letsencrypt-rails-heroku 1.2.0 → 2.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: c3f97585c884a70e519fdc84a79276ab7abb845e
-  data.tar.gz: 04ecb09cedcc720fbfb2eb87175f68165eab842f
+SHA256:
+  metadata.gz: 5f589e4dde9bc04d66b094ae2d1fd43a34b87c3224c616e98bd3a7c08facfbca
+  data.tar.gz: 0b28b8ce30bee194a6df29900c84c086338fd70eb40fa8e2680f6ebbe1f63616
 SHA512:
-  metadata.gz: 9b52c79ddaf3970f102d6c24b4baa210fb78ec162a83e44ee1cf858dbdfd5acef0498d5a0e2f8050d83442b6abecc1d34f39753bd8ef8643083138ecd4729208
-  data.tar.gz: c9d16e37682bfd2649b9e5a42aa587e574e31fc9aff5f6e4454bcf41092931998ebe3bd2362c7f6c37ffc2b7690483035a2b12fba462a641e04f549b6a6edade
+  metadata.gz: af35ed069d85e13ffebc88a94fa341056658050bf542812492735b48b49654d0f21c0d28820c3875f2af658d68db2e0495a8ef8b93579d1be75aa503ba6e72df
+  data.tar.gz: 1fd670635000f7dd4585a2b87155cd7799169f4a72aa6dc3b4ac20c9ed266ea43d25750283f49a43d6d1eaec32dccd100b42ab461bb2130751bffdd3bbf15b85

data/CHANGELOG.md

@@ -1,3 +1,54 @@
+# 2.0.3
+
+ - Raise an error when the HTTP challenge is nil (#71). Thanks
+   [@mashedkeyboard](https://github.com/mashedkeyboard)!
+ - Return the response body on a 403 Forbidden from Heroku, not that it's
+   that useful.
+ - Relax `platform-api` version requirements, as it works OK with v3 too.
+
+# 2.0.2
+
+ - Include OpenSSL::SSL::SSLError as a valid error we retry for when waiting
+   for the app to come back up.
+
+# 2.0.1
+
+ - Fixed a typo that broke renewals with existing certificates.
+
+# 2.0.0 
+
+Thanks to [@mashedkeyboard](https://github.com/mashedkeyboard) for their
+work on ACME v2, saving registration, and DNS-based validation.
+
+ - *BREAKING* You must indicate your acceptance of Let's Encrypt's terms
+   and conditions by setting the `ACME_TERMS_AGREED` configuration variable.
+ - *BREAKING* Removed `ACME_ENDPOINT` environment variable reference. We never
+   documented that we support alternative endpoints, and we never tested it,
+   and the gem is called *letsencrypt*-rails-heroku, so let's not pretend.
+   Please get in touch if you were using this configuration variable, we'd
+   like to hear from you! Psst; you can still set `acme_directory` when
+   configuring the gem in an initializer.
+ - Use version 2 of the ACME API, paving the way for DNS validation.
+ - Save private key & key ID variables after registering with Let's Encrypt.
+   This will create two new permanent environment variables, `ACME_PRIVATE_KEY`
+   and `ACME_KEY_ID`.
+
+# 1.2.1
+
+ - Update `rack` and `nokogiri` dependencies due to reported vulnerabilities
+   in those libraries. Note that these don't affect letsencrypt-rails-heroku
+   directly.
+   [CVE-2018-16471](https://nvd.nist.gov/vuln/detail/CVE-2018-16471),
+   [CVE-2016-4658](https://nvd.nist.gov/vuln/detail/CVE-2016-4658),
+   [CVE-2017-5029](https://nvd.nist.gov/vuln/detail/CVE-2017-5029),
+   [CVE-2018-14404](https://nvd.nist.gov/vuln/detail/CVE-2018-14404),
+   [CVE-2017-18258](https://nvd.nist.gov/vuln/detail/CVE-2017-18258),
+   [CVE-2017-9050](https://nvd.nist.gov/vuln/detail/CVE-2017-9050).
+
+ - Stop using [jalada/platform-api](https://github.com/jalada/platform-api) 
+   because the newer version of the official version supports the API endpoints
+   we need now.
+
 # 1.2.0
 
  - Support SSL Endpoint configuration, as well as the default SNI.

data/Gemfile

@@ -1,9 +1,7 @@
 source "https://rubygems.org"
 
-gem 'acme-client', '~> 0.4.0'
-# SNI endpoints not supported yet:
-# <https://github.com/heroku/platform-api/issues/49>
-gem 'platform-api', github: 'jalada/platform-api', branch: 'master'
+gem 'acme-client', '~> 2.0'
+gem 'platform-api', '>= 2.2', '< 4'
 
 group :development do
   gem "shoulda", ">= 0"

data/Gemfile.lock

@@ -1,48 +1,43 @@
-GIT
-  remote: git://github.com/jalada/platform-api.git
-  revision: 45ddb3c1a7e2c7f85d979c0791db18e99affb237
-  branch: master
-  specs:
-    platform-api (0.8.0)
-      heroics (~> 0.0.17)
-
 GEM
   remote: https://rubygems.org/
   specs:
-    acme-client (0.4.1)
-      faraday (~> 0.9, >= 0.9.1)
-    activesupport (5.0.0)
+    acme-client (2.0.7)
+      faraday (>= 0.17, < 2.0.0)
+    activesupport (6.0.3.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    addressable (2.4.0)
-    builder (3.2.2)
-    concurrent-ruby (1.0.2)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    builder (3.2.4)
+    concurrent-ruby (1.1.7)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
-    docile (1.1.5)
+    docile (1.3.2)
     erubis (2.7.0)
-    excon (0.51.0)
-    faraday (0.9.2)
+    excon (0.76.0)
+    faraday (1.0.1)
       multipart-post (>= 1.2, < 3)
-    git (1.3.0)
-    github_api (0.14.5)
-      addressable (~> 2.4.0)
+    git (1.7.0)
+      rchardet (~> 1.8)
+    github_api (0.19.0)
+      addressable (~> 2.4)
       descendants_tracker (~> 0.0.4)
-      faraday (~> 0.8, < 0.10)
-      hashie (>= 3.4)
+      faraday (>= 0.8, < 2)
+      hashie (~> 3.5, >= 3.5.2)
       oauth2 (~> 1.0)
-    hashie (3.4.6)
-    heroics (0.0.17)
+    hashie (3.6.0)
+    heroics (0.1.1)
       erubis (~> 2.0)
       excon
       moneta
       multi_json (>= 1.9.2)
-      netrc
-    highline (1.7.8)
-    i18n (0.7.0)
-    json (1.8.3)
+    highline (2.0.3)
+    i18n (1.8.5)
+      concurrent-ruby (~> 1.0)
+    json (1.8.6)
     juwelier (2.1.3)
       builder
       bundler (>= 1.13)
@@ -53,53 +48,59 @@ GEM
       rake
       rdoc
       semver
-    jwt (1.5.6)
-    mini_portile2 (2.1.0)
-    minitest (5.9.0)
-    moneta (0.8.0)
-    multi_json (1.12.1)
+    jwt (2.2.2)
+    mini_portile2 (2.4.0)
+    minitest (5.14.2)
+    moneta (1.0.0)
+    multi_json (1.15.0)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    netrc (0.11.0)
-    nokogiri (1.6.8.1)
-      mini_portile2 (~> 2.1.0)
-    oauth2 (1.2.0)
-      faraday (>= 0.8, < 0.10)
-      jwt (~> 1.0)
+    multipart-post (2.1.1)
+    nokogiri (1.10.10)
+      mini_portile2 (~> 2.4.0)
+    oauth2 (1.4.4)
+      faraday (>= 0.8, < 2.0)
+      jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    rack (2.0.1)
-    rake (12.0.0)
+    platform-api (3.0.0)
+      heroics (~> 0.1.1)
+      moneta (~> 1.0.0)
+      rate_throttle_client (~> 0.1.0)
+    public_suffix (4.0.6)
+    rack (2.2.3)
+    rake (13.0.1)
+    rate_throttle_client (0.1.2)
+    rchardet (1.8.0)
     rdoc (3.12.2)
       json (~> 1.4)
     semver (1.0.1)
-    shoulda (3.5.0)
-      shoulda-context (~> 1.0, >= 1.0.1)
-      shoulda-matchers (>= 1.4.1, < 3.0)
-    shoulda-context (1.2.1)
-    shoulda-matchers (2.8.0)
-      activesupport (>= 3.0.0)
-    simplecov (0.12.0)
-      docile (~> 1.1.0)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.0)
-    thread_safe (0.3.5)
-    tzinfo (1.2.2)
+    shoulda (4.0.0)
+      shoulda-context (~> 2.0)
+      shoulda-matchers (~> 4.0)
+    shoulda-context (2.0.0)
+    shoulda-matchers (4.4.1)
+      activesupport (>= 4.2.0)
+    simplecov (0.19.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.3)
+    thread_safe (0.3.6)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
+    zeitwerk (2.4.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  acme-client (~> 0.4.0)
+  acme-client (~> 2.0)
   bundler (~> 1.0)
   juwelier (~> 2.1.0)
-  platform-api!
+  platform-api (>= 2.2, < 4)
   rdoc (~> 3.12)
   shoulda
   simplecov
 
 BUNDLED WITH
-   1.13.6
+   1.17.3

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2016 Pixie Labs
+Copyright (c) 2020 Pixie Labs
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,5 +1,8 @@
 # LetsEncrypt & Rails & Heroku
 
+### Deprecated: Heroku now support [free automated SSL certificates for paid dynos](https://devcenter.heroku.com/articles/automated-certificate-management), you should use that instead of this gem unless your situation is covered by the [known limitations](https://devcenter.heroku.com/articles/automated-certificate-management#known-limitations) of ACM, e.g. your app runs in Heroku Private Spaces.
+
+
 [![Gem Version](https://badge.fury.io/rb/letsencrypt-rails-heroku.svg)](https://badge.fury.io/rb/letsencrypt-rails-heroku)
 
 This gem is a complete solution for securing your Ruby on Rails application
@@ -14,7 +17,9 @@ repository.
 
 ## Requirements
 
- - You must be using hobby or professional dynos to use free SNI-based SSL. Find out more on [Heroku's documentation page about SSL](https://devcenter.heroku.com/articles/ssl).
+ - You must be using hobby or professional dynos to use free SNI-based SSL.
+   Find out more on [Heroku's documentation page about
+   SSL](https://devcenter.heroku.com/articles/ssl).
 
  - You should have already configured your app DNS as per [Heroku's
    documentation](https://devcenter.heroku.com/articles/custom-domains).
@@ -24,10 +29,6 @@ repository.
 Add the gem to your Gemfile:
 
 ```
-# Until the new API calls are generally available, you must manually specify my fork
-# of the Heroku API gem:
-gem 'platform-api', git: 'https://github.com/jalada/platform-api', branch: 'master'
-
 gem 'letsencrypt-rails-heroku', group: 'production'
 ```
 
@@ -60,19 +61,24 @@ end
 
 ## Configuring
 
-By default the gem will try to use the following set of configuration variables,
-which you should set.
+By default the gem will try to use the following set of configuration
+variables. You must set:
+
+ * `ACME_EMAIL`: Your email address, should be valid.
+ * `ACME_TERMS_AGREED`: Existence of this environment variable represents your
+   agreement to [Let's Encrypt's terms of service](https://letsencrypt.org/repository/).
+ * `HEROKU_TOKEN`: An API token for this app. See below
+ * `HEROKU_APP`: Name of Heroku app e.g. bottomless-cavern-7173
+
+You can also set:
 
  * `ACME_DOMAIN`: Comma separated list of domains for which you want
    certificates, e.g. `example.com,www.example.com`. Your Heroku app should be
-   configured to answer to all these domains, because LetsEncrypt will make a
+   configured to answer to all these domains, because Let's Encrypt will make a
    request to verify ownership.
 
    If you leave this blank, the gem will try and use the Heroku API to get a 
    list of configured domains for your app, and verify all of them.
- * `ACME_EMAIL`: Your email address, should be valid.
- * `HEROKU_TOKEN`: An API token for this app. See below
- * `HEROKU_APP`: Name of Heroku app e.g. bottomless-cavern-7173
  * `SSL_TYPE`: Optional: One of `sni` or `endpoint`, defaults to `sni`.
    `endpoint` requires your app to have an
    [SSL endpoint addon](https://elements.heroku.com/addons/ssl) configured.
@@ -83,6 +89,14 @@ the challenge / validation process:
  * `ACME_CHALLENGE_FILENAME`: The path of the file LetsEncrypt will request.
  * `ACME_CHALLENGE_FILE_CONTENT`: The content of that challenge file.
 
+It will also create two permanent environment variables after the first run:
+
+ * `ACME_PRIVATE_KEY`: Private key used to create requests for certificates.
+ * `ACME_KEY_ID`: Key ID assigned to your private key by Let's Encrypt.
+
+If you remove these, a new account will be created and new environment
+variables will be set.
+
 ## Creating a Heroku token
 
 Use the `heroku-oauth` toolbelt plugin to generate an access token suitable
@@ -126,10 +140,13 @@ You can see these details by typing `heroku domains`.
 
 ## Adding a scheduled task
 
-You should add a scheduled task on Heroku to renew the certificate. The
-scheduled task should be configured to run `rake letsencrypt:renew` as often
-as you want to renew your certificate. Letsencrypt certificates are valid for
-90 days, but there's no harm renewing them more frequently than that.
+You should add a scheduled task on Heroku to renew the certificate. If you 
+are unfamiliar with how to do this, take a look at [Heroku's documentation
+on their scheduler addon](https://devcenter.heroku.com/articles/scheduler).
+
+The scheduled task should be configured to run `rake letsencrypt:renew` as
+often as you want to renew your certificate. Letsencrypt certificates are valid
+for 90 days, but there's no harm renewing them more frequently than that.
 
 Heroku Scheduler only lets you run a task as infrequently as once a day, but
 you don't want to renew your SSL certificate every day (you will hit
@@ -138,7 +155,7 @@ run less frequently using a shell control statement. For example to renew your
 certificate on the 1st day of every month:
 
 ```
-if [ "$(date +%d)" = 01 ]; then rake letsencrypt:renew; fi
+if [ "$(date +%d)" = 01 ]; then bundle exec rake letsencrypt:renew; fi
 ```
 
 Source: [blog.dbrgn.ch](https://blog.dbrgn.ch/2013/10/4/heroku-schedule-weekly-monthly-tasks/)
@@ -148,12 +165,13 @@ Source: [blog.dbrgn.ch](https://blog.dbrgn.ch/2013/10/4/heroku-schedule-weekly-m
 Suggestions and pull requests are welcome in improving the situation with the
 following security considerations:
 
- - When configuring this gem you must add a non-expiring Heroku API token
-   into your application environment. Your collaborators could use this
-   token to impersonate the account it was created with when accessing
-   the Heroku API. This is important if your account has access to other apps
-   that your collaborators don’t. Additionally, if your application environment was
-   leaked this would give the attacker access to the Heroku API as your user account. 
+ - When configuring this gem you must add a non-expiring Heroku API token into
+   your application environment. Your collaborators could use this token to
+   impersonate the account it was created with when accessing the Heroku API.
+   This is important if your account has access to other apps that your
+   collaborators don’t. Additionally, if your application environment was
+   leaked this would give the attacker access to the Heroku API as your user
+   account. 
    [More information about Heroku’s API and oAuth](https://devcenter.heroku.com/articles/oauth#direct-authorization).
 
    You should create the API token from a suitably locked-down account.
@@ -170,17 +188,17 @@ following security considerations:
 
 ### Common name invalid errors (security certificate is from *.herokuapp.com)
 
-Your domain is still configured as a CNAME or ALIAS to `your-app.herokuapp.com`. Check the output of `heroku domains` matches your DNS configuration. When you add an SNI cert to an app for the first time [the DNS target changes](https://devcenter.heroku.com/articles/custom-domains#view-existing-domains).
+Your domain is still configured as a CNAME or ALIAS to
+`your-app.herokuapp.com`. Check the output of `heroku domains` matches your DNS
+configuration. When you add an SNI cert to an app for the first time
+[the DNS target changes](https://devcenter.heroku.com/articles/custom-domains#view-existing-domains).
 
 ## To-do list
 
 - Persist account key, or at least give the option of using an existing one, so
   we don’t register with LetsEncrypt over and over.
 
-- Stop using a fork of the `platform-api` gem once it supports the SNI endpoint
-  API calls. [See issue #49 of the platform-api gem](https://github.com/heroku/platform-api/issues/49).
-
-- Provide instructions for running the gem decoupled from the app it is 
+- Provide instructions for running the gem decoupled from the app it is
   securing, for the paranoid.
 
 ## Contributing
@@ -202,4 +220,5 @@ Your domain is still configured as a CNAME or ALIAS to `your-app.herokuapp.com`.
 
 1. Bump the version: `rake version:bump:{major,minor,patch}`.
 2. Update `CHANGELOG.md` & commit.
-3. Use `rake release` to regenerate gemspec, push a tag to git, and push a new `.gem` to rubygems.org
+3. Use `rake release` to regenerate gemspec, push a tag to git, and push a new
+   `.gem` to rubygems.org.

data/VERSION

@@ -1 +1 @@
-1.2.0
+2.0.3

data/letsencrypt-rails-heroku.gemspec

@@ -2,19 +2,20 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Juwelier::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: letsencrypt-rails-heroku 1.2.0 ruby lib
+# stub: letsencrypt-rails-heroku 2.0.3 ruby lib
 
 Gem::Specification.new do |s|
-  s.name = "letsencrypt-rails-heroku"
-  s.version = "1.2.0"
+  s.name = "letsencrypt-rails-heroku".freeze
+  s.version = "2.0.3"
 
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.require_paths = ["lib"]
-  s.authors = ["Pixie Labs", "David Somers", "Abigail McPhillips"]
-  s.date = "2017-03-03"
-  s.description = "This gem automatically handles creation, renewal, and applying SSL certificates from LetsEncrypt to your Heroku account."
-  s.email = "team@pixielabs.io"
+  s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib".freeze]
+  s.authors = ["Pixie Labs".freeze, "David Somers".freeze, "Abigail McPhillips".freeze]
+  s.date = "2020-10-07"
+  s.description = "This gem automatically handles creation, renewal, and applying SSL certificates from LetsEncrypt to your Heroku account.".freeze
+  s.email = "team@pixielabs.io".freeze
   s.extra_rdoc_files = [
+    "CHANGELOG.md",
     "LICENSE.txt",
     "README.md"
   ]
@@ -35,39 +36,39 @@ Gem::Specification.new do |s|
     "lib/letsencrypt-rails-heroku/railtie.rb",
     "lib/tasks/letsencrypt.rake"
   ]
-  s.homepage = "https://github.com/pixielabs/letsencrypt-rails-heroku"
-  s.licenses = ["MIT"]
-  s.rubygems_version = "2.5.1"
-  s.summary = "Automatic LetsEncrypt certificates in your Rails app on Heroku"
+  s.homepage = "https://github.com/pixielabs/letsencrypt-rails-heroku".freeze
+  s.licenses = ["MIT".freeze]
+  s.rubygems_version = "3.0.6".freeze
+  s.summary = "Automatic LetsEncrypt certificates in your Rails app on Heroku".freeze
 
   if s.respond_to? :specification_version then
     s.specification_version = 4
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<acme-client>, ["~> 0.4.0"])
-      s.add_runtime_dependency(%q<platform-api>, [">= 0"])
-      s.add_development_dependency(%q<shoulda>, [">= 0"])
-      s.add_development_dependency(%q<rdoc>, ["~> 3.12"])
-      s.add_development_dependency(%q<bundler>, ["~> 1.0"])
-      s.add_development_dependency(%q<juwelier>, ["~> 2.1.0"])
-      s.add_development_dependency(%q<simplecov>, [">= 0"])
+      s.add_runtime_dependency(%q<acme-client>.freeze, ["~> 2.0"])
+      s.add_runtime_dependency(%q<platform-api>.freeze, [">= 2.2", "< 4"])
+      s.add_development_dependency(%q<shoulda>.freeze, [">= 0"])
+      s.add_development_dependency(%q<rdoc>.freeze, ["~> 3.12"])
+      s.add_development_dependency(%q<bundler>.freeze, ["~> 1.0"])
+      s.add_development_dependency(%q<juwelier>.freeze, ["~> 2.1.0"])
+      s.add_development_dependency(%q<simplecov>.freeze, [">= 0"])
     else
-      s.add_dependency(%q<acme-client>, ["~> 0.4.0"])
-      s.add_dependency(%q<platform-api>, [">= 0"])
-      s.add_dependency(%q<shoulda>, [">= 0"])
-      s.add_dependency(%q<rdoc>, ["~> 3.12"])
-      s.add_dependency(%q<bundler>, ["~> 1.0"])
-      s.add_dependency(%q<juwelier>, ["~> 2.1.0"])
-      s.add_dependency(%q<simplecov>, [">= 0"])
+      s.add_dependency(%q<acme-client>.freeze, ["~> 2.0"])
+      s.add_dependency(%q<platform-api>.freeze, [">= 2.2", "< 4"])
+      s.add_dependency(%q<shoulda>.freeze, [">= 0"])
+      s.add_dependency(%q<rdoc>.freeze, ["~> 3.12"])
+      s.add_dependency(%q<bundler>.freeze, ["~> 1.0"])
+      s.add_dependency(%q<juwelier>.freeze, ["~> 2.1.0"])
+      s.add_dependency(%q<simplecov>.freeze, [">= 0"])
     end
   else
-    s.add_dependency(%q<acme-client>, ["~> 0.4.0"])
-    s.add_dependency(%q<platform-api>, [">= 0"])
-    s.add_dependency(%q<shoulda>, [">= 0"])
-    s.add_dependency(%q<rdoc>, ["~> 3.12"])
-    s.add_dependency(%q<bundler>, ["~> 1.0"])
-    s.add_dependency(%q<juwelier>, ["~> 2.1.0"])
-    s.add_dependency(%q<simplecov>, [">= 0"])
+    s.add_dependency(%q<acme-client>.freeze, ["~> 2.0"])
+    s.add_dependency(%q<platform-api>.freeze, [">= 2.2", "< 4"])
+    s.add_dependency(%q<shoulda>.freeze, [">= 0"])
+    s.add_dependency(%q<rdoc>.freeze, ["~> 3.12"])
+    s.add_dependency(%q<bundler>.freeze, ["~> 1.0"])
+    s.add_dependency(%q<juwelier>.freeze, ["~> 2.1.0"])
+    s.add_dependency(%q<simplecov>.freeze, [">= 0"])
   end
 end
 

data/lib/letsencrypt-rails-heroku/exceptions.rb

@@ -1,12 +1,18 @@
 module Letsencrypt
   module Error
-    # Exception raised when LetsEncrypt encounters an issue verifying the challenge.
+    # LetsEncrypt encountered an issue verifying the challenge.
     class VerificationError < StandardError; end
-    # Exception raised when challenge URL is not available.
+    # LetsEncrypt encountered an issue finalizing the order.
+    class FinalizationError < StandardError; end
+    # Challenge URL is not available.
     class ChallengeUrlError < StandardError; end
-    # Exception raised on timeout of challenge verification.
+    # Domain verification took longer than we'd like.
     class VerificationTimeoutError < StandardError; end
-    # Exception raised when an error occurs adding the certificate to Heroku.
+    # Order finalization took longer than we'd like.
+    class FinalizationTimeoutError < StandardError; end
+    # Error adding the certificate to Heroku.
     class HerokuCertificateError < StandardError; end
+    # No HTTP challenge available from certificate provider.
+    class NoHTTPChallengeError < StandardError; end
   end
 end

data/lib/letsencrypt-rails-heroku/letsencrypt.rb

@@ -14,26 +14,36 @@ module Letsencrypt
       configuration.acme_challenge_file_content
   end
 
+  def self.registered?
+    configuration.acme_private_key && configuration.acme_key_id
+  end
+
   class Configuration
     attr_accessor :heroku_token, :heroku_app, :acme_email, :acme_domain,
-      :acme_endpoint, :ssl_type
+      :acme_directory, :ssl_type, :acme_terms_agreed
     
     # Not settable by user; part of the gem's behaviour.
-    attr_reader :acme_challenge_filename, :acme_challenge_file_content
+    attr_reader :acme_challenge_filename, :acme_challenge_file_content,
+      :acme_private_key, :acme_key_id
 
     def initialize
       @heroku_token = ENV["HEROKU_TOKEN"]
       @heroku_app = ENV["HEROKU_APP"]
       @acme_email = ENV["ACME_EMAIL"]
       @acme_domain = ENV["ACME_DOMAIN"]
-      @acme_endpoint = ENV["ACME_ENDPOINT"] || 'https://acme-v01.api.letsencrypt.org/'
+      @acme_directory = 'https://acme-v02.api.letsencrypt.org/directory'
+      @acme_terms_agreed = ENV["ACME_TERMS_AGREED"]
       @ssl_type = ENV["SSL_TYPE"] || 'sni'
+
       @acme_challenge_filename = ENV["ACME_CHALLENGE_FILENAME"]
       @acme_challenge_file_content = ENV["ACME_CHALLENGE_FILE_CONTENT"]
+
+      @acme_private_key = ENV["ACME_PRIVATE_KEY"]
+      @acme_key_id = ENV["ACME_KEY_ID"]
     end
 
     def valid?
-      heroku_token && heroku_app && acme_email
+      heroku_token && heroku_app && acme_email && acme_terms_agreed
     end
   end
 end

data/lib/tasks/letsencrypt.rake

@@ -8,24 +8,48 @@ namespace :letsencrypt do
   desc 'Renew your LetsEncrypt certificate'
   task :renew do
     # Check configuration looks OK
-    abort "letsencrypt-rails-heroku is configured incorrectly. Are you missing an environment variable or other configuration? You should have a heroku_token, heroku_app and acme_email configured either via a `Letsencrypt.configure` block in an initializer or as environment variables." unless Letsencrypt.configuration.valid?
+    abort "letsencrypt-rails-heroku is configured incorrectly. Are you missing an environment variable or other configuration? You should have heroku_token, heroku_app, acme_email and acme_terms_agreed configured either via a `Letsencrypt.configure` block in an initializer or as environment variables." unless Letsencrypt.configuration.valid?
 
     # Set up Heroku client
     heroku = PlatformAPI.connect_oauth Letsencrypt.configuration.heroku_token
     heroku_app = Letsencrypt.configuration.heroku_app
 
-    # Create a private key
-    print "Creating account key..."
-    private_key = OpenSSL::PKey::RSA.new(4096)
-    puts "Done!"
+    if Letsencrypt.registered?
+      puts "Using existing registration details"
+      private_key = OpenSSL::PKey::RSA.new(Letsencrypt.configuration.acme_private_key)
+      key_id = Letsencrypt.configuration.acme_key_id
+    else
+      # Create a private key
+      print "Creating account key..."
+      private_key = OpenSSL::PKey::RSA.new(4096)
+      puts "Done!"
 
-    client = Acme::Client.new(private_key: private_key, endpoint: Letsencrypt.configuration.acme_endpoint, connection_options: { request: { open_timeout: 5, timeout: 5 } })
+      client = Acme::Client.new(private_key: private_key,
+                                directory: Letsencrypt.configuration.acme_directory,
+                                connection_options: { 
+                                  request: { 
+                                    open_timeout: 5,
+                                    timeout: 5
+                                  }
+                                })
 
-    print "Registering with LetsEncrypt..."
-    registration = client.register(contact: "mailto:#{Letsencrypt.configuration.acme_email}")
+      print "Registering with LetsEncrypt..."
+      account = client.new_account(contact: "mailto:#{Letsencrypt.configuration.acme_email}",
+                                   terms_of_service_agreed: true)
 
-    registration.agree_terms
-    puts "Done!"
+      key_id = account.kid
+      puts "Done!"
+      print "Saving account details as configuration variables..."
+      heroku.config_var.update(heroku_app,
+                               'ACME_PRIVATE_KEY' => private_key.to_pem,
+                               'ACME_KEY_ID' => account.kid)
+      puts "Done!"
+    end
+
+    # Make a new Acme::Client with whichever private_key & key_id we ended up with.
+    client = Acme::Client.new(private_key: private_key,
+                              directory: Letsencrypt.configuration.acme_directory,
+                              kid: key_id)
 
     domains = []
     if Letsencrypt.configuration.acme_domain
@@ -36,11 +60,14 @@ namespace :letsencrypt do
       puts "Using #{domains.length} configured Heroku domain(s) for this app..."
     end
 
-    domains.each do |domain|
-      puts "Performing verification for #{domain}:"
+    order = client.new_order(identifiers: domains)
 
-      authorization = client.authorize(domain: domain)
-      challenge = authorization.http01
+    order.authorizations.each do |authorization|
+      puts "Performing verification for #{authorization.domain}:"
+
+      challenge = authorization.http
+      
+      raise Letsencrypt::Error::NoHTTPChallengeError, "No HTTP challenge was given by Let's Encrypt for #{authorization.domain}, and letsencrypt-rails-heroku does not currently support other challenge types." unless challenge
 
       print "Setting config vars on Heroku..."
       heroku.config_var.update(heroku_app, {
@@ -62,7 +89,7 @@ namespace :letsencrypt do
 
       begin
         open("http://#{hostname}/#{challenge.filename}").read
-      rescue OpenURI::HTTPError, RuntimeError => e
+      rescue OpenSSL::SSL::SSLError, OpenURI::HTTPError, RuntimeError => e
         raise e if e.is_a?(RuntimeError) && !e.message.include?("redirection forbidden")
         if Time.now - start_time <= 60
           puts "Error fetching challenge, retrying... #{e.message}"
@@ -78,24 +105,23 @@ namespace :letsencrypt do
 
       print "Giving LetsEncrypt some time to verify..."
       # Once you are ready to serve the confirmation request you can proceed.
-      challenge.request_verification # => true
-      challenge.verify_status # => 'pending'
+      challenge.request_validation
 
       start_time = Time.now
-
-      while challenge.verify_status == 'pending'
+      while challenge.status == 'pending'
         if Time.now - start_time >= 30
           failure_message = "Failed - timed out waiting for challenge verification."
           raise Letsencrypt::Error::VerificationTimeoutError, failure_message
         end
-        sleep(3)
+        sleep(2)
+        challenge.reload
       end
 
       puts "Done!"
 
-      unless challenge.verify_status == 'valid'
+      unless challenge.status == 'valid'
         puts "Problem verifying challenge."
-        failure_message = "Status: #{challenge.verify_status}, Error: #{challenge.error}"
+        failure_message = "Status: #{challenge.status}, Error: #{challenge.error}"
         raise Letsencrypt::Error::VerificationError, failure_message
       end
 
@@ -110,10 +136,33 @@ namespace :letsencrypt do
     })
 
     # Create CSR
-    csr = Acme::Client::CertificateRequest.new(names: domains)
+    csr_private_key = OpenSSL::PKey::RSA.new 4096
+    csr = Acme::Client::CertificateRequest.new(names: domains,
+                                               private_key: csr_private_key)
 
+    print "Asking LetsEncrypt to finalize our certificate order..."
     # Get certificate
-    certificate = client.new_certificate(csr) # => #<Acme::Client::Certificate ....>
+    order.finalize(csr: csr)
+
+    # Wait for order to process
+    start_time = Time.now
+    while order.status == 'processing'
+      if Time.now - start_time >= 30
+        failure_message = "Failed - timed out waiting for order finalization"
+        raise Letsencrypt::Error::FinalizationTimeoutError, failure_message
+      end
+      sleep(2)
+      order.reload
+    end
+
+    puts "Done!"
+
+    unless order.status == 'valid'
+      failure_message = "Problem finalizing order - status: #{order.status}"
+      raise Letsencrypt::Error::FinalizationError, failure_message
+    end
+
+    certificate = order.certificate # => PEM-formatted certificate
 
     # Send certificates to Heroku via API
 
@@ -124,28 +173,34 @@ namespace :letsencrypt do
                  heroku.ssl_endpoint
                end
 
-    # First check for existing certificates:
-    certificates = endpoint.list(heroku_app)
+    certificate_info = {
+      certificate_chain: certificate,
+      private_key: csr_private_key.to_pem
+    }
+
+    # Fetch existing certificate from Heroku (if any). We just use the first
+    # one; if someone has more than one, they're probably not actually using
+    # this gem. Could also be an error?
+    existing_certificate = endpoint.list(heroku_app)[0]
 
     begin
-      if certificates.any?
-        print "Updating existing certificate #{certificates[0]['name']}..."
-        endpoint.update(heroku_app, certificates[0]['name'], {
-          certificate_chain: certificate.fullchain_to_pem,
-          private_key: certificate.request.private_key.to_pem
-        })
+      if existing_certificate
+        print "Updating existing certificate #{existing_certificate['name']}..."
+        endpoint.update(heroku_app, existing_certificate['name'], certificate_info)
         puts "Done!"
       else
         print "Adding new certificate..."
-        endpoint.create(heroku_app, {
-          certificate_chain: certificate.fullchain_to_pem,
-          private_key: certificate.request.private_key.to_pem
-        })
+        endpoint.create(heroku_app, certificate_info)
         puts "Done!"
       end
     rescue Excon::Error::UnprocessableEntity => e
       warn "Error adding certificate to Heroku. Response from Heroku’s API follows:"
       raise Letsencrypt::Error::HerokuCertificateError, e.response.body
+    rescue Excon::Error::Forbidden => e
+      warn "Error adding certificate to Heroku, expected an OK response status, got a '403 Forbidden'. Response follows:"
+      puts e.response.body
+      # Re-raise for now.
+      raise e
     end
 
   end

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: letsencrypt-rails-heroku
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 2.0.3
 platform: ruby
 authors:
 - Pixie Labs
 - David Somers
 - Abigail McPhillips
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-03-03 00:00:00.000000000 Z
+date: 2020-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -18,28 +18,34 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: platform-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: shoulda
   requirement: !ruby/object:Gem::Requirement
@@ -116,6 +122,7 @@ email: team@pixielabs.io
 executables: []
 extensions: []
 extra_rdoc_files:
+- CHANGELOG.md
 - LICENSE.txt
 - README.md
 files:
@@ -138,7 +145,7 @@ homepage: https://github.com/pixielabs/letsencrypt-rails-heroku
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -153,9 +160,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
-signing_key: 
+rubygems_version: 3.0.6
+signing_key:
 specification_version: 4
 summary: Automatic LetsEncrypt certificates in your Rails app on Heroku
 test_files: []