acmesmith 2.8.0 → 2.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 252b913c94d04e35760101aedc61410f00bc59c806830f86d1348237c213700b
-  data.tar.gz: e494fc15b7bbdbc1b5b59dfcbb654d654c7908defa749106c8e37cd52d3d882e
+  metadata.gz: 5230018ae89aac8b573c6353b1f447b078538a2ac3211e4d626eeba429a2a5af
+  data.tar.gz: a5ee69e253291d3ce838f248fed18ae5a29a01bd2aea4895b582e34ceeae5c9a
 SHA512:
-  metadata.gz: 2b075a5fc9d32491774864c8035a6de3b3eb8dd03ccea006330f63cce4beac3c8ca4304b51d6b6d6bf406aacf196424c8dd7aaa7f772226240aa2b0138c40474
-  data.tar.gz: c209c626c45fa16f547ca0bea14271bb8c850592b5ef205a7c19269d5c7f0cb941101caaf75e9cdd510e46f5731723bf7cf73abf9878de95171ecd07aed0f5cc
+  metadata.gz: 27e82c020a219babe961f13db21bf72ee6c3084ce16ef023da4efbf494d004a91def0cc0f7c96316f9540249e51a888b803fdc48a82970ef319afebe4de08ada
+  data.tar.gz: ab4c2e3277e4af4cbbed7de6087c11c11ee4c0d741892a4da6ea458297fd726db87e49a0e73d32dff52111d61c4fdc60db04a775db70fcb2e06c05cf997f2454

data/CHANGELOG.md

@@ -1,3 +1,22 @@
+## [unreleased]
+
+## v2.9.0 (2026-03-14)
+
+### Enhancements
+
+- `acmesmith order` and configuration file gain `profiles` configuration to allow switching ACME profiles such as `shortlived` [#81](https://github.com/sorah/acmesmith/pull/81)
+
+  ```yaml
+  profiles:
+    - name: "shortlived"
+      filter:
+        subject_name_suffix: [".shortlived.example.invalid"]
+  ```
+
+### Changes
+
+- Prebuilt Docker images are no longer pushed to Dockerhub. Use GHCR instead: [ghcr.io/sorah/acmesmith](https://ghcr.io/sorah/acmesmith)
+
 ## v2.8.0 (2025-11-11)
 
 ### Enhancements
@@ -11,8 +30,8 @@
 
 ### Updates
 
-- Update gemspec to the latest bundler's provided template. This removes certain irrevant files from a released gem package. [#73](https://github.com/sorah/acmesmith/issues/73)
-- Use rubygems.org trusted publishing via GitHub Actions [#73](https://github.com/sorah/acmesmith/issues/73)
+- Update gemspec to the latest bundler's provided template. This removes certain irrevant files from a released gem package. [#75](https://github.com/sorah/acmesmith/issues/75)
+- Use rubygems.org trusted publishing via GitHub Actions [#75](https://github.com/sorah/acmesmith/issues/75)
 
 ## v2.7.1 (2025-08-21)
 

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM sorah/ruby:3.4-dev as builder
+FROM ghcr.io/sorah-rbpkg/ruby:3.4-dev as builder
 
 #RUN apt-get update \
 #    && apt-get install -y libmysqlclient-dev git-core \
@@ -10,13 +10,14 @@ COPY Gemfile.lock /app/
 COPY acmesmith.gemspec /app/
 RUN sed -i -e 's|Acmesmith::VERSION|"0.0.0"|g' -e '/^require.*acmesmith.version/d' -e '/`git/d' acmesmith.gemspec
 
-RUN bundle install --path /gems --jobs 100 --without development
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+    apt-get update \
+ && apt-get install -y --no-install-recommends libssl-dev
 
-FROM sorah/ruby:3.4
+RUN bundle install --path /gems --jobs 100 --without development
 
-#RUN apt-get update \
-#    && apt-get install -y libmysqlclient20 \
-#    && rm -rf /var/lib/apt/lists/*
+FROM ghcr.io/sorah-rbpkg/ruby:3.4
 
 WORKDIR /app
 COPY . /app/

data/README.md

@@ -42,7 +42,7 @@ docker run -v /path/to/acmesmith.yml:/app/acmesmith.yml:ro sorah/acmesmith:lates
 
 [`Dockerfile`](./Dockerfile) is available. Default confguration file is at `/app/acmesmith.yml`.
 
-Pre-built docker images are provided at https://hub.docker.com/r/sorah/acmesmith for your convenience
+Pre-built docker images are provided at https://ghcr.io/sorah/acmesmith for your convenience
 Built with GitHub Actions & [sorah-rbpkg/dockerfiles](https://github.com/sorah-rbpkg/dockerfiles).
 
 ## Usage
@@ -176,6 +176,28 @@ chain_preferences:
         - '\Aapp\d+.example.org\z'
 ```
 
+### Profiles
+
+Some ACME CAs support [certificate profiles](https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/) that allow selecting different certificate types (e.g., short-lived, classic). Use the `list-profiles` command to discover available profiles from your CA:
+
+```
+$ acmesmith list-profiles
+```
+
+To configure profile selection per domain, add `profiles` to your configuration. The first matching rule wins:
+
+```yaml
+profiles:
+  - name: "shortlived"
+    filter:
+      subject_name_suffix:
+        - .shortlived.example.com
+  - name: "classic"
+    # no filter = default/fallback
+```
+
+The `filter` block supports the same options as challenge responders: `subject_name_exact`, `subject_name_suffix`, and `subject_name_regexp`.
+
 ## Vendor dependent notes
 
 - [./docs/vendor/aws.md](./docs/vendor/aws.md): IAM and KMS key policies, and some tips
@@ -195,7 +217,7 @@ bundle exec rspec
 integration test using [letsencrypt/pebble](https://github.com/letsencrypt/pebble). needs Docker:
 
 ```
-ACMESMITH_CI_START_PEBBLE=1 CI=1 bundle exec -t integration_pebble
+ACMESMITH_CI_START_PEBBLE=1 bundle exec rspec -t integration_pebble
 ```
 
 ## Writing plugins

data/config.sample.yml

@@ -38,6 +38,21 @@ challenge_responders:
   # Last resort
   - route53: {}
 
+###
+### Profiles (optional)
+###
+
+## ACME certificate profiles allow selecting different certificate types.
+## Use `acmesmith list-profiles` to discover available profiles.
+## First matching rule wins.
+# profiles:
+#   - name: "shortlived"
+#     filter:
+#       subject_name_suffix:
+#         - .shortlived.example.com
+#   - name: "classic"
+#     # no filter = default/fallback
+
 ###
 ### advanced options
 ###

data/lib/acmesmith/challenge_responder_filter.rb

@@ -1,18 +1,14 @@
-require 'acmesmith/domain_name_filter'
+require 'acmesmith/subject_name_filter'
 
 module Acmesmith
   class ChallengeResponderFilter
-    def initialize(responder, subject_name_exact: nil, subject_name_suffix: nil, subject_name_regexp: nil)
+    def initialize(responder, **filter)
       @responder = responder
-      @domain_name_filter = DomainNameFilter.new(
-        exact: subject_name_exact,
-        suffix: subject_name_suffix,
-        regexp: subject_name_regexp,
-      )
+      @subject_name_filter = SubjectNameFilter.new(**filter)
     end
 
     def applicable?(domain)
-      @domain_name_filter.match?(domain) && @responder.applicable?(domain)
+      @subject_name_filter.match?(domain) && @responder.applicable?(domain)
     end
   end
 end

data/lib/acmesmith/challenge_responders/pebble_challtestsrv_dns.rb

@@ -42,7 +42,7 @@ module Acmesmith
       end
 
       def warn_test
-        unless ENV['CI']
+        unless ENV['ACMESMITH_ACKNOWLEDGE_PEBBLE_CHALLTESTSRV_IS_INSECURE']
           $stderr.puts '!!!!!!!!! WARNING WARNING WARNING !!!!!!!!!'
           $stderr.puts '!!!! pebble-challtestsrv command is for TEST USAGE ONLY. It is trivially insecure, offering no authentication. Only use pebble-challtestsrv in a controlled test environment.'
           $stderr.puts '!!!! https://github.com/letsencrypt/pebble/blob/master/cmd/pebble-challtestsrv/README.md'

data/lib/acmesmith/client.rb

@@ -30,6 +30,10 @@ module Acmesmith
       raise NotImplementedError, "Domain authorization in advance is still not available in acme-client (v2). Required authorizations will be performed when ordering certificates"
     end
 
+    def list_profiles
+      acme.profiles
+    end
+
     def post_issue_hooks(name)
       cert = load_certificate_from_storage(name)
       execute_post_issue_hooks(cert)
@@ -221,6 +225,7 @@ module Acmesmith
         private_key: private_key,
         challenge_responder_rules: config.challenge_responders,
         chain_preferences: config.chain_preferences,
+        profile_rules: config.profile_rules,
         not_before: not_before,
         not_after: not_after
       )

data/lib/acmesmith/command.rb

@@ -54,6 +54,19 @@ module Acmesmith
     end
     map 'post-issue-hooks' => :post_issue_hooks
 
+    desc "list-profiles", "List available ACME certificate profiles"
+    def list_profiles
+      profiles = client.list_profiles
+      if profiles.nil? || profiles.empty?
+        puts "No profiles available from this ACME directory"
+        return
+      end
+      profiles.each do |name, description|
+        puts "#{name}: #{description}"
+      end
+    end
+    map 'list-profiles' => :list_profiles
+
     desc "list [NAME]", "list certificates or its versions"
     def list(name = nil)
       if name

data/lib/acmesmith/config.rb

@@ -2,6 +2,7 @@ require 'yaml'
 require 'acmesmith/storages'
 require 'acmesmith/challenge_responders'
 require 'acmesmith/challenge_responder_filter'
+require 'acmesmith/subject_name_filter'
 require 'acmesmith/domain_name_filter'
 require 'acmesmith/post_issuing_hooks'
 
@@ -9,6 +10,7 @@ module Acmesmith
   class Config
     ChallengeResponderRule = Struct.new(:challenge_responder, :filter, keyword_init: true)
     ChainPreference = Struct.new(:root_issuer_name, :root_issuer_key_id, :filter, keyword_init: true)
+    ProfileRule = Data.define(:name, :filter)
 
     def self.load_yaml(path)
       new YAML.load_file(path)
@@ -35,6 +37,10 @@ module Acmesmith
       if @config.key?('chain_preferences') && !@config.fetch('chain_preferences').kind_of?(Array)
         raise ArgumentError, "config['chain_preferences'] must be an Array"
       end
+
+      if @config.key?('profiles') && !@config.fetch('profiles').kind_of?(Array)
+        raise ArgumentError, "config['profiles'] must be an Array"
+      end
     end
 
     def [](key)
@@ -124,6 +130,16 @@ module Acmesmith
       end
     end
 
+    def profile_rules
+      @profile_rules ||= begin
+        specs = @config['profiles'] || []
+        specs.map do |spec|
+          filter = spec.fetch('filter', {}).map { |k,v| [k.to_sym, v] }.to_h
+          ProfileRule.new(name: spec['name'], filter: SubjectNameFilter.new(**filter))
+        end
+      end
+    end
+
     # def post_actions
     # end
   end

data/lib/acmesmith/ordering_service.rb

@@ -14,18 +14,21 @@ module Acmesmith
     # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>] chain_preferences
     # @param not_before [Time]
     # @param not_after [Time]
-    def initialize(acme:, common_name:, identifiers:, private_key:, challenge_responder_rules:, chain_preferences:, not_before: nil, not_after: nil)
+    def initialize(acme:, common_name:, identifiers:, private_key:, challenge_responder_rules:, chain_preferences:, profile_rules: [], not_before: nil, not_after: nil)
       @acme = acme
       @common_name = common_name
       @identifiers = identifiers
       @private_key = private_key
       @challenge_responder_rules = challenge_responder_rules
       @chain_preferences = chain_preferences
+      @profile_rules = profile_rules
       @not_before = not_before
       @not_after = not_after
+
+      @order_url = nil # https://github.com/unixcharles/acme-client/pull/263
     end
 
-    attr_reader :acme, :common_name, :identifiers, :private_key, :challenge_responder_rules, :chain_preferences, :not_before, :not_after
+    attr_reader :acme, :common_name, :identifiers, :private_key, :challenge_responder_rules, :chain_preferences, :profile_rules, :not_before, :not_after
 
     def perform!
       puts "=> Ordering a certificate for the following identifiers:"
@@ -35,9 +38,15 @@ module Acmesmith
         puts " * SAN: #{san}"
       end
 
+      resolved_profile = profile
+      if resolved_profile
+        puts
+        puts " * Profile: #{resolved_profile}"
+      end
+
       puts
       puts "=> Placing an order"
-      @order = acme.new_order(identifiers: identifiers, not_before: not_before, not_after: not_after)
+      @order = acme.new_order(identifiers: identifiers, not_before: not_before, not_after: not_after, profile: resolved_profile)
       puts " * URL: #{order.url}"
 
       ensure_authorization()
@@ -72,12 +81,16 @@ module Acmesmith
       puts
 
       print " * Requesting..."
+      @order_url = order.url if defined?(Acme::Client::Error::OrderNotReloadable)
       order.finalize(csr: csr)
       puts" [ ok ]"
     end
 
     def wait_order_for_complete
+      # Workaround for https://github.com/unixcharles/acme-client/pull/263
+
       while %w(ready processing).include?(order.status)
+        order.instance_variable_set(:@url, @order_url) if @order_url
         order.reload()
         puts " * Waiting for complete: status=#{order.status}"
         sleep 2
@@ -104,6 +117,10 @@ module Acmesmith
       identifiers[1..-1]
     end
 
+    def profile
+      profile_rules.find { |rule| rule.filter.match?(common_name) }&.name
+    end
+
     # @return [Acme::Client::CertificateRequest]
     def csr
       @csr ||= Acme::Client::CertificateRequest.new(subject: { common_name: common_name }, names: sans, private_key: private_key)

data/lib/acmesmith/subject_name_filter.rb

@@ -0,0 +1,17 @@
+require 'acmesmith/domain_name_filter'
+
+module Acmesmith
+  class SubjectNameFilter
+    def initialize(subject_name_exact: nil, subject_name_suffix: nil, subject_name_regexp: nil)
+      @domain_name_filter = DomainNameFilter.new(
+        exact: subject_name_exact,
+        suffix: subject_name_suffix,
+        regexp: subject_name_regexp,
+      )
+    end
+
+    def match?(domain)
+      @domain_name_filter.match?(domain)
+    end
+  end
+end

data/lib/acmesmith/version.rb

@@ -1,3 +1,3 @@
 module Acmesmith
-  VERSION = "2.8.0"
+  VERSION = "2.9.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: acmesmith
 version: !ruby/object:Gem::Version
-  version: 2.8.0
+  version: 2.9.0
 platform: ruby
 authors:
 - Sorah Fukumori
@@ -183,6 +183,7 @@ files:
 - lib/acmesmith/storages/base.rb
 - lib/acmesmith/storages/filesystem.rb
 - lib/acmesmith/storages/s3.rb
+- lib/acmesmith/subject_name_filter.rb
 - lib/acmesmith/utils/finder.rb
 - lib/acmesmith/version.rb
 homepage: https://github.com/sorah/acmesmith
@@ -206,7 +207,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.3
 specification_version: 4
 summary: ACME client (Let's encrypt client) to manage certificate in multi server
   environment with cloud services (e.g. AWS)