acmesmith 2.4.0 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4089bdb36940e87e2f996a6c820a2f06505024f6ae9721c3da332999c2145998
-  data.tar.gz: 1abf984f4f5d82a0d266bb5aee3905708ba1392238439663af0bc8ac9aa700b0
+  metadata.gz: 18161ba6306c7d98accbbdfdec37599c67c8ba6e3d84a75e2ce52dc7cf2561b6
+  data.tar.gz: 4fdb29425b0e3a9c998bd86ad755c46dd01244936d718531309ebac17d57e4bb
 SHA512:
-  metadata.gz: d1147c0742b2bd14205b89ca76f4b011453d2eeadf0df2aaad094b7e3c32907de322aed48c0d4fce40a4120ddd782c5c67e6da1504644fce3db679b4452ef774
-  data.tar.gz: e8bc441a9cb9fff624f338fb33946bab80bf742848e695130b17bd807ba8da98d79e5999459ce824cf6ebcdac6206f156026a17adc754aa6bde8356cc3a915f1
+  metadata.gz: 292b84e68ccaa7e7e3f946cdd7e3caaf281155085cd1813e2e4903f8a9737c67b35e8dd8b46ba95fa023865b6e329cd3be923da54a48f6220148d0cfa086e719
+  data.tar.gz: 8c25c548b5c4dcc11afe50279773f9991f22f750b2ea23fbe7be5f38f8e7ece8d04dec7c2705d11c7ecaebdad7669c77fe1af9178f4bfda2d55f8ca4197167c6

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+ko_fi: sorah
+github: [sorah]

data/.github/workflows/build.yml

@@ -18,9 +18,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['2.6', '2.7']
+        ruby-version: ['2.7', '3.0', '3.1']
     container:
-      image: sorah/ruby:${{ matrix.ruby-version }}-dev
+      image: public.ecr.aws/sorah/ruby:${{ matrix.ruby-version }}-dev
     steps:
 
       - name: Cache bundled gems
@@ -40,7 +40,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['2.6', '2.7']
+        ruby-version: ['2.7', '3.0', '3.1']
 
         # FIXME: once GitHub Actions gains support of adding command line arguments to container
       #    services:
@@ -72,7 +72,7 @@ jobs:
 
       - run: 'docker run -d --net=host --rm letsencrypt/pebble pebble -config /test/config/pebble-config.json -strict -dnsserver 127.0.0.1:8053'
       - run: 'docker run -d --net=host --rm letsencrypt/pebble-challtestsrv pebble-challtestsrv -management :8055 -defaultIPv4 127.0.0.1'
-      - run: 'docker run --net=host -e CI --rm -v $(pwd):/work -v $(realpath ~/bundle):/bundle sorah/ruby:${{ matrix.ruby-version  }}-dev sh -c "cd /work && bundle install --path /bundle && bundle exec rspec -fd -t integration_pebble"'
+      - run: 'docker run --net=host -e CI --rm -v $(pwd):/work -v $(realpath ~/bundle):/bundle public.ecr.aws/sorah/ruby:${{ matrix.ruby-version  }}-dev sh -c "cd /work && bundle install --path /bundle && bundle exec rspec -fd -t integration_pebble"'
 
   docker-build:
     name: docker-build

data/CHANGELOG.md

@@ -1,4 +1,12 @@
-## v2.4.0 (2020-05-12)
+## v2.5.0 (2020-10-09)
+
+### Enhancement
+
+- Gains `chain_preferences` configuration to choose alternate chain. [#47](https://github.com/sorah/acmesmith/pull/47)
+- route53: Gains `substitution_map` to allow delegation of `_acme-challenge` via predefined CNAME record. [#53](https://github.com/sorah/acmesmith/pull/53)
+- s3: Gains `endpoint` option. [#52](https://github.com/sorah/acmesmith/pull/52)
+
+## v2.4.0 (2020-12-03)
 
 ### Enhancement
 

data/Gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    acmesmith (2.4.0)
-      acme-client (~> 2)
+    acmesmith (2.5.0)
+      acme-client (>= 2.0.7, < 3)
       aws-sdk-acm
       aws-sdk-route53
       aws-sdk-s3
@@ -11,55 +11,59 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    acme-client (2.0.7)
-      faraday (>= 0.17, < 2.0.0)
-    aws-eventstream (1.1.0)
-    aws-partitions (1.402.0)
-    aws-sdk-acm (1.38.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    acme-client (2.0.11)
+      faraday (>= 1.0, < 3.0.0)
+      faraday-retry (~> 1.0)
+    aws-eventstream (1.2.0)
+    aws-partitions (1.644.0)
+    aws-sdk-acm (1.52.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.109.3)
+    aws-sdk-core (3.159.0)
       aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.239.0)
+      aws-partitions (~> 1, >= 1.525.0)
       aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
-    aws-sdk-kms (1.39.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+      jmespath (~> 1, >= 1.6.1)
+    aws-sdk-kms (1.58.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-route53 (1.44.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-route53 (1.65.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.86.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-s3 (1.114.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.2)
+      aws-sigv4 (~> 1.4)
+    aws-sigv4 (1.5.2)
       aws-eventstream (~> 1, >= 1.0.2)
-    diff-lcs (1.3)
-    faraday (1.1.0)
-      multipart-post (>= 1.2, < 3)
-      ruby2_keywords
-    jmespath (1.4.0)
-    mini_portile2 (2.4.0)
-    multipart-post (2.1.1)
-    nokogiri (1.10.9)
-      mini_portile2 (~> 2.4.0)
-    rake (13.0.1)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.2)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.2)
+    diff-lcs (1.4.4)
+    faraday (2.6.0)
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (3.0.1)
+    faraday-retry (1.0.3)
+    jmespath (1.6.1)
+    mini_portile2 (2.8.0)
+    nokogiri (1.13.3)
+      mini_portile2 (~> 2.8.0)
+      racc (~> 1.4)
+    racc (1.6.0)
+    rake (13.0.6)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.3)
-    ruby2_keywords (0.0.2)
-    thor (1.0.1)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.2)
+    ruby2_keywords (0.0.5)
+    thor (1.2.1)
 
 PLATFORMS
   ruby

data/README.md

@@ -1,6 +1,7 @@
 # Acmesmith: A simple, effective ACME v2 client to use with many servers and a cloud
 
-![ci](https://github.com/sorah/acmesmith/workflows/ci/badge.svg?event=push)
+![ci](https://github.com/sorah/acmesmith/workflows/ci/badge.svg?event=push)  <a href='https://ko-fi.com/J3J8CKMUU' target='_blank'><img height='36' style='border:0px;height:36px;' src='https://cdn.ko-fi.com/cdn/kofi3.png?v=3' border='0' alt='Buy Me a Coffee at ko-fi.com' /></a>
+
 
 Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://github.com/ietf-wg-acme/acme) client that works perfect on environment with multiple servers. This client saves certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy issued certificates onto your servers smoothly. This works well on [Let's encrypt](https://letsencrypt.org).
 
@@ -151,6 +152,30 @@ are configurable per certificate's common-name.
 - Shell script: [shell](./docs/post_issuing_hooks/shell.md)
 - Amazon Certificate Manager (ACM): [acm](./docs/post_issuing_hooks/acm.md)
 
+### Chain preference
+
+If you want to prefer an alternative chain given by CA ([RFC8555 Section 7.4.2.](https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2)), use the following configuration. Preference may be delcared with common name.
+
+When chain preferences are configured for the common name of an ordered certificate, Acmesmith will retrieve all available alternative chains and evaluate rules in an configured order. The first chain matched to a rule will be used and saved to a storage.
+
+During rule evaluation, a root issuer name and key id are taken from the last available intermediate (Issuer and AKI) provided in a chain, when a chain doesn't have a root certificate (trust anchor).
+
+```yaml
+chain_preferences:
+  - root_issuer_name: "ISRG Root X1"
+    ### Optionally, you may specify CA SKI/AKI:
+    # root_issuer_key_id: "79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e"
+
+    ### Filter by common name (optional)
+    filter:
+      exact:
+        - my-app.example.com
+      suffix:
+        - .example.org
+      regexp:
+        - '\Aapp\d+.example.org\z'
+```
+
 ## Vendor dependent notes
 
 - [./docs/vendor/aws.md](./docs/vendor/aws.md): IAM and KMS key policies, and some tips

data/acmesmith.gemspec

@@ -21,7 +21,7 @@ Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://gi
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "acme-client", '~> 2'
+  spec.add_dependency "acme-client", '>= 2.0.7', '< 3'
   spec.add_dependency "aws-sdk-acm"
   spec.add_dependency "aws-sdk-route53"
   spec.add_dependency "aws-sdk-s3"

data/docs/challenge_responders/route53.md

@@ -24,7 +24,16 @@ challenge_responders:
 
       # Restore to original records on cleanup (after domain authorization). Default to false.
       # Useful when you need to keep existing record as long as possible.
-      restore_to_original_records: true
+      restore_to_original_records: false
+
+      ### Substitution record names map (optional)
+      ## This specifies alias for specific _acme-challenge record. For instance the following example
+      ## updates _acme-challenge.test-example-com.example.org instead of _acme-challenge.test.example.com.
+      ##
+      ## This eases using the route53 responder for domains not managed in route53, by registering CNAME record to
+      ## the alias record name on the original record name in advance. This is called delegation.
+      substitution_map:
+        "test.example.com.": "test-example-com.example.org."
 ```
 
 ## IAM Policy

data/docs/vendor/aws.md

@@ -20,12 +20,18 @@
       "Effect": "Allow",
       "Action": "route53:ChangeResourceRecordSets",
       "Resource": ["arn:aws:route53:::hostedzone/*"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": "route53:ListResourceRecordSets",
+      "Resource": ["arn:aws:route53:::hostedzone/*"]
     }
   ]
 }
 ```
 
-Note: You can limit allowed hosted zone by modifying `Resource` of `route53:ChangeResourceRecordSets`
+- You can limit allowed hosted zone by `Resource` of `route53:ChangeResourceRecordSets` grant
+- `route53:ListResourceRecordSets` will be only required when `restore_to_original_records` is set
 
 ##### Only fetching certificates
 

data/lib/acmesmith/certificate_retrieving_service.rb

@@ -0,0 +1,126 @@
+require 'acmesmith/certificate'
+
+module Acmesmith
+  class CertificateRetrievingService
+    # @param acme [Acme::Client]
+    # @param common_name [String]
+    # @param url [String] ACME Certificate URL
+    # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>]
+    def initialize(acme, common_name, url, chain_preferences: [])
+      @acme = acme
+      @url = url
+      @chain_preferences = chain_preferences.select { |_| _.filter.match?(common_name) }
+    end
+
+    attr_reader :acme
+    attr_reader :url
+    attr_reader :chain_preferences
+
+    def pem_chain
+      response = download(url, format: :pem)
+      pem = response.body
+
+      return pem if chain_preferences.empty?
+
+      puts " * Retrieving all chains..."
+      alternative_urls = Array(response.headers.dig('link', 'alternate'))
+      alternative_chains = alternative_urls.map { |_| CertificateChain.new(download(_, format: :pem).body) }
+
+      chains = [CertificateChain.new(pem), *alternative_chains]
+
+      chains.each_with_index do |chain, i|
+        puts "   #{i.succ}. #{chain.to_s}"
+      end
+      puts
+
+      chain_preferences.each do |rule|
+        chains.each_with_index do |chain, i|
+          if chain.match?(name: rule.root_issuer_name, key_id: rule.root_issuer_key_id)
+            puts " * Chain chosen: ##{i.succ}"
+            return chain.pem_chain
+          end
+        end
+      end
+
+      warn " ! Preferred chain is not available, chain chosen: #1"
+      chains.first.pem_chain
+    end
+
+    class CertificateChain
+      def initialize(pem_chain)
+        @pem_chain = pem_chain
+        @pems = Certificate.split_pems(pem_chain)
+        @certificates = @pems.map { |_| OpenSSL::X509::Certificate.new(_) }
+      end
+
+      attr_reader :pem_chain
+      attr_reader :certificates
+
+      def to_s
+        certificates[1..-1].map do |c|
+          "s:#{c.subject},i:#{c.issuer}"
+        end.join(" | ")
+      end
+
+      def match?(name: nil, key_id: nil)
+        has_root = top.issuer == top.subject
+
+        if name
+          return false unless name == (has_root ? top.subject : top.issuer).to_a.assoc('CN')[1]
+        end
+
+        if key_id
+          top_key_id = if has_root
+            value_der(top.extensions.find { |e| e.oid == 'subjectKeyIdentifier' })&.slice(2..-1)
+          else
+            value_der(top.extensions.find { |e| e.oid == 'authorityKeyIdentifier' })&.slice(4,20)
+          end&.unpack1('H*')&.downcase
+          return false unless key_id.downcase.gsub(/:/,'') == top_key_id
+        end
+
+        true
+      end
+
+      def top
+        @top ||= find_top()
+      end
+
+      private def find_top
+        c = certificates.first
+        while c
+          up = find_issuer(c)
+          return c unless up
+          c = up
+        end
+      end
+
+      private def find_issuer(cert)
+        return nil if cert.issuer == cert.subject
+
+        # https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1
+        # sequence(\x30\x16) context-specific(\x80\x14) + keyid
+        aki = value_der(cert.extensions.find { |e| e.oid == 'authorityKeyIdentifier' })
+
+        # compare using SKI as a AKI DER. this doesn't support AKI using other than keyid but it should be okay
+        certificates.find do |c|
+          ski_der = value_der(c.extensions.find { |e| e.oid == 'subjectKeyIdentifier' })
+          next unless ski_der
+          hdr = "\x30\x16\x80\x14".b
+          keyid = ski_der[2..-1]
+
+          "#{hdr}#{keyid}" == aki && cert.issuer == c.subject
+        end
+      end
+
+      private def value_der(ext)
+        return nil unless ext
+        ext.respond_to?(:value_der) ? ext.value_der : ext.to_der[9..-1]
+      end
+    end
+
+    private def download(url, format:)
+      # XXX: Use of private API https://github.com/unixcharles/acme-client/blob/5990b3105569a9d791ea011e0c5e57506eb54353/lib/acme/client.rb#L311
+      acme.__send__(:download, url, format: format)
+    end
+  end
+end

data/lib/acmesmith/challenge_responder_filter.rb

@@ -1,23 +1,18 @@
+require 'acmesmith/domain_name_filter'
+
 module Acmesmith
   class ChallengeResponderFilter
     def initialize(responder, subject_name_exact: nil, subject_name_suffix: nil, subject_name_regexp: nil)
       @responder = responder
-      @subject_name_exact = subject_name_exact && [*subject_name_exact].flatten.compact
-      @subject_name_suffix = subject_name_suffix && [*subject_name_suffix].flatten.compact
-      @subject_name_regexp = subject_name_regexp && [*subject_name_regexp].flatten.compact.map{ |_| Regexp.new(_) }
+      @domain_name_filter = DomainNameFilter.new(
+        exact: subject_name_exact,
+        suffix: subject_name_suffix,
+        regexp: subject_name_regexp,
+      )
     end
 
     def applicable?(domain)
-      if @subject_name_exact
-        return false unless @subject_name_exact.include?(domain)
-      end
-      if @subject_name_suffix
-        return false unless @subject_name_suffix.any? { |suffix| domain.end_with?(suffix) }
-      end
-      if @subject_name_regexp
-        return false unless @subject_name_regexp.any? { |regexp| domain.match?(regexp) } 
-      end
-      @responder.applicable?(domain)
+      @domain_name_filter.match?(domain) && @responder.applicable?(domain)
     end
   end
 end

data/lib/acmesmith/challenge_responders/route53.rb

@@ -17,7 +17,7 @@ module Acmesmith
         true
       end
 
-      def initialize(aws_access_key: nil, assume_role: nil, hosted_zone_map: {}, restore_to_original_records: false)
+      def initialize(aws_access_key: nil, assume_role: nil, hosted_zone_map: {}, restore_to_original_records: false, substitution_map: {})
         aws_options = {region: 'us-east-1'}.tap do |opt| 
           opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
         end
@@ -37,9 +37,13 @@ module Acmesmith
 
         @restore_to_original_records = restore_to_original_records
         @original_records = {}
+
+        @substitution_map = substitution_map.map { |k,v| [canonical_fqdn(k), v] }.to_h
       end
 
       def respond_all(*domain_and_challenges)
+        domain_and_challenges = apply_substitution_for_domain_and_challenges(domain_and_challenges)
+
         save_original_records(*domain_and_challenges) if @restore_to_original_records
 
         challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
@@ -60,6 +64,8 @@ module Acmesmith
       end
 
       def cleanup_all(*domain_and_challenges)
+        domain_and_challenges = apply_substitution_for_domain_and_challenges(domain_and_challenges)
+
         challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
 
         zone_and_batches = challenges_by_hosted_zone.map do |zone_id, dcs|
@@ -264,6 +270,10 @@ module Acmesmith
         end
       end
 
+      def apply_substitution_for_domain_and_challenges(domain_and_challenges)
+        domain_and_challenges.map { |(domain, challenge)| [@substitution_map.fetch(canonical_fqdn(domain), domain), challenge] }
+      end
+
       def list_existing_rrsets(hosted_zone_id, name)
         rrsets = []
         start_record_name = name

data/lib/acmesmith/client.rb

@@ -26,6 +26,7 @@ module Acmesmith
         acme: acme,
         identifiers: identifiers,
         challenge_responder_rules: config.challenge_responders,
+        chain_preferences: config.chain_preferences,
         not_before: not_before,
         not_after: not_after
       )

data/lib/acmesmith/config.rb

@@ -2,11 +2,13 @@ require 'yaml'
 require 'acmesmith/storages'
 require 'acmesmith/challenge_responders'
 require 'acmesmith/challenge_responder_filter'
+require 'acmesmith/domain_name_filter'
 require 'acmesmith/post_issuing_hooks'
 
 module Acmesmith
   class Config
     ChallengeResponderRule = Struct.new(:challenge_responder, :filter, keyword_init: true)
+    ChainPreference = Struct.new(:root_issuer_name, :root_issuer_key_id, :filter, keyword_init: true)
 
     def self.load_yaml(path)
       new YAML.load_file(path)
@@ -29,6 +31,10 @@ module Acmesmith
       unless @config['directory']
         raise ArgumentError, "config['directory'] must be provided, e.g. https://acme-v02.api.letsencrypt.org/directory or https://acme-staging-v02.api.letsencrypt.org/directory"
       end
+
+      if @config.key?('chain_preferences') && !@config.fetch('chain_preferences').kind_of?(Array)
+        raise ArgumentError, "config['chain_preferences'] must be an Array"
+      end
     end
 
     def [](key)
@@ -104,6 +110,20 @@ module Acmesmith
       end
     end
 
+    def chain_preferences
+      @preferred_chains ||= begin
+        specs = @config['chain_preferences'] || []
+        specs.flat_map do |spec|
+          filter = spec.fetch('filter', {}).map { |k,v| [k.to_sym, v] }.to_h
+          ChainPreference.new(
+            root_issuer_name: spec['root_issuer_name'],
+            root_issuer_key_id: spec['root_issuer_key_id'],
+            filter: DomainNameFilter.new(**filter),
+          )
+        end
+      end
+    end
+
     # def post_actions
     # end
   end

data/lib/acmesmith/domain_name_filter.rb

@@ -0,0 +1,22 @@
+module Acmesmith
+  class DomainNameFilter
+    def initialize(exact: nil, suffix: nil, regexp: nil)
+      @exact = exact && [*exact].flatten.compact
+      @suffix = suffix && [*suffix].flatten.compact
+      @regexp = regexp && [*regexp].flatten.compact.map{ |_| Regexp.new(_) }
+    end
+
+    def match?(domain)
+      if @exact
+        return false unless @exact.include?(domain)
+      end
+      if @suffix
+        return false unless @suffix.any? { |suffix| domain.end_with?(suffix) }
+      end
+      if @regexp
+        return false unless @regexp.any? { |regexp| domain.match?(regexp) } 
+      end
+      true
+    end
+  end
+end

data/lib/acmesmith/ordering_service.rb

@@ -1,5 +1,6 @@
 require 'acmesmith/authorization_service'
 require 'acmesmith/certificate'
+require 'acmesmith/certificate_retrieving_service'
 
 module Acmesmith
   class OrderingService
@@ -8,17 +9,19 @@ module Acmesmith
     # @param acme [Acme::Client] ACME client
     # @param identifiers [Array<String>] Array of domain names for a ordering certificate. The first item will be a common name.
     # @param challenge_responder_rules [Array<Acmesmith::Config::ChallengeResponderRule>] responders
+    # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>] chain_preferences
     # @param not_before [Time]
     # @param not_after [Time]
-    def initialize(acme:, identifiers:, challenge_responder_rules:, not_before: nil, not_after: nil)
+    def initialize(acme:, identifiers:, challenge_responder_rules:, chain_preferences:, not_before: nil, not_after: nil)
       @acme = acme
       @identifiers = identifiers
       @challenge_responder_rules = challenge_responder_rules
+      @chain_preferences = chain_preferences
       @not_before = not_before
       @not_after = not_after
     end
 
-    attr_reader :acme, :identifiers, :challenge_responder_rules, :not_before, :not_after
+    attr_reader :acme, :identifiers, :challenge_responder_rules, :chain_preferences, :not_before, :not_after
 
     def perform!
       puts "=> Ordering a certificate for the following identifiers:"
@@ -38,7 +41,7 @@ module Acmesmith
       finalize_order()
       wait_order_for_complete()
 
-      @certificate = Certificate.by_issuance(order.certificate, csr)
+      @certificate = Certificate.by_issuance(pem_chain, csr)
 
       puts
       puts "=> Certificate issued"
@@ -77,6 +80,12 @@ module Acmesmith
       end
     end
 
+    # @return String
+    def pem_chain
+      url = order.certificate_url or raise NotCompleted, "not completed yet"
+      CertificateRetrievingService.new(acme, common_name, url, chain_preferences: chain_preferences).pem_chain
+    end
+
     def certificate
       @certificate or raise NotCompleted, "not completed yet"
     end

data/lib/acmesmith/storages/s3.rb

@@ -7,7 +7,7 @@ require 'acmesmith/certificate'
 module Acmesmith
   module Storages
     class S3 < Base
-      def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil, pkcs12_passphrase: nil, pkcs12_common_names: nil)
+      def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil, pkcs12_passphrase: nil, pkcs12_common_names: nil, endpoint: nil)
         @region = region
         @bucket = bucket
         @prefix = prefix
@@ -25,6 +25,7 @@ module Acmesmith
 
         @s3 = Aws::S3::Client.new({region: region}.tap do |opt| 
           opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
+          opt[:endpoint] = endpoint if endpoint
         end)
       end
 

data/lib/acmesmith/version.rb

@@ -1,3 +1,3 @@
 module Acmesmith
-  VERSION = "2.4.0"
+  VERSION = "2.5.0"
 end

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: acmesmith
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.5.0
 platform: ruby
 authors:
 - Sorah Fukumori
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-02 00:00:00.000000000 Z
+date: 2022-10-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.7
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.7
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-acm
   requirement: !ruby/object:Gem::Requirement
@@ -136,6 +142,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".dockerignore"
+- ".github/FUNDING.yml"
 - ".github/stale.yml"
 - ".github/workflows/build.yml"
 - ".gitignore"
@@ -162,6 +169,7 @@ files:
 - lib/acmesmith/account_key.rb
 - lib/acmesmith/authorization_service.rb
 - lib/acmesmith/certificate.rb
+- lib/acmesmith/certificate_retrieving_service.rb
 - lib/acmesmith/challenge_responder_filter.rb
 - lib/acmesmith/challenge_responders.rb
 - lib/acmesmith/challenge_responders/base.rb
@@ -171,6 +179,7 @@ files:
 - lib/acmesmith/client.rb
 - lib/acmesmith/command.rb
 - lib/acmesmith/config.rb
+- lib/acmesmith/domain_name_filter.rb
 - lib/acmesmith/ordering_service.rb
 - lib/acmesmith/post_issueing_hooks.rb
 - lib/acmesmith/post_issueing_hooks/base.rb
@@ -206,7 +215,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.4.0.dev
 signing_key:
 specification_version: 4
 summary: ACME client (Let's encrypt client) to manage certificate in multi server