acmesmith 2.7.1 → 2.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: de52b6d87714b27035507ce19c8dccc5c876cebebed05ce06d9865858f2f0fec
-  data.tar.gz: 7aef801a33ea26c22db4a38c1c3af2d9432862dc3ffa383e47b23a12ab296531
+  metadata.gz: 5230018ae89aac8b573c6353b1f447b078538a2ac3211e4d626eeba429a2a5af
+  data.tar.gz: a5ee69e253291d3ce838f248fed18ae5a29a01bd2aea4895b582e34ceeae5c9a
 SHA512:
-  metadata.gz: fbcfef0acbd3e20a3f9245a41fd7f3bd74e33bf7333f307ee32047a330b7b30c213260e59cc4571b98fc650a89b9d424fa66097a776f52ad2f9a0ecbb1eb5a4a
-  data.tar.gz: 94479e7616793c0cf51bfd3083a1ce6195c6ff886d7516fb62e841b5d93eaf14540dd9793030d33b273ef9b6fc3fa3f06abbb8be43af3a08e47b7f871aea2b60
+  metadata.gz: 27e82c020a219babe961f13db21bf72ee6c3084ce16ef023da4efbf494d004a91def0cc0f7c96316f9540249e51a888b803fdc48a82970ef319afebe4de08ada
+  data.tar.gz: ab4c2e3277e4af4cbbed7de6087c11c11ee4c0d741892a4da6ea458297fd726db87e49a0e73d32dff52111d61c4fdc60db04a775db70fcb2e06c05cf997f2454

data/CHANGELOG.md

@@ -1,3 +1,38 @@
+## [unreleased]
+
+## v2.9.0 (2026-03-14)
+
+### Enhancements
+
+- `acmesmith order` and configuration file gain `profiles` configuration to allow switching ACME profiles such as `shortlived` [#81](https://github.com/sorah/acmesmith/pull/81)
+
+  ```yaml
+  profiles:
+    - name: "shortlived"
+      filter:
+        subject_name_suffix: [".shortlived.example.invalid"]
+  ```
+
+### Changes
+
+- Prebuilt Docker images are no longer pushed to Dockerhub. Use GHCR instead: [ghcr.io/sorah/acmesmith](https://ghcr.io/sorah/acmesmith)
+
+## v2.8.0 (2025-11-11)
+
+### Enhancements
+
+- post_issuing_hooks/shell: Gained `$CERT_NAME` environment variable which is to replace `$COMMON_NAME` for certificates without CN field. [#76](https://github.com/sorah/acmesmith/pull/76)
+- certificate: gained `name` method (Certificate#name) in addition to Certificate#common_name, for certificates without CN field. Plugin authors are encouraged to migrate on this new API. [#76](https://github.com/sorah/acmesmith/pull/76)
+
+### Fixes
+
+- A certificate name is now inherited to a new certificate during autorenew and add-san command for stability, otherwise it could be saved under an another name when CA has issued the new certificate with different subject field or SANs field due to its policy/behaviour change; If you're using 3rd party storage plugins, it has to be updated to use Certificate#name instead of Certificate#common_name to support certificates without CN field. [#77](https://github.com/sorah/acmesmith/pull/77)
+
+### Updates
+
+- Update gemspec to the latest bundler's provided template. This removes certain irrevant files from a released gem package. [#75](https://github.com/sorah/acmesmith/issues/75)
+- Use rubygems.org trusted publishing via GitHub Actions [#75](https://github.com/sorah/acmesmith/issues/75)
+
 ## v2.7.1 (2025-08-21)
 
 ### Bug fixes

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM sorah/ruby:3.4-dev as builder
+FROM ghcr.io/sorah-rbpkg/ruby:3.4-dev as builder
 
 #RUN apt-get update \
 #    && apt-get install -y libmysqlclient-dev git-core \
@@ -10,13 +10,14 @@ COPY Gemfile.lock /app/
 COPY acmesmith.gemspec /app/
 RUN sed -i -e 's|Acmesmith::VERSION|"0.0.0"|g' -e '/^require.*acmesmith.version/d' -e '/`git/d' acmesmith.gemspec
 
-RUN bundle install --path /gems --jobs 100 --without development
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+    apt-get update \
+ && apt-get install -y --no-install-recommends libssl-dev
 
-FROM sorah/ruby:3.4
+RUN bundle install --path /gems --jobs 100 --without development
 
-#RUN apt-get update \
-#    && apt-get install -y libmysqlclient20 \
-#    && rm -rf /var/lib/apt/lists/*
+FROM ghcr.io/sorah-rbpkg/ruby:3.4
 
 WORKDIR /app
 COPY . /app/

data/README.md

@@ -1,6 +1,6 @@
 # Acmesmith: A simple, effective ACME v2 client to use with many servers and a cloud
 
-![ci](https://github.com/sorah/acmesmith/workflows/ci/badge.svg?event=push)  <a href='https://ko-fi.com/J3J8CKMUU' target='_blank'><img height='36' style='border:0px;height:36px;' src='https://cdn.ko-fi.com/cdn/kofi3.png?v=3' border='0' alt='Buy Me a Coffee at ko-fi.com' /></a>
+[![ci](https://github.com/sorah/acmesmith/actions/workflows/build.yml/badge.svg?event=push)](https://github.com/sorah/acmesmith/actions/workflows/build.yml) <a href='https://ko-fi.com/J3J8CKMUU' target='_blank'><img height='36' style='border:0px;height:36px;' src='https://cdn.ko-fi.com/cdn/kofi3.png?v=3' border='0' alt='Buy Me a Coffee at ko-fi.com' /></a>
 
 
 Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://github.com/ietf-wg-acme/acme) client that works perfect on environment with multiple servers. This client saves certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy issued certificates onto your servers smoothly. This works well on [Let's encrypt](https://letsencrypt.org).
@@ -42,7 +42,7 @@ docker run -v /path/to/acmesmith.yml:/app/acmesmith.yml:ro sorah/acmesmith:lates
 
 [`Dockerfile`](./Dockerfile) is available. Default confguration file is at `/app/acmesmith.yml`.
 
-Pre-built docker images are provided at https://hub.docker.com/r/sorah/acmesmith for your convenience
+Pre-built docker images are provided at https://ghcr.io/sorah/acmesmith for your convenience
 Built with GitHub Actions & [sorah-rbpkg/dockerfiles](https://github.com/sorah-rbpkg/dockerfiles).
 
 ## Usage
@@ -176,6 +176,28 @@ chain_preferences:
         - '\Aapp\d+.example.org\z'
 ```
 
+### Profiles
+
+Some ACME CAs support [certificate profiles](https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/) that allow selecting different certificate types (e.g., short-lived, classic). Use the `list-profiles` command to discover available profiles from your CA:
+
+```
+$ acmesmith list-profiles
+```
+
+To configure profile selection per domain, add `profiles` to your configuration. The first matching rule wins:
+
+```yaml
+profiles:
+  - name: "shortlived"
+    filter:
+      subject_name_suffix:
+        - .shortlived.example.com
+  - name: "classic"
+    # no filter = default/fallback
+```
+
+The `filter` block supports the same options as challenge responders: `subject_name_exact`, `subject_name_suffix`, and `subject_name_regexp`.
+
 ## Vendor dependent notes
 
 - [./docs/vendor/aws.md](./docs/vendor/aws.md): IAM and KMS key policies, and some tips
@@ -195,7 +217,7 @@ bundle exec rspec
 integration test using [letsencrypt/pebble](https://github.com/letsencrypt/pebble). needs Docker:
 
 ```
-ACMESMITH_CI_START_PEBBLE=1 CI=1 bundle exec -t integration_pebble
+ACMESMITH_CI_START_PEBBLE=1 bundle exec rspec -t integration_pebble
 ```
 
 ## Writing plugins

data/config.sample.yml

@@ -38,6 +38,21 @@ challenge_responders:
   # Last resort
   - route53: {}
 
+###
+### Profiles (optional)
+###
+
+## ACME certificate profiles allow selecting different certificate types.
+## Use `acmesmith list-profiles` to discover available profiles.
+## First matching rule wins.
+# profiles:
+#   - name: "shortlived"
+#     filter:
+#       subject_name_suffix:
+#         - .shortlived.example.com
+#   - name: "classic"
+#     # no filter = default/fallback
+
 ###
 ### advanced options
 ###

data/docs/post_issuing_hooks/shell.md

@@ -1,17 +1,20 @@
 # Post Issuing Hook: Shell
 
-Execute specified command on a shell. Environment variable `${COMMON_NAME}` is available.
+Execute specified command on a shell. Environment variable `${CERT_NAME}` is available.
 
 ```yaml
 post_issuing_hooks:
   "test.example.com":
     - shell:
-        command: mail -s "New cert for ${COMMON_NAME} has been issued" user@example.com < /dev/null
+        command: mail -s "New cert for ${CERT_NAME} has been issued" user@example.com < /dev/null
     - shell:
-        command: touch /tmp/certs-has-been-issued-${COMMON_NAME}
+        command: touch /tmp/certs-has-been-issued-${CERT_NAME}
   "admin.example.com":
     - shell:
-        command: /usr/bin/dosomethingelse ${COMMON_NAME}
+        command: /usr/bin/dosomethingelse ${CERT_NAME}
 ```
 
+## What happened to `${COMMON_NAME}`?
 
+In modern CA behavior, certificates may be missing CN field, or entire subject field.
+It is still available, but we recommend to use `${CERT_NAME}` instead, which obtains a certificate name from certain sources.

data/lib/acmesmith/certificate.rb

@@ -17,10 +17,11 @@ module Acmesmith
     # Return Acmesmith::Certificate by an issued certificate
     # @param pem_chain [String]
     # @param csr [Acme::Client::CertificateRequest]
+    # @param name [String, nil]
     # @return [Acmesmith::Certificate]
-    def self.by_issuance(pem_chain, csr)
+    def self.by_issuance(pem_chain, csr, name: nil)
       pems = split_pems(pem_chain)
-      new(pems[0], pems[1..-1], csr.private_key, nil, csr)
+      new(pems[0], pems[1..-1], csr.private_key, nil, csr, name: name)
     end
 
     # @param certificate [OpenSSL::X509::Certificate, String]
@@ -28,7 +29,9 @@ module Acmesmith
     # @param private_key [String, OpenSSL::PKey::PKey]
     # @param key_passphrase [String, nil]
     # @param csr [String, OpenSSL::X509::Request, nil]
-    def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil)
+    # @param name [String, nil]
+    def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil, name: nil)
+      @name = name
       @certificate = case certificate
                      when OpenSSL::X509::Certificate
                        certificate
@@ -94,6 +97,8 @@ module Acmesmith
     # @return [OpenSSL::X509::Request]
     attr_reader :csr
 
+    attr_writer :name
+
     # Try to decrypt private_key if encrypted.
     # @param pw [String] passphrase for encrypted PEM
     # @raise [PrivateKeyDecrypted] if private_key is decrypted
@@ -128,18 +133,38 @@ module Acmesmith
       chain.map(&:to_pem).join("\n")
     end
 
-    # @return [String] common name
+    # Returns a predicted certificate name, taken from common name or first SAN.
+    # Note that this value can contain colons (':') if name is taken from non-DNS subject alternative name.
+    # @return [String] certificate name
+    def name
+      @name || common_name || sans.first || all_sans.first
+    end
+
+    # Returns a certificate common name taken from the certificate subject's CN field.
+    # Under the real CA, CNs can be missing. Use #name instead to retrieve the certificate name for most cases.
+    # ref. https://github.com/letsencrypt/pebble/pull/491#pullrequestreview-2718607820
+    # @return [String, nil] common name
     def common_name
-      certificate.subject.to_a.assoc('CN')[1]
+      certificate.subject.to_a.assoc('CN')&.fetch(1)
     end
 
-    # @return [Array<String>] Subject Alternative Names (dNSname)
-    def sans
+    # Returns a list of subject alternative names included in the certificate.
+    # @return [Array<String>] Subject Alternative Names
+    def all_sans
       certificate.extensions.select { |_| _.oid == 'subjectAltName' }.flat_map do |ext|
-        ext.value.split(/,\s*/).select { |_| _.start_with?('DNS:') }.map { |_| _[4..-1] }
+        ext.value.split(/,\s*/)
       end
     end
 
+    # Returns a list of DNS subject alternative names included in the certificate.
+    # Strips DNS: prefix from returned values.
+    # @return [Array<String>] Subject Alternative Names (dNSname)
+    def sans
+      all_sans.select do |san|
+        san.start_with?('DNS:')
+      end.map { |_| _[4..-1] }
+    end
+
     # @return [String] Version string (consists of NotBefore time & certificate serial)
     def version
       "#{certificate.not_before.utc.strftime('%Y%m%d-%H%M%S')}_#{certificate.serial.to_i.to_s(16)}"
@@ -147,7 +172,7 @@ module Acmesmith
 
     # @return [OpenSSL::PKCS12]
     def pkcs12(passphrase)
-      OpenSSL::PKCS12.create(passphrase, common_name, private_key, certificate, chain)
+      OpenSSL::PKCS12.create(passphrase, name, private_key, certificate, chain)
     end
 
     # @return [CertificateExport]

data/lib/acmesmith/certificate_retrieving_service.rb

@@ -3,13 +3,13 @@ require 'acmesmith/certificate'
 module Acmesmith
   class CertificateRetrievingService
     # @param acme [Acme::Client]
-    # @param common_name [String]
+    # @param name [String]
     # @param url [String] ACME Certificate URL
     # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>]
-    def initialize(acme, common_name, url, chain_preferences: [])
+    def initialize(acme, name, url, chain_preferences: [])
       @acme = acme
       @url = url
-      @chain_preferences = chain_preferences.select { |_| _.filter.match?(common_name) }
+      @chain_preferences = chain_preferences.select { |_| _.filter.match?(name) }
     end
 
     attr_reader :acme

data/lib/acmesmith/challenge_responder_filter.rb

@@ -1,18 +1,14 @@
-require 'acmesmith/domain_name_filter'
+require 'acmesmith/subject_name_filter'
 
 module Acmesmith
   class ChallengeResponderFilter
-    def initialize(responder, subject_name_exact: nil, subject_name_suffix: nil, subject_name_regexp: nil)
+    def initialize(responder, **filter)
       @responder = responder
-      @domain_name_filter = DomainNameFilter.new(
-        exact: subject_name_exact,
-        suffix: subject_name_suffix,
-        regexp: subject_name_regexp,
-      )
+      @subject_name_filter = SubjectNameFilter.new(**filter)
     end
 
     def applicable?(domain)
-      @domain_name_filter.match?(domain) && @responder.applicable?(domain)
+      @subject_name_filter.match?(domain) && @responder.applicable?(domain)
     end
   end
 end

data/lib/acmesmith/challenge_responders/pebble_challtestsrv_dns.rb

@@ -42,7 +42,7 @@ module Acmesmith
       end
 
       def warn_test
-        unless ENV['CI']
+        unless ENV['ACMESMITH_ACKNOWLEDGE_PEBBLE_CHALLTESTSRV_IS_INSECURE']
           $stderr.puts '!!!!!!!!! WARNING WARNING WARNING !!!!!!!!!'
           $stderr.puts '!!!! pebble-challtestsrv command is for TEST USAGE ONLY. It is trivially insecure, offering no authentication. Only use pebble-challtestsrv in a controlled test environment.'
           $stderr.puts '!!!! https://github.com/letsencrypt/pebble/blob/master/cmd/pebble-challtestsrv/README.md'

data/lib/acmesmith/client.rb

@@ -30,35 +30,39 @@ module Acmesmith
       raise NotImplementedError, "Domain authorization in advance is still not available in acme-client (v2). Required authorizations will be performed when ordering certificates"
     end
 
-    def post_issue_hooks(common_name)
-      cert = storage.get_certificate(common_name)
+    def list_profiles
+      acme.profiles
+    end
+
+    def post_issue_hooks(name)
+      cert = load_certificate_from_storage(name)
       execute_post_issue_hooks(cert)
     end
 
     def execute_post_issue_hooks(certificate)
-      hooks = config.post_issuing_hooks(certificate.common_name)
+      hooks = config.post_issuing_hooks(certificate.name)
       return if hooks.empty?
-      puts "=> Executing post issuing hooks for CN=#{certificate.common_name}"
+      puts "=> Executing post issuing hooks for CN=#{certificate.name}"
       hooks.each do |hook|
         hook.run(certificate: certificate)
       end
       puts
     end
 
-    def certificate_versions(common_name)
-      storage.list_certificate_versions(common_name).sort
+    def certificate_versions(name)
+      storage.list_certificate_versions(name).sort
     end
 
     def certificates_list
       storage.list_certificates.sort
     end
 
-    def current(common_name)
-      storage.get_current_certificate_version(common_name)
+    def current(name)
+      storage.get_current_certificate_version(name)
     end
 
-    def get_certificate(common_name, version: 'current', type: 'text')
-      cert = storage.get_certificate(common_name, version: version)
+    def get_certificate(name, version: 'current', type: 'text')
+      cert = storage.get_certificate(name, version: version)
 
       certs = []
       case type
@@ -76,8 +80,8 @@ module Acmesmith
       certs
     end
 
-    def save_certificate(common_name, version: 'current', mode: '0600', output:, type: 'fullchain')
-      cert = storage.get_certificate(common_name, version: version)
+    def save_certificate(name, version: 'current', mode: '0600', output:, type: 'fullchain')
+      cert = storage.get_certificate(name, version: version)
       File.open(output, 'w', mode.to_i(8)) do |f|
         case type
         when 'certificate'
@@ -90,23 +94,23 @@ module Acmesmith
       end
     end
 
-    def get_private_key(common_name, version: 'current')
-      cert = storage.get_certificate(common_name, version: version)
+    def get_private_key(name, version: 'current')
+      cert = storage.get_certificate(name, version: version)
       cert.key_passphrase = certificate_key_passphrase if certificate_key_passphrase
 
       cert.private_key.to_pem
     end
 
-    def save_private_key(common_name, version: 'current', mode: '0600', output:)
-      cert = storage.get_certificate(common_name, version: version)
+    def save_private_key(name, version: 'current', mode: '0600', output:)
+      cert = storage.get_certificate(name, version: version)
       cert.key_passphrase = certificate_key_passphrase if certificate_key_passphrase
       File.open(output, 'w', mode.to_i(8)) do |f|
         f.puts(cert.private_key)
       end
     end
 
-    def save_pkcs12(common_name, version: 'current', mode: '0600', output:, passphrase:)
-      cert = storage.get_certificate(common_name, version: version)
+    def save_pkcs12(name, version: 'current', mode: '0600', output:, passphrase:)
+      cert = storage.get_certificate(name, version: version)
       cert.key_passphrase = certificate_key_passphrase if certificate_key_passphrase
       
       p12 = cert.pkcs12(passphrase)
@@ -115,17 +119,18 @@ module Acmesmith
       end
     end
 
-    def save(common_name, version: 'current', **kwargs)
-      cert = storage.get_certificate(common_name, version: version)
+    def save(name, version: 'current', **kwargs)
+      cert = storage.get_certificate(name, version: version)
       cert.key_passphrase = certificate_key_passphrase if certificate_key_passphrase
 
       SaveCertificateService.new(cert, **kwargs).perform!
     end
 
-    def autorenew(days: 30, remaining_life: nil, common_names: nil)
-      (common_names || storage.list_certificates).each do |cn|
+    def autorenew(days: 30, remaining_life: nil, names: nil)
+      (names || storage.list_certificates).each do |cn|
         puts "=> #{cn}"
-        cert = storage.get_certificate(cn)
+        cert = load_certificate_from_storage(cn)
+
         not_after = cert.certificate.not_after.utc
 
         lifetime = cert.certificate.not_after.utc - cert.certificate.not_before.utc
@@ -139,17 +144,17 @@ module Acmesmith
         puts "   Not valid after: #{not_after} (lifetime=#{format_duration(lifetime+1)}, remaining=#{format_duration(remaining)}, #{"%0.2f" % (ratio.to_f*100)}%)"
         next unless has_to_renew
 
-        puts " * Renewing: CN=#{cert.common_name}, SANs=#{cert.sans.join(',')}"
-        order_with_private_key(cert.common_name, *cert.sans, private_key: regenerate_private_key(cert.public_key))
+        puts " * Renewing: #{cert.name.inspect}, SANs=#{cert.sans.join(',')}"
+        order_with_private_key(cert.name, *cert.sans, private_key: regenerate_private_key(cert.public_key))
       end
     end
 
-    def add_san(common_name, *add_sans)
-      puts "=> reissuing CN=#{common_name} with new SANs #{add_sans.join(?,)}"
-      cert = storage.get_certificate(common_name)
+    def add_san(name, *add_sans)
+      puts "=> reissuing #{name.inspect} with new SANs #{add_sans.join(?,)}"
+      cert = load_certificate_from_storage(name)
       sans = cert.sans + add_sans
       puts " * SANs will be: #{sans.join(?,)}"
-      order_with_private_key(cert.common_name, *sans, private_key: regenerate_private_key(cert.public_key))
+      order_with_private_key(cert.name, *sans, private_key: regenerate_private_key(cert.public_key))
     end
 
     private
@@ -212,13 +217,15 @@ module Acmesmith
       end
     end
 
-    def order_with_private_key(*identifiers, private_key:, not_before: nil, not_after: nil)
+    def order_with_private_key(name, *identifiers, private_key:, not_before: nil, not_after: nil)
       order = OrderingService.new(
         acme: acme,
-        identifiers: identifiers,
+        common_name: name,
+        identifiers: [name, *identifiers],
         private_key: private_key,
         challenge_responder_rules: config.challenge_responders,
         chain_preferences: config.chain_preferences,
+        profile_rules: config.profile_rules,
         not_before: not_before,
         not_after: not_after
       )
@@ -258,5 +265,12 @@ module Acmesmith
         raise ArgumentError, "Unknown key type: #{template.class}"
       end
     end
+
+    # Load certificate from storage, inherit name property to loaded certificate to ensure stability of #name during renewal.
+    def load_certificate_from_storage(name)
+      retval = storage.get_certificate(name)
+      retval.name = name
+      retval
+    end
   end
 end