 'docker run -d --net=host --rm letsencrypt/pebble pebble -config /test/config/pebble-config.json -strict -dnsserver 127.0.0.1:8053'
       - run: 'docker run -d --net=host --rm letsencrypt/pebble-challtestsrv pebble-challtestsrv -management :8055 -defaultIPv4 127.0.0.1'
-      - run: 'docker run --net=host -e CI --rm -v $(pwd):/work -v $(realpath ~/bundle):/bundle sorah/ruby:${{ matrix.ruby-version  }}-dev sh -c "cd /work && bundle install --path /bundle && bundle exec rspec -fd -t integration_pebble"'
+      - run: 'docker run --net=host -e CI --rm -v $(pwd):/work -v $(realpath ~/bundle):/bundle public.ecr.aws/sorah/ruby:${{ matrix.ruby-version  }}-dev sh -c "cd /work && bundle install --path /bundle && bundle exec rspec -fd -t integration_pebble"'
 
   docker-build:
     name: docker-build

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+## v2.5.0 (2020-10-09)
+
+### Enhancement
+
+- Gains `chain_preferences` configuration to choose alternate chain. [#47](https://github.com/sorah/acmesmith/pull/47)
+- route53: Gains `substitution_map` to allow delegation of `_acme-challenge` via predefined CNAME record. [#53](https://github.com/sorah/acmesmith/pull/53)
+- s3: Gains `endpoint` option. [#52](https://github.com/sorah/acmesmith/pull/52)
+
+## v2.4.0 (2020-12-03)
+
+### Enhancement
+
+- route53: Gains `restore_to_original_records` option. When enabled, existing record will be restored after authorizing domain names. Useful when other ACME tools or providers using ACME where requires a certain record to remain as long as possible for their renewal process (e.g. Fastly TLS).
+
 ## v2.3.1 (2020-05-12)
 
 ### Fixes

data/Gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    acmesmith (2.3.1)
-      acme-client (~> 2)
+    acmesmith (2.5.0)
+      acme-client (>= 2.0.7, < 3)
       aws-sdk-acm
       aws-sdk-route53
       aws-sdk-s3
@@ -11,53 +11,59 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    acme-client (2.0.6)
-      faraday (>= 0.17, < 2.0.0)
-    aws-eventstream (1.1.0)
-    aws-partitions (1.312.0)
-    aws-sdk-acm (1.30.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    acme-client (2.0.11)
+      faraday (>= 1.0, < 3.0.0)
+      faraday-retry (~> 1.0)
+    aws-eventstream (1.2.0)
+    aws-partitions (1.644.0)
+    aws-sdk-acm (1.52.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.95.0)
+    aws-sdk-core (3.159.0)
       aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.239.0)
+      aws-partitions (~> 1, >= 1.525.0)
       aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
-    aws-sdk-kms (1.31.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+      jmespath (~> 1, >= 1.6.1)
+    aws-sdk-kms (1.58.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-route53 (1.34.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-route53 (1.65.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.64.0)
-      aws-sdk-core (~> 3, >= 3.83.0)
+    aws-sdk-s3 (1.114.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.3)
-      aws-eventstream (~> 1.0, >= 1.0.2)
-    diff-lcs (1.3)
-    faraday (1.0.1)
-      multipart-post (>= 1.2, < 3)
-    jmespath (1.4.0)
-    mini_portile2 (2.4.0)
-    multipart-post (2.1.1)
-    nokogiri (1.10.9)
-      mini_portile2 (~> 2.4.0)
-    rake (13.0.1)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.2)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.2)
+      aws-sigv4 (~> 1.4)
+    aws-sigv4 (1.5.2)
+      aws-eventstream (~> 1, >= 1.0.2)
+    diff-lcs (1.4.4)
+    faraday (2.6.0)
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (3.0.1)
+    faraday-retry (1.0.3)
+    jmespath (1.6.1)
+    mini_portile2 (2.8.0)
+    nokogiri (1.13.3)
+      mini_portile2 (~> 2.8.0)
+      racc (~> 1.4)
+    racc (1.6.0)
+    rake (13.0.6)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.3)
-    thor (1.0.1)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.2)
+    ruby2_keywords (0.0.5)
+    thor (1.2.1)
 
 PLATFORMS
   ruby

data/README.md

@@ -1,6 +1,7 @@
 # Acmesmith: A simple, effective ACME v2 client to use with many servers and a cloud
 
-![ci](https://github.com/sorah/acmesmith/workflows/ci/badge.svg?event=push)
+![ci](https://github.com/sorah/acmesmith/workflows/ci/badge.svg?event=push)  <a href='https://ko-fi.com/J3J8CKMUU' target='_blank'><img height='36' style='border:0px;height:36px;' src='https://cdn.ko-fi.com/cdn/kofi3.png?v=3' border='0' alt='Buy Me a Coffee at ko-fi.com' /></a>
+
 
 Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://github.com/ietf-wg-acme/acme) client that works perfect on environment with multiple servers. This client saves certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy issued certificates onto your servers smoothly. This works well on [Let's encrypt](https://letsencrypt.org).
 
@@ -151,6 +152,30 @@ are configurable per certificate's common-name.
 - Shell script: [shell](./docs/post_issuing_hooks/shell.md)
 - Amazon Certificate Manager (ACM): [acm](./docs/post_issuing_hooks/acm.md)
 
+### Chain preference
+
+If you want to prefer an alternative chain given by CA ([RFC8555 Section 7.4.2.](https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2)), use the following configuration. Preference may be delcared with common name.
+
+When chain preferences are configured for the common name of an ordered certificate, Acmesmith will retrieve all available alternative chains and evaluate rules in an configured order. The first chain matched to a rule will be used and saved to a storage.
+
+During rule evaluation, a root issuer name and key id are taken from the last available intermediate (Issuer and AKI) provided in a chain, when a chain doesn't have a root certificate (trust anchor).
+
+```yaml
+chain_preferences:
+  - root_issuer_name: "ISRG Root X1"
+    ### Optionally, you may specify CA SKI/AKI:
+    # root_issuer_key_id: "79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e"
+
+    ### Filter by common name (optional)
+    filter:
+      exact:
+        - my-app.example.com
+      suffix:
+        - .example.org
+      regexp:
+        - '\Aapp\d+.example.org\z'
+```
+
 ## Vendor dependent notes
 
 - [./docs/vendor/aws.md](./docs/vendor/aws.md): IAM and KMS key policies, and some tips

data/acmesmith.gemspec

@@ -21,7 +21,7 @@ Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://gi
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "acme-client", '~> 2'
+  spec.add_dependency "acme-client", '>= 2.0.7', '< 3'
   spec.add_dependency "aws-sdk-acm"
   spec.add_dependency "aws-sdk-route53"
   spec.add_dependency "aws-sdk-s3"

data/docs/challenge_responders/route53.md

@@ -21,6 +21,19 @@ challenge_responders:
       ##  Required when you have multiple hosted zones for the same domain name.
       hosted_zone_map: 
         "example.org.": "/hostedzone/DEADBEEF"
+
+      # Restore to original records on cleanup (after domain authorization). Default to false.
+      # Useful when you need to keep existing record as long as possible.
+      restore_to_original_records: false
+
+      ### Substitution record names map (optional)
+      ## This specifies alias for specific _acme-challenge record. For instance the following example
+      ## updates _acme-challenge.test-example-com.example.org instead of _acme-challenge.test.example.com.
+      ##
+      ## This eases using the route53 responder for domains not managed in route53, by registering CNAME record to
+      ## the alias record name on the original record name in advance. This is called delegation.
+      substitution_map:
+        "test.example.com.": "test-example-com.example.org."
 ```
 
 ## IAM Policy

data/docs/vendor/aws.md

@@ -20,12 +20,18 @@
       "Effect": "Allow",
       "Action": "route53:ChangeResourceRecordSets",
       "Resource": ["arn:aws:route53:::hostedzone/*"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": "route53:ListResourceRecordSets",
+      "Resource": ["arn:aws:route53:::hostedzone/*"]
     }
   ]
 }
 ```
 
-Note: You can limit allowed hosted zone by modifying `Resource` of `route53:ChangeResourceRecordSets`
+- You can limit allowed hosted zone by `Resource` of `route53:ChangeResourceRecordSets` grant
+- `route53:ListResourceRecordSets` will be only required when `restore_to_original_records` is set
 
 ##### Only fetching certificates
 

data/lib/acmesmith/authorization_service.rb

@@ -69,9 +69,30 @@ module Acmesmith
       puts "=> Requesting validations..."
       puts
       processes.each do |process|
-        print " * #{process.domain} (#{process.challenge.challenge_type}) ..."
-        process.challenge.request_validation()
-        puts " [ ok ]"
+        challenge = process.challenge
+        print " * #{process.domain} (#{challenge.challenge_type}) ..."
+        retried = false
+        begin
+          challenge.request_validation()
+          puts " [ ok ]"
+        rescue Acme::Client::Error::Malformed
+          # Rescue in case of requesting validation for a challenge which has already determined valid (asynchronously while we're receiving it).
+          # LE Boulder doesn't take this as an error, but pebble do.
+          # https://github.com/letsencrypt/boulder/blob/ebba443cad233111ee2b769ef09b32a13c3ba57e/wfe2/wfe.go#L1235
+          # https://github.com/letsencrypt/pebble/blob/b60b0b677c280ccbf63de55a26775591935c448b/wfe/wfe.go#L2166
+          challenge.reload
+          if process.valid?
+            puts " [ ok ] (turned valid in background)"
+            next
+          end
+
+          if retried
+            raise
+          else
+            retried = true
+            retry
+          end
+        end
       end
       puts
 

data/lib/acmesmith/certificate_retrieving_service.rb

@@ -0,0 +1,126 @@
+require 'acmesmith/certificate'
+
+module Acmesmith
+  class CertificateRetrievingService
+    # @param acme [Acme::Client]
+    # @param common_name [String]
+    # @param url [String] ACME Certificate URL
+    # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>]
+    def initialize(acme, common_name, url, chain_preferences: [])
+      @acme = acme
+      @url = url
+      @chain_preferences = chain_preferences.select { |_| _.filter.match?(common_name) }
+    end
+
+    attr_reader :acme
+    attr_reader :url
+    attr_reader :chain_preferences
+
+    def pem_chain
+      response = download(url, format: :pem)
+      pem = response.body
+
+      return pem if chain_preferences.empty?
+
+      puts " * Retrieving all chains..."
+      alternative_urls = Array(response.headers.dig('link', 'alternate'))
+      alternative_chains = alternative_urls.map { |_| CertificateChain.new(download(_, format: :pem).body) }
+
+      chains = [CertificateChain.new(pem), *alternative_chains]
+
+      chains.each_with_index do |chain, i|
+        puts "   #{i.succ}. #{chain.to_s}"
+      end
+      puts
+
+      chain_preferences.each do |rule|
+        chains.each_with_index do |chain, i|
+          if chain.match?(name: rule.root_issuer_name, key_id: rule.root_issuer_key_id)
+            puts " * Chain chosen: ##{i.succ}"
+            return chain.pem_chain
+          end
+        end
+      end
+
+      warn " ! Preferred chain is not available, chain chosen: #1"
+      chains.first.pem_chain
+    end
+
+    class CertificateChain
+      def initialize(pem_chain)
+        @pem_chain = pem_chain
+        @pems = Certificate.split_pems(pem_chain)
+        @certificates = @pems.map { |_| OpenSSL::X509::Certificate.new(_) }
+      end
+
+      attr_reader :pem_chain
+      attr_reader :certificates
+
+      def to_s
+        certificates[1..-1].map do |c|
+          "s:#{c.subject},i:#{c.issuer}"
+        end.join(" | ")
+      end
+
+      def match?(name: nil, key_id: nil)
+        has_root = top.issuer == top.subject
+
+        if name
+          return false unless name == (has_root ? top.subject : top.issuer).to_a.assoc('CN')[1]
+        end
+
+        if key_id
+          top_key_id = if has_root
+            value_der(top.extensions.find { |e| e.oid == 'subjectKeyIdentifier' })&.slice(2..-1)
+          else
+            value_der(top.extensions.find { |e| e.oid == 'authorityKeyIdentifier' })&.slice(4,20)
+          end&.unpack1('H*')&.downcase
+          return false unless key_id.downcase.gsub(/:/,'') == top_key_id
+        end
+
+        true
+      end
+
+      def top
+        @top ||= find_top()
+      end
+
+      private def find_top
+        c = certificates.first
+        while c
+          up = find_issuer(c)
+          return c unless up
+          c = up
+        end
+      end
+
+      private def find_issuer(cert)
+        return nil if cert.issuer == cert.subject
+
+        # https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1
+        # sequence(\x30\x16) context-specific(\x80\x14) + keyid
+        aki = value_der(cert.extensions.find { |e| e.oid == 'authorityKeyIdentifier' })
+
+        # compare using SKI as a AKI DER. this doesn't support AKI using other than keyid but it should be okay
+        certificates.find do |c|
+          ski_der = value_der(c.extensions.find { |e| e.oid == 'subjectKeyIdentifier' })
+          next unless ski_der
+          hdr = "\x30\x16\x80\x14".b
+          keyid = ski_der[2..-1]
+
+          "#{hdr}#{keyid}" == aki && cert.issuer == c.subject
+        end
+      end
+
+      private def value_der(ext)
+        return nil unless ext
+        ext.respond_to?(:value_der) ? ext.value_der : ext.to_der[9..-1]
+      end
+    end
+
+    private def download(url, format:)
+      # XXX: Use of private API https://github.com/unixcharles/acme-client/blob/5990b3105569a9d791ea011e0c5e57506eb54353/lib/acme/client.rb#L311
+      acme.__send__(:download, url, format: format)
+    end
+  end
+end

data/lib/acmesmith/challenge_responder_filter.rb

@@ -1,23 +1,18 @@
+require 'acmesmith/domain_name_filter'
+
 module Acmesmith
   class ChallengeResponderFilter
     def initialize(responder, subject_name_exact: nil, subject_name_suffix: nil, subject_name_regexp: nil)
       @responder = responder
-      @subject_name_exact = subject_name_exact && [*subject_name_exact].flatten.compact
-      @subject_name_suffix = subject_name_suffix && [*subject_name_suffix].flatten.compact
-      @subject_name_regexp = subject_name_regexp && [*subject_name_regexp].flatten.compact.map{ |_| Regexp.new(_) }
+      @domain_name_filter = DomainNameFilter.new(
+        exact: subject_name_exact,
+        suffix: subject_name_suffix,
+        regexp: subject_name_regexp,
+      )
     end
 
     def applicable?(domain)
-      if @subject_name_exact
-        return false unless @subject_name_exact.include?(domain)
-      end
-      if @subject_name_suffix
-        return false unless @subject_name_suffix.any? { |suffix| domain.end_with?(suffix) }
-      end
-      if @subject_name_regexp
-        return false unless @subject_name_regexp.any? { |regexp| domain.match?(regexp) } 
-      end
-      @responder.applicable?(domain)
+      @domain_name_filter.match?(domain) && @responder.applicable?(domain)
     end
   end
 end

data/lib/acmesmith/challenge_responders/route53.rb

@@ -17,7 +17,7 @@ module Acmesmith
         true
       end
 
-      def initialize(aws_access_key: nil, assume_role: nil, hosted_zone_map: {})
+      def initialize(aws_access_key: nil, assume_role: nil, hosted_zone_map: {}, restore_to_original_records: false, substitution_map: {})
         aws_options = {region: 'us-east-1'}.tap do |opt| 
           opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
         end
@@ -34,13 +34,29 @@ module Acmesmith
 
         @hosted_zone_map = hosted_zone_map
         @hosted_zone_cache = {}
+
+        @restore_to_original_records = restore_to_original_records
+        @original_records = {}
+
+        @substitution_map = substitution_map.map { |k,v| [canonical_fqdn(k), v] }.to_h
       end
 
       def respond_all(*domain_and_challenges)
+        domain_and_challenges = apply_substitution_for_domain_and_challenges(domain_and_challenges)
+
+        save_original_records(*domain_and_challenges) if @restore_to_original_records
+
         challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
 
         zone_and_batches = challenges_by_hosted_zone.map do |zone_id, dcs|
-          [zone_id, change_batch_for_challenges(dcs, action: 'UPSERT')]
+          [
+            zone_id,
+            change_batch_for_challenges(
+              dcs,
+              action: 'UPSERT',
+              pre_changes: changes_to_delete_original_cname(zone_id, *dcs),
+            ),
+          ]
         end
 
         change_ids = request_changing_rrset(zone_and_batches, comment: 'for challenge response')
@@ -48,10 +64,20 @@ module Acmesmith
       end
 
       def cleanup_all(*domain_and_challenges)
+        domain_and_challenges = apply_substitution_for_domain_and_challenges(domain_and_challenges)
+
         challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
 
         zone_and_batches = challenges_by_hosted_zone.map do |zone_id, dcs|
-          [zone_id, change_batch_for_challenges(dcs, action: 'DELETE', comment: '(cleanup)')]
+          [
+            zone_id,
+            change_batch_for_challenges(
+              dcs,
+              action: 'DELETE',
+              comment: '(cleanup)',
+              post_changes: changes_to_restore_original_records(zone_id, *dcs),
+            ),
+          ]
         end
 
         request_changing_rrset(zone_and_batches, comment: 'to remove challenge responses')
@@ -59,6 +85,69 @@ module Acmesmith
 
       private
 
+      def save_original_records(*domain_and_challenges)
+        domain_and_challenges.each do |domain, challenge|
+
+          hosted_zone_id = find_hosted_zone(domain)
+          name = "#{challenge.record_name}.#{domain}."
+
+          rrsets = list_existing_rrsets(hosted_zone_id, name)
+          next if rrsets.empty?
+
+          @original_records[hosted_zone_id] ||= {}
+          @original_records[hosted_zone_id][name] = rrsets
+          puts "   * original_record: #{domain}(#{hosted_zone_id}): #{rrsets.inspect}"
+
+        end
+      end
+
+      def changes_to_delete_original_cname(zone_id, *domain_and_challenges)
+        @original_records[zone_id] ||= {}
+        domain_and_challenges.map do |domain, challenge|
+          name = "#{challenge.record_name}.#{domain}."
+          original_records = @original_records[zone_id][name]
+          next unless original_records
+          original_cname = original_records.find{ |_| _.type == 'CNAME' }
+          next unless original_cname
+
+          # FIXME: support set_identifier?
+          {
+            action: 'DELETE',
+            resource_record_set: {
+              name: original_cname.name,
+              ttl: original_cname.ttl,
+              type: original_cname.type,
+              resource_records: original_cname.resource_records.map(&:to_h),
+              alias_target: original_cname.alias_target&.to_h,
+            },
+          }
+        end.compact
+      end
+
+      def changes_to_restore_original_records(zone_id, *domain_and_challenges)
+        @original_records[zone_id] ||= {}
+        domain_and_challenges.flat_map do |domain, challenge|
+          name = "#{challenge.record_name}.#{domain}."
+          original_records = @original_records[zone_id][name]
+          next unless original_records
+
+          # FIXME: support set_identifier?
+          original_records.map do |original_record|
+            next if original_record.type != challenge.record_type && original_record.type != 'CNAME'
+            {
+              action: 'CREATE',
+              resource_record_set: {
+                name: original_record.name,
+                ttl: original_record.ttl,
+                type: original_record.type,
+                resource_records: original_record.resource_records.map(&:to_h),
+                alias_target: original_record.alias_target&.to_h,
+              },
+            }
+          end
+        end.compact
+      end
+
       def request_changing_rrset(zone_and_batches, comment: nil)
         puts "=> Requesting RRSet change #{comment}"
         puts
@@ -107,10 +196,9 @@ module Acmesmith
           end
         end
         puts
-
       end
 
-      def change_batch_for_challenges(domain_and_challenges, comment: nil, action: 'UPSERT')
+      def change_batch_for_challenges(domain_and_challenges, comment: nil, action: 'UPSERT', pre_changes: [], post_changes: [])
         changes = domain_and_challenges
           .map do |d, c|
             rrset_for_challenge(d, c)
@@ -133,7 +221,7 @@ module Acmesmith
 
         {
           comment: "ACME challenge response #{comment}",
-          changes: changes,
+          changes: pre_changes + changes + post_changes,
         }
       end
 
@@ -181,6 +269,44 @@ module Acmesmith
           end.group_by(&:first).map { |domain, kvs| [domain, kvs.map(&:last)] }.to_h.merge(hosted_zone_map)
         end
       end
+
+      def apply_substitution_for_domain_and_challenges(domain_and_challenges)
+        domain_and_challenges.map { |(domain, challenge)| [@substitution_map.fetch(canonical_fqdn(domain), domain), challenge] }
+      end
+
+      def list_existing_rrsets(hosted_zone_id, name)
+        rrsets = []
+        start_record_name = name
+        start_record_type = nil
+        start_record_identifier = nil
+
+        while start_record_name == name
+          begin
+            tries = 0
+            page = @route53.list_resource_record_sets(
+              hosted_zone_id: hosted_zone_id,
+              start_record_name: start_record_name,
+              start_record_type: start_record_type,
+              start_record_identifier: start_record_identifier,
+              max_items: 10,
+            )
+            page.resource_record_sets.each do |rrset|
+              rrsets << rrset if rrset.name == name
+            end
+
+            start_record_name = page.next_record_name
+            start_record_type = page.next_record_type
+            start_record_identifier = page.next_record_identifier
+          rescue Aws::Route53::Errors::Throttling => e
+            interval = (2**tries) * 0.1
+            $stderr.puts "   ! #{e.class}: Sleeping #{interval} seconds (#{e.message})"
+            sleep interval
+            tries += 1
+            retry
+          end
+        end
+        rrsets
+      end
     end
   end
 end

data/lib/acmesmith/client.rb

@@ -26,6 +26,7 @@ module Acmesmith
         acme: acme,
         identifiers: identifiers,
         challenge_responder_rules: config.challenge_responders,
+        chain_preferences: config.chain_preferences,
         not_before: not_before,
         not_after: not_after
       )

data/lib/acmesmith/config.rb

@@ -2,11 +2,13 @@ require 'yaml'
 require 'acmesmith/storages'
 require 'acmesmith/challenge_responders'
 require 'acmesmith/challenge_responder_filter'
+require 'acmesmith/domain_name_filter'
 require 'acmesmith/post_issuing_hooks'
 
 module Acmesmith
   class Config
     ChallengeResponderRule = Struct.new(:challenge_responder, :filter, keyword_init: true)
+    ChainPreference = Struct.new(:root_issuer_name, :root_issuer_key_id, :filter, keyword_init: true)
 
     def self.load_yaml(path)
       new YAML.load_file(path)
@@ -29,6 +31,10 @@ module Acmesmith
       unless @config['directory']
         raise ArgumentError, "config['directory'] must be provided, e.g. https://acme-v02.api.letsencrypt.org/directory or https://acme-staging-v02.api.letsencrypt.org/directory"
       end
+
+      if @config.key?('chain_preferences') && !@config.fetch('chain_preferences').kind_of?(Array)
+        raise ArgumentError, "config['chain_preferences'] must be an Array"
+      end
     end
 
     def [](key)
@@ -104,6 +110,20 @@ module Acmesmith
       end
     end
 
+    def chain_preferences
+      @preferred_chains ||= begin
+        specs = @config['chain_preferences'] || []
+        specs.flat_map do |spec|
+          filter = spec.fetch('filter', {}).map { |k,v| [k.to_sym, v] }.to_h
+          ChainPreference.new(
+            root_issuer_name: spec['root_issuer_name'],
+            root_issuer_key_id: spec['root_issuer_key_id'],
+            filter: DomainNameFilter.new(**filter),
+          )
+        end
+      end
+    end
+
     # def post_actions
     # end
   end

data/lib/acmesmith/domain_name_filter.rb

@@ -0,0 +1,22 @@
+module Acmesmith
+  class DomainNameFilter
+    def initialize(exact: nil, suffix: nil, regexp: nil)
+      @exact = exact && [*exact].flatten.compact
+      @suffix = suffix && [*suffix].flatten.compact
+      @regexp = regexp && [*regexp].flatten.compact.map{ |_| Regexp.new(_) }
+    end
+
+    def match?(domain)
+      if @exact
+        return false unless @exact.include?(domain)
+      end
+      if @suffix
+        return false unless @suffix.any? { |suffix| domain.end_with?(suffix) }
+      end
+      if @regexp
+        return false unless @regexp.any? { |regexp| domain.match?(regexp) } 
+      end
+      true
+    end
+  end
+end

data/lib/acmesmith/ordering_service.rb

@@ -1,5 +1,6 @@
 require 'acmesmith/authorization_service'
 require 'acmesmith/certificate'
+require 'acmesmith/certificate_retrieving_service'
 
 module Acmesmith
   class OrderingService
@@ -8,17 +9,19 @@ module Acmesmith
     # @param acme [Acme::Client] ACME client
     # @param identifiers [Array<String>] Array of domain names for a ordering certificate. The first item will be a common name.
     # @param challenge_responder_rules [Array<Acmesmith::Config::ChallengeResponderRule>] responders
+    # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>] chain_preferences
     # @param not_before [Time]
     # @param not_after [Time]
-    def initialize(acme:, identifiers:, challenge_responder_rules:, not_before: nil, not_after: nil)
+    def initialize(acme:, identifiers:, challenge_responder_rules:, chain_preferences:, not_before: nil, not_after: nil)
       @acme = acme
       @identifiers = identifiers
       @challenge_responder_rules = challenge_responder_rules
+      @chain_preferences = chain_preferences
       @not_before = not_before
       @not_after = not_after
     end
 
-    attr_reader :acme, :identifiers, :challenge_responder_rules, :not_before, :not_after
+    attr_reader :acme, :identifiers, :challenge_responder_rules, :chain_preferences, :not_before, :not_after
 
     def perform!
       puts "=> Ordering a certificate for the following identifiers:"
@@ -38,7 +41,7 @@ module Acmesmith
       finalize_order()
       wait_order_for_complete()
 
-      @certificate = Certificate.by_issuance(order.certificate, csr)
+      @certificate = Certificate.by_issuance(pem_chain, csr)
 
       puts
       puts "=> Certificate issued"
@@ -77,6 +80,12 @@ module Acmesmith
       end
     end
 
+    # @return String
+    def pem_chain
+      url = order.certificate_url or raise NotCompleted, "not completed yet"
+      CertificateRetrievingService.new(acme, common_name, url, chain_preferences: chain_preferences).pem_chain
+    end
+
     def certificate
       @certificate or raise NotCompleted, "not completed yet"
     end

data/lib/acmesmith/storages/s3.rb

@@ -7,7 +7,7 @@ require 'acmesmith/certificate'
 module Acmesmith
   module Storages
     class S3 < Base
-      def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil, pkcs12_passphrase: nil, pkcs12_common_names: nil)
+      def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil, pkcs12_passphrase: nil, pkcs12_common_names: nil, endpoint: nil)
         @region = region
         @bucket = bucket
         @prefix = prefix
@@ -25,6 +25,7 @@ module Acmesmith
 
         @s3 = Aws::S3::Client.new({region: region}.tap do |opt| 
           opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
+          opt[:endpoint] = endpoint if endpoint
         end)
       end
 

data/lib/acmesmith/version.rb

@@ -1,3 +1,3 @@
 module Acmesmith
-  VERSION = "2.3.1"
+  VERSION = "2.5.0"
 end

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: acmesmith
 version: !ruby/object:Gem::Version
-  version: 2.3.1
+  version: 2.5.0
 platform: ruby
 authors:
 - Sorah Fukumori
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-12 00:00:00.000000000 Z
+date: 2022-10-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.7
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.7
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-acm
   requirement: !ruby/object:Gem::Requirement
@@ -136,6 +142,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".dockerignore"
+- ".github/FUNDING.yml"
+- ".github/stale.yml"
 - ".github/workflows/build.yml"
 - ".gitignore"
 - ".rspec"
@@ -161,6 +169,7 @@ files:
 - lib/acmesmith/account_key.rb
 - lib/acmesmith/authorization_service.rb
 - lib/acmesmith/certificate.rb
+- lib/acmesmith/certificate_retrieving_service.rb
 - lib/acmesmith/challenge_responder_filter.rb
 - lib/acmesmith/challenge_responders.rb
 - lib/acmesmith/challenge_responders/base.rb
@@ -170,6 +179,7 @@ files:
 - lib/acmesmith/client.rb
 - lib/acmesmith/command.rb
 - lib/acmesmith/config.rb
+- lib/acmesmith/domain_name_filter.rb
 - lib/acmesmith/ordering_service.rb
 - lib/acmesmith/post_issueing_hooks.rb
 - lib/acmesmith/post_issueing_hooks/base.rb
@@ -190,7 +200,7 @@ homepage: https://github.com/sorah/acmesmith
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -205,8 +215,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.4.0.dev
+signing_key:
 specification_version: 4
 summary: ACME client (Let's encrypt client) to manage certificate in multi server
   environment with cloud services (e.g. AWS)