acmesmith 2.4.0 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4089bdb36940e87e2f996a6c820a2f06505024f6ae9721c3da332999c2145998
-  data.tar.gz: 1abf984f4f5d82a0d266bb5aee3905708ba1392238439663af0bc8ac9aa700b0
+  metadata.gz: 914be0de4c237bcd0db59a908f8ce70c3f7b364bb2ab0ac25b6e26ff95ecd7bc
+  data.tar.gz: 14b96550d4ef0274d1546e78b5121c6b9356e9c71e479a4ed17b4d9ff8fc669e
 SHA512:
-  metadata.gz: d1147c0742b2bd14205b89ca76f4b011453d2eeadf0df2aaad094b7e3c32907de322aed48c0d4fce40a4120ddd782c5c67e6da1504644fce3db679b4452ef774
-  data.tar.gz: e8bc441a9cb9fff624f338fb33946bab80bf742848e695130b17bd807ba8da98d79e5999459ce824cf6ebcdac6206f156026a17adc754aa6bde8356cc3a915f1
+  metadata.gz: ce305e972fcb06a4bc97b2ceea2177cd759601c55064dd5e22ea15b0981ea838e7c11d8e5401d08c41ec1f249cfa0d7a6489f67b2c3e52cc8d67bd1871d77e69
+  data.tar.gz: dfabb130f347dc7829cbaad1b5de6aca553dfedc7172d53d163736baee2b07b00124ef7f5f31d9270df660f4b9381b05ed6ca6cfa2e9a96163f25d6fa2d83286

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+ko_fi: sorah
+github: [sorah]

data/.github/workflows/build.yml

@@ -18,9 +18,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['2.6', '2.7']
+        ruby-version: ['3.0', '3.1', '3.2']
     container:
-      image: sorah/ruby:${{ matrix.ruby-version }}-dev
+      image: public.ecr.aws/sorah/ruby:${{ matrix.ruby-version }}-dev
     steps:
 
       - name: Cache bundled gems
@@ -40,7 +40,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['2.6', '2.7']
+        ruby-version: ['3.0', '3.1', '3.2']
 
         # FIXME: once GitHub Actions gains support of adding command line arguments to container
       #    services:
@@ -72,7 +72,7 @@ jobs:
 
       - run: 'docker run -d --net=host --rm letsencrypt/pebble pebble -config /test/config/pebble-config.json -strict -dnsserver 127.0.0.1:8053'
       - run: 'docker run -d --net=host --rm letsencrypt/pebble-challtestsrv pebble-challtestsrv -management :8055 -defaultIPv4 127.0.0.1'
-      - run: 'docker run --net=host -e CI --rm -v $(pwd):/work -v $(realpath ~/bundle):/bundle sorah/ruby:${{ matrix.ruby-version  }}-dev sh -c "cd /work && bundle install --path /bundle && bundle exec rspec -fd -t integration_pebble"'
+      - run: 'docker run --net=host -e CI --rm -v $(pwd):/work -v $(realpath ~/bundle):/bundle public.ecr.aws/sorah/ruby:${{ matrix.ruby-version  }}-dev sh -c "cd /work && bundle install --path /bundle && bundle exec rspec -fd -t integration_pebble"'
 
   docker-build:
     name: docker-build

data/CHANGELOG.md

@@ -1,4 +1,19 @@
-## v2.4.0 (2020-05-12)
+## v2.6.0 (2023-10-05)
+
+### Enhancement
+
+- order: Gains `--key-type`, `--rsa-key-size`, `--elliptic-curve` options to customize private key generation, and generating EC keys. [#58](https://github.com/sorah/acmesmith/pull/58)
+- autorenew: Respect the existing key configuration when regenerating a fresh key pair for renewal.  [#58](https://github.com/sorah/acmesmith/pull/58)
+
+## v2.5.0 (2020-10-09)
+
+### Enhancement
+
+- Gains `chain_preferences` configuration to choose alternate chain. [#47](https://github.com/sorah/acmesmith/pull/47)
+- route53: Gains `substitution_map` to allow delegation of `_acme-challenge` via predefined CNAME record. [#53](https://github.com/sorah/acmesmith/pull/53)
+- s3: Gains `endpoint` option. [#52](https://github.com/sorah/acmesmith/pull/52)
+
+## v2.4.0 (2020-12-03)
 
 ### Enhancement
 

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM sorah/ruby:2.7-dev as builder
+FROM sorah/ruby:3.2-dev as builder
 
 #RUN apt-get update \
 #    && apt-get install -y libmysqlclient-dev git-core \
@@ -12,7 +12,7 @@ RUN sed -i -e 's|Acmesmith::VERSION|"0.0.0"|g' -e '/^require.*acmesmith.version/
 
 RUN bundle install --path /gems --jobs 100 --without development
 
-FROM sorah/ruby:2.7
+FROM sorah/ruby:3.2
 
 #RUN apt-get update \
 #    && apt-get install -y libmysqlclient20 \

data/Gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    acmesmith (2.4.0)
-      acme-client (~> 2)
+    acmesmith (2.6.0)
+      acme-client (>= 2.0.7, < 3)
       aws-sdk-acm
       aws-sdk-route53
       aws-sdk-s3
@@ -11,55 +11,62 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    acme-client (2.0.7)
-      faraday (>= 0.17, < 2.0.0)
-    aws-eventstream (1.1.0)
-    aws-partitions (1.402.0)
-    aws-sdk-acm (1.38.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    acme-client (2.0.14)
+      faraday (>= 1.0, < 3.0.0)
+      faraday-retry (>= 1.0, < 3.0.0)
+    aws-eventstream (1.2.0)
+    aws-partitions (1.832.0)
+    aws-sdk-acm (1.62.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.109.3)
+    aws-sdk-core (3.185.0)
       aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.239.0)
+      aws-partitions (~> 1, >= 1.651.0)
+      aws-sigv4 (~> 1.5)
+      jmespath (~> 1, >= 1.6.1)
+    aws-sdk-kms (1.72.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
       aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
-    aws-sdk-kms (1.39.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-route53 (1.79.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-route53 (1.44.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.86.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-s3 (1.136.0)
+      aws-sdk-core (~> 3, >= 3.181.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.2)
+      aws-sigv4 (~> 1.6)
+    aws-sigv4 (1.6.0)
       aws-eventstream (~> 1, >= 1.0.2)
-    diff-lcs (1.3)
-    faraday (1.1.0)
-      multipart-post (>= 1.2, < 3)
-      ruby2_keywords
-    jmespath (1.4.0)
-    mini_portile2 (2.4.0)
-    multipart-post (2.1.1)
-    nokogiri (1.10.9)
-      mini_portile2 (~> 2.4.0)
-    rake (13.0.1)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.2)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.2)
+    base64 (0.1.1)
+    diff-lcs (1.4.4)
+    faraday (2.7.11)
+      base64
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (3.0.2)
+    faraday-retry (2.2.0)
+      faraday (~> 2.0)
+    jmespath (1.6.2)
+    mini_portile2 (2.8.1)
+    nokogiri (1.14.3)
+      mini_portile2 (~> 2.8.0)
+      racc (~> 1.4)
+    racc (1.6.2)
+    rake (13.0.6)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.3)
-    ruby2_keywords (0.0.2)
-    thor (1.0.1)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.2)
+    ruby2_keywords (0.0.5)
+    thor (1.2.2)
 
 PLATFORMS
   ruby

data/README.md

@@ -1,6 +1,7 @@
 # Acmesmith: A simple, effective ACME v2 client to use with many servers and a cloud
 
-![ci](https://github.com/sorah/acmesmith/workflows/ci/badge.svg?event=push)
+![ci](https://github.com/sorah/acmesmith/workflows/ci/badge.svg?event=push)  <a href='https://ko-fi.com/J3J8CKMUU' target='_blank'><img height='36' style='border:0px;height:36px;' src='https://cdn.ko-fi.com/cdn/kofi3.png?v=3' border='0' alt='Buy Me a Coffee at ko-fi.com' /></a>
+
 
 Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://github.com/ietf-wg-acme/acme) client that works perfect on environment with multiple servers. This client saves certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy issued certificates onto your servers smoothly. This works well on [Let's encrypt](https://letsencrypt.org).
 
@@ -151,6 +152,30 @@ are configurable per certificate's common-name.
 - Shell script: [shell](./docs/post_issuing_hooks/shell.md)
 - Amazon Certificate Manager (ACM): [acm](./docs/post_issuing_hooks/acm.md)
 
+### Chain preference
+
+If you want to prefer an alternative chain given by CA ([RFC8555 Section 7.4.2.](https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2)), use the following configuration. Preference may be delcared with common name.
+
+When chain preferences are configured for the common name of an ordered certificate, Acmesmith will retrieve all available alternative chains and evaluate rules in an configured order. The first chain matched to a rule will be used and saved to a storage.
+
+During rule evaluation, a root issuer name and key id are taken from the last available intermediate (Issuer and AKI) provided in a chain, when a chain doesn't have a root certificate (trust anchor).
+
+```yaml
+chain_preferences:
+  - root_issuer_name: "ISRG Root X1"
+    ### Optionally, you may specify CA SKI/AKI:
+    # root_issuer_key_id: "79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e"
+
+    ### Filter by common name (optional)
+    filter:
+      exact:
+        - my-app.example.com
+      suffix:
+        - .example.org
+      regexp:
+        - '\Aapp\d+.example.org\z'
+```
+
 ## Vendor dependent notes
 
 - [./docs/vendor/aws.md](./docs/vendor/aws.md): IAM and KMS key policies, and some tips

data/acmesmith.gemspec

@@ -21,7 +21,7 @@ Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://gi
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "acme-client", '~> 2'
+  spec.add_dependency "acme-client", '>= 2.0.7', '< 3'
   spec.add_dependency "aws-sdk-acm"
   spec.add_dependency "aws-sdk-route53"
   spec.add_dependency "aws-sdk-s3"

data/docs/challenge_responders/route53.md

@@ -24,7 +24,16 @@ challenge_responders:
 
       # Restore to original records on cleanup (after domain authorization). Default to false.
       # Useful when you need to keep existing record as long as possible.
-      restore_to_original_records: true
+      restore_to_original_records: false
+
+      ### Substitution record names map (optional)
+      ## This specifies alias for specific _acme-challenge record. For instance the following example
+      ## updates _acme-challenge.test-example-com.example.org instead of _acme-challenge.test.example.com.
+      ##
+      ## This eases using the route53 responder for domains not managed in route53, by registering CNAME record to
+      ## the alias record name on the original record name in advance. This is called delegation.
+      substitution_map:
+        "test.example.com.": "test-example-com.example.org."
 ```
 
 ## IAM Policy

data/docs/vendor/aws.md

@@ -20,12 +20,18 @@
       "Effect": "Allow",
       "Action": "route53:ChangeResourceRecordSets",
       "Resource": ["arn:aws:route53:::hostedzone/*"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": "route53:ListResourceRecordSets",
+      "Resource": ["arn:aws:route53:::hostedzone/*"]
     }
   ]
 }
 ```
 
-Note: You can limit allowed hosted zone by modifying `Resource` of `route53:ChangeResourceRecordSets`
+- You can limit allowed hosted zone by `Resource` of `route53:ChangeResourceRecordSets` grant
+- `route53:ListResourceRecordSets` will be only required when `restore_to_original_records` is set
 
 ##### Only fetching certificates
 

data/lib/acmesmith/certificate.rb

@@ -25,7 +25,7 @@ module Acmesmith
 
     # @param certificate [OpenSSL::X509::Certificate, String]
     # @param chain [String, Array<String>, Array<OpenSSL::X509::Certificate>]
-    # @param private_key [String, OpenSSL::PKey::RSA]
+    # @param private_key [String, OpenSSL::PKey::PKey]
     # @param key_passphrase [String, nil]
     # @param csr [String, OpenSSL::X509::Request, nil]
     def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil)
@@ -66,15 +66,15 @@ module Acmesmith
           self.key_passphrase = key_passphrase
         else
           begin
-            @private_key = OpenSSL::PKey::RSA.new(@raw_private_key) { nil }
-          rescue OpenSSL::PKey::RSAError
+            @private_key = OpenSSL::PKey.read(@raw_private_key) { nil }
+          rescue OpenSSL::PKey::PKeyError
             # may be encrypted
           end
         end
-      when OpenSSL::PKey::RSA
+      when OpenSSL::PKey::PKey
         @private_key = private_key
       else
-        raise TypeError, 'private_key is expected to be a String or OpenSSL::PKey::RSA'
+        raise TypeError, 'private_key is expected to be a String or OpenSSL::PKey::PKey'
       end
 
       @csr = case csr
@@ -100,19 +100,24 @@ module Acmesmith
     def key_passphrase=(pw)
       raise PrivateKeyDecrypted, 'private_key already given' if @private_key
 
-      @private_key = OpenSSL::PKey::RSA.new(@raw_private_key, pw)
+      @private_key = OpenSSL::PKey.read(@raw_private_key, pw)
 
       @raw_private_key = nil
       nil
     end
 
-    # @return [OpenSSL::PKey::RSA]
+    # @return [OpenSSL::PKey::PKey]
     # @raise [PassphraseRequired] if private_key is not yet decrypted
     def private_key
       return @private_key if @private_key
       raise PassphraseRequired, 'key_passphrase required'
     end
 
+    # @return [OpenSSL::PKey::PKey]
+    def public_key
+      @certificate.public_key
+    end
+
     # @return [String] leaf certificate + full certificate chain
     def fullchain
       "#{certificate.to_pem}\n#{issuer_pems}".gsub(/\n+/,?\n)

data/lib/acmesmith/certificate_retrieving_service.rb

@@ -0,0 +1,126 @@
+require 'acmesmith/certificate'
+
+module Acmesmith
+  class CertificateRetrievingService
+    # @param acme [Acme::Client]
+    # @param common_name [String]
+    # @param url [String] ACME Certificate URL
+    # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>]
+    def initialize(acme, common_name, url, chain_preferences: [])
+      @acme = acme
+      @url = url
+      @chain_preferences = chain_preferences.select { |_| _.filter.match?(common_name) }
+    end
+
+    attr_reader :acme
+    attr_reader :url
+    attr_reader :chain_preferences
+
+    def pem_chain
+      response = download(url, format: :pem)
+      pem = response.body
+
+      return pem if chain_preferences.empty?
+
+      puts " * Retrieving all chains..."
+      alternative_urls = Array(response.headers.dig('link', 'alternate'))
+      alternative_chains = alternative_urls.map { |_| CertificateChain.new(download(_, format: :pem).body) }
+
+      chains = [CertificateChain.new(pem), *alternative_chains]
+
+      chains.each_with_index do |chain, i|
+        puts "   #{i.succ}. #{chain.to_s}"
+      end
+      puts
+
+      chain_preferences.each do |rule|
+        chains.each_with_index do |chain, i|
+          if chain.match?(name: rule.root_issuer_name, key_id: rule.root_issuer_key_id)
+            puts " * Chain chosen: ##{i.succ}"
+            return chain.pem_chain
+          end
+        end
+      end
+
+      warn " ! Preferred chain is not available, chain chosen: #1"
+      chains.first.pem_chain
+    end
+
+    class CertificateChain
+      def initialize(pem_chain)
+        @pem_chain = pem_chain
+        @pems = Certificate.split_pems(pem_chain)
+        @certificates = @pems.map { |_| OpenSSL::X509::Certificate.new(_) }
+      end
+
+      attr_reader :pem_chain
+      attr_reader :certificates
+
+      def to_s
+        certificates[1..-1].map do |c|
+          "s:#{c.subject},i:#{c.issuer}"
+        end.join(" | ")
+      end
+
+      def match?(name: nil, key_id: nil)
+        has_root = top.issuer == top.subject
+
+        if name
+          return false unless name == (has_root ? top.subject : top.issuer).to_a.assoc('CN')[1]
+        end
+
+        if key_id
+          top_key_id = if has_root
+            value_der(top.extensions.find { |e| e.oid == 'subjectKeyIdentifier' })&.slice(2..-1)
+          else
+            value_der(top.extensions.find { |e| e.oid == 'authorityKeyIdentifier' })&.slice(4,20)
+          end&.unpack1('H*')&.downcase
+          return false unless key_id.downcase.gsub(/:/,'') == top_key_id
+        end
+
+        true
+      end
+
+      def top
+        @top ||= find_top()
+      end
+
+      private def find_top
+        c = certificates.first
+        while c
+          up = find_issuer(c)
+          return c unless up
+          c = up
+        end
+      end
+
+      private def find_issuer(cert)
+        return nil if cert.issuer == cert.subject
+
+        # https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1
+        # sequence(\x30\x16) context-specific(\x80\x14) + keyid
+        aki = value_der(cert.extensions.find { |e| e.oid == 'authorityKeyIdentifier' })
+
+        # compare using SKI as a AKI DER. this doesn't support AKI using other than keyid but it should be okay
+        certificates.find do |c|
+          ski_der = value_der(c.extensions.find { |e| e.oid == 'subjectKeyIdentifier' })
+          next unless ski_der
+          hdr = "\x30\x16\x80\x14".b
+          keyid = ski_der[2..-1]
+
+          "#{hdr}#{keyid}" == aki && cert.issuer == c.subject
+        end
+      end
+
+      private def value_der(ext)
+        return nil unless ext
+        ext.respond_to?(:value_der) ? ext.value_der : ext.to_der[9..-1]
+      end
+    end
+
+    private def download(url, format:)
+      # XXX: Use of private API https://github.com/unixcharles/acme-client/blob/5990b3105569a9d791ea011e0c5e57506eb54353/lib/acme/client.rb#L311
+      acme.__send__(:download, url, format: format)
+    end
+  end
+end

data/lib/acmesmith/challenge_responder_filter.rb

@@ -1,23 +1,18 @@
+require 'acmesmith/domain_name_filter'
+
 module Acmesmith
   class ChallengeResponderFilter
     def initialize(responder, subject_name_exact: nil, subject_name_suffix: nil, subject_name_regexp: nil)
       @responder = responder
-      @subject_name_exact = subject_name_exact && [*subject_name_exact].flatten.compact
-      @subject_name_suffix = subject_name_suffix && [*subject_name_suffix].flatten.compact
-      @subject_name_regexp = subject_name_regexp && [*subject_name_regexp].flatten.compact.map{ |_| Regexp.new(_) }
+      @domain_name_filter = DomainNameFilter.new(
+        exact: subject_name_exact,
+        suffix: subject_name_suffix,
+        regexp: subject_name_regexp,
+      )
     end
 
     def applicable?(domain)
-      if @subject_name_exact
-        return false unless @subject_name_exact.include?(domain)
-      end
-      if @subject_name_suffix
-        return false unless @subject_name_suffix.any? { |suffix| domain.end_with?(suffix) }
-      end
-      if @subject_name_regexp
-        return false unless @subject_name_regexp.any? { |regexp| domain.match?(regexp) } 
-      end
-      @responder.applicable?(domain)
+      @domain_name_filter.match?(domain) && @responder.applicable?(domain)
     end
   end
 end

data/lib/acmesmith/challenge_responders/route53.rb

@@ -17,7 +17,7 @@ module Acmesmith
         true
       end
 
-      def initialize(aws_access_key: nil, assume_role: nil, hosted_zone_map: {}, restore_to_original_records: false)
+      def initialize(aws_access_key: nil, assume_role: nil, hosted_zone_map: {}, restore_to_original_records: false, substitution_map: {})
         aws_options = {region: 'us-east-1'}.tap do |opt| 
           opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
         end
@@ -37,9 +37,13 @@ module Acmesmith
 
         @restore_to_original_records = restore_to_original_records
         @original_records = {}
+
+        @substitution_map = substitution_map.map { |k,v| [canonical_fqdn(k), v] }.to_h
       end
 
       def respond_all(*domain_and_challenges)
+        domain_and_challenges = apply_substitution_for_domain_and_challenges(domain_and_challenges)
+
         save_original_records(*domain_and_challenges) if @restore_to_original_records
 
         challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
@@ -60,6 +64,8 @@ module Acmesmith
       end
 
       def cleanup_all(*domain_and_challenges)
+        domain_and_challenges = apply_substitution_for_domain_and_challenges(domain_and_challenges)
+
         challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
 
         zone_and_batches = challenges_by_hosted_zone.map do |zone_id, dcs|
@@ -264,6 +270,10 @@ module Acmesmith
         end
       end
 
+      def apply_substitution_for_domain_and_challenges(domain_and_challenges)
+        domain_and_challenges.map { |(domain, challenge)| [@substitution_map.fetch(canonical_fqdn(domain), domain), challenge] }
+      end
+
       def list_existing_rrsets(hosted_zone_id, name)
         rrsets = []
         start_record_name = name

data/lib/acmesmith/client.rb

@@ -21,26 +21,9 @@ module Acmesmith
       key
     end
 
-    def order(*identifiers, not_before: nil, not_after: nil)
-      order = OrderingService.new(
-        acme: acme,
-        identifiers: identifiers,
-        challenge_responder_rules: config.challenge_responders,
-        not_before: not_before,
-        not_after: not_after
-      )
-      order.perform!
-      cert = order.certificate
-
-      puts
-      print " * securing into the storage ..."
-      storage.put_certificate(cert, certificate_key_passphrase)
-      puts " [ ok ]"
-      puts
-
-      execute_post_issue_hooks(cert)
-
-      cert
+    def order(*identifiers, key_type: 'rsa', rsa_key_size: 2048, elliptic_curve: 'prime256v1', not_before: nil, not_after: nil)
+      private_key = generate_private_key(key_type: key_type, rsa_key_size: rsa_key_size, elliptic_curve: elliptic_curve)
+      order_with_private_key(*identifiers, private_key: private_key, not_before: not_before, not_after: not_after)
     end
 
     def authorize(*identifiers)
@@ -148,7 +131,7 @@ module Acmesmith
         puts "   Not valid after: #{not_after}"
         next unless (cert.certificate.not_after.utc - Time.now.utc) < (days.to_i * 86400)
         puts " * Renewing: CN=#{cert.common_name}, SANs=#{cert.sans.join(',')}"
-        order(cert.common_name, *cert.sans)
+        order_with_private_key(cert.common_name, *cert.sans, private_key: regenerate_private_key(cert.public_key))
       end
     end
 
@@ -157,7 +140,7 @@ module Acmesmith
       cert = storage.get_certificate(common_name)
       sans = cert.sans + add_sans
       puts " * SANs will be: #{sans.join(?,)}"
-      order(cert.common_name, *sans)
+      order_with_private_key(cert.common_name, *sans, private_key: regenerate_private_key(cert.public_key))
     end
 
     private
@@ -196,5 +179,52 @@ module Acmesmith
         config['account_key_passphrase']
       end
     end
+
+    def order_with_private_key(*identifiers, private_key:, not_before: nil, not_after: nil)
+      order = OrderingService.new(
+        acme: acme,
+        identifiers: identifiers,
+        private_key: private_key,
+        challenge_responder_rules: config.challenge_responders,
+        chain_preferences: config.chain_preferences,
+        not_before: not_before,
+        not_after: not_after
+      )
+      order.perform!
+      cert = order.certificate
+
+      puts
+      print " * securing into the storage ..."
+      storage.put_certificate(cert, certificate_key_passphrase)
+      puts " [ ok ]"
+      puts
+
+      execute_post_issue_hooks(cert)
+
+      cert
+    end
+
+    def generate_private_key(key_type:, rsa_key_size:, elliptic_curve:)
+      case key_type
+      when 'rsa'
+        OpenSSL::PKey::RSA.generate(rsa_key_size)
+      when 'ec'
+        OpenSSL::PKey::EC.generate(elliptic_curve)
+      else
+        raise ArgumentError, "Key type #{key_type} is not supported"
+      end
+    end
+
+    # Generate a new key pair with the same type and key size / curve as existing one
+    def regenerate_private_key(template)
+      case template
+      when OpenSSL::PKey::RSA
+        OpenSSL::PKey::RSA.generate(template.n.num_bits)
+      when OpenSSL::PKey::EC
+        OpenSSL::PKey::EC.generate(template.group)
+      else
+        raise ArgumentError, "Unknown key type: #{template.class}"
+      end
+    end
   end
 end

data/lib/acmesmith/command.rb

@@ -32,8 +32,16 @@ module Acmesmith
 
     desc "order COMMON_NAME [SAN]", "order certificate for CN +COMMON_NAME+ with SANs +SAN+"
     method_option :show_certificate, type: :boolean, aliases: %w(-s), default: true, desc: 'show an issued certificate in PEM and text when exiting'
+    method_option :key_type, type: :string, enum: %w(rsa ec), default: 'rsa', desc: 'key type'
+    method_option :rsa_key_size, type: :numeric, default: 2048, desc: 'size of RSA key'
+    method_option :elliptic_curve, type: :string, default: 'prime256v1', desc: 'elliptic curve group for EC key'
     def order(common_name, *sans)
-      cert = client.order(common_name, *sans)
+      cert = client.order(
+        common_name, *sans,
+        key_type: options[:key_type],
+        rsa_key_size: options[:rsa_key_size],
+        elliptic_curve: options[:elliptic_curve],
+      )
       if options[:show_certificate]
         puts cert.certificate.to_text
         puts cert.certificate.to_pem

data/lib/acmesmith/config.rb

@@ -2,11 +2,13 @@ require 'yaml'
 require 'acmesmith/storages'
 require 'acmesmith/challenge_responders'
 require 'acmesmith/challenge_responder_filter'
+require 'acmesmith/domain_name_filter'
 require 'acmesmith/post_issuing_hooks'
 
 module Acmesmith
   class Config
     ChallengeResponderRule = Struct.new(:challenge_responder, :filter, keyword_init: true)
+    ChainPreference = Struct.new(:root_issuer_name, :root_issuer_key_id, :filter, keyword_init: true)
 
     def self.load_yaml(path)
       new YAML.load_file(path)
@@ -29,6 +31,10 @@ module Acmesmith
       unless @config['directory']
         raise ArgumentError, "config['directory'] must be provided, e.g. https://acme-v02.api.letsencrypt.org/directory or https://acme-staging-v02.api.letsencrypt.org/directory"
       end
+
+      if @config.key?('chain_preferences') && !@config.fetch('chain_preferences').kind_of?(Array)
+        raise ArgumentError, "config['chain_preferences'] must be an Array"
+      end
     end
 
     def [](key)
@@ -104,6 +110,20 @@ module Acmesmith
       end
     end
 
+    def chain_preferences
+      @preferred_chains ||= begin
+        specs = @config['chain_preferences'] || []
+        specs.flat_map do |spec|
+          filter = spec.fetch('filter', {}).map { |k,v| [k.to_sym, v] }.to_h
+          ChainPreference.new(
+            root_issuer_name: spec['root_issuer_name'],
+            root_issuer_key_id: spec['root_issuer_key_id'],
+            filter: DomainNameFilter.new(**filter),
+          )
+        end
+      end
+    end
+
     # def post_actions
     # end
   end

data/lib/acmesmith/domain_name_filter.rb

@@ -0,0 +1,22 @@
+module Acmesmith
+  class DomainNameFilter
+    def initialize(exact: nil, suffix: nil, regexp: nil)
+      @exact = exact && [*exact].flatten.compact
+      @suffix = suffix && [*suffix].flatten.compact
+      @regexp = regexp && [*regexp].flatten.compact.map{ |_| Regexp.new(_) }
+    end
+
+    def match?(domain)
+      if @exact
+        return false unless @exact.include?(domain)
+      end
+      if @suffix
+        return false unless @suffix.any? { |suffix| domain.end_with?(suffix) }
+      end
+      if @regexp
+        return false unless @regexp.any? { |regexp| domain.match?(regexp) } 
+      end
+      true
+    end
+  end
+end

data/lib/acmesmith/ordering_service.rb

@@ -1,5 +1,6 @@
 require 'acmesmith/authorization_service'
 require 'acmesmith/certificate'
+require 'acmesmith/certificate_retrieving_service'
 
 module Acmesmith
   class OrderingService
@@ -7,18 +8,22 @@ module Acmesmith
 
     # @param acme [Acme::Client] ACME client
     # @param identifiers [Array<String>] Array of domain names for a ordering certificate. The first item will be a common name.
+    # @param private_key [OpenSSL::PKey::PKey] Private key
     # @param challenge_responder_rules [Array<Acmesmith::Config::ChallengeResponderRule>] responders
+    # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>] chain_preferences
     # @param not_before [Time]
     # @param not_after [Time]
-    def initialize(acme:, identifiers:, challenge_responder_rules:, not_before: nil, not_after: nil)
+    def initialize(acme:, identifiers:, private_key:, challenge_responder_rules:, chain_preferences:, not_before: nil, not_after: nil)
       @acme = acme
       @identifiers = identifiers
+      @private_key = private_key
       @challenge_responder_rules = challenge_responder_rules
+      @chain_preferences = chain_preferences
       @not_before = not_before
       @not_after = not_after
     end
 
-    attr_reader :acme, :identifiers, :challenge_responder_rules, :not_before, :not_after
+    attr_reader :acme, :identifiers, :private_key, :challenge_responder_rules, :chain_preferences, :not_before, :not_after
 
     def perform!
       puts "=> Ordering a certificate for the following identifiers:"
@@ -38,7 +43,7 @@ module Acmesmith
       finalize_order()
       wait_order_for_complete()
 
-      @certificate = Certificate.by_issuance(order.certificate, csr)
+      @certificate = Certificate.by_issuance(pem_chain, csr)
 
       puts
       puts "=> Certificate issued"
@@ -77,6 +82,12 @@ module Acmesmith
       end
     end
 
+    # @return String
+    def pem_chain
+      url = order.certificate_url or raise NotCompleted, "not completed yet"
+      CertificateRetrievingService.new(acme, common_name, url, chain_preferences: chain_preferences).pem_chain
+    end
+
     def certificate
       @certificate or raise NotCompleted, "not completed yet"
     end
@@ -98,7 +109,7 @@ module Acmesmith
 
     # @return [Acme::Client::CertificateRequest]
     def csr
-      @csr ||= Acme::Client::CertificateRequest.new(subject: { common_name: common_name }, names: sans)
+      @csr ||= Acme::Client::CertificateRequest.new(subject: { common_name: common_name }, names: sans, private_key: private_key)
     end
   end
 end

data/lib/acmesmith/storages/s3.rb

@@ -7,7 +7,7 @@ require 'acmesmith/certificate'
 module Acmesmith
   module Storages
     class S3 < Base
-      def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil, pkcs12_passphrase: nil, pkcs12_common_names: nil)
+      def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil, pkcs12_passphrase: nil, pkcs12_common_names: nil, endpoint: nil)
         @region = region
         @bucket = bucket
         @prefix = prefix
@@ -25,6 +25,7 @@ module Acmesmith
 
         @s3 = Aws::S3::Client.new({region: region}.tap do |opt| 
           opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
+          opt[:endpoint] = endpoint if endpoint
         end)
       end
 

data/lib/acmesmith/version.rb

@@ -1,3 +1,3 @@
 module Acmesmith
-  VERSION = "2.4.0"
+  VERSION = "2.6.0"
 end

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: acmesmith
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.6.0
 platform: ruby
 authors:
 - Sorah Fukumori
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-02 00:00:00.000000000 Z
+date: 2023-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.7
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.7
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-acm
   requirement: !ruby/object:Gem::Requirement
@@ -136,6 +142,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".dockerignore"
+- ".github/FUNDING.yml"
 - ".github/stale.yml"
 - ".github/workflows/build.yml"
 - ".gitignore"
@@ -162,6 +169,7 @@ files:
 - lib/acmesmith/account_key.rb
 - lib/acmesmith/authorization_service.rb
 - lib/acmesmith/certificate.rb
+- lib/acmesmith/certificate_retrieving_service.rb
 - lib/acmesmith/challenge_responder_filter.rb
 - lib/acmesmith/challenge_responders.rb
 - lib/acmesmith/challenge_responders/base.rb
@@ -171,6 +179,7 @@ files:
 - lib/acmesmith/client.rb
 - lib/acmesmith/command.rb
 - lib/acmesmith/config.rb
+- lib/acmesmith/domain_name_filter.rb
 - lib/acmesmith/ordering_service.rb
 - lib/acmesmith/post_issueing_hooks.rb
 - lib/acmesmith/post_issueing_hooks/base.rb
@@ -206,7 +215,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: ACME client (Let's encrypt client) to manage certificate in multi server