Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wildcard and ACME v2 support? #19

Open
jamshid opened this issue Jul 30, 2018 · 6 comments
Open

Wildcard and ACME v2 support? #19

jamshid opened this issue Jul 30, 2018 · 6 comments

Comments

@jamshid
Copy link

jamshid commented Jul 30, 2018

Thanks for this it's been working great for past couple of years but I'm wanting to get a wildcard certificate and letsencrypt FAQ says that requires ACME v2 api. This tool uses v1 api.

Are there plans to upgrade this tool to v2 or should I switch to https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/ ?
@rmbolger
Copy link

rmbolger commented Jul 30, 2018
edited
Loading

Unfortunately, an ACME v2 version of the plugin won't actually enable you to get a wildcard certificate because wildcard certs require using the DNS challenge rather than the HTTP challenge. From the community forums:

Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

So the only thing migrating this ACME validation plugin to v2 does is ensure it continues to work if/when Let's Encrypt turns off v1 support. As far as I know, there's no established timeline for that yet particularly considering the v2 spec is still in draft status.

@mdeneen
Copy link

mdeneen commented Jan 17, 2020

There is a timeline now. :-)

https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

@zenny
Copy link

zenny commented Aug 20, 2020
edited
Loading

Unfortunately, an ACME v2 version of the plugin won't actually enable you to get a wildcard certificate because wildcard certs require using the DNS challenge rather than the HTTP challenge. From the community forums:

Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

So the only thing migrating this ACME validation plugin to v2 does is ensure it continues to work if/when Let's Encrypt turns off v1 support. As far as I know, there's no established timeline for that yet particularly considering the v2 spec is still in draft status.

@janeczku With LE policy not to let ACME-v01 for the new authorizations, it would be nice if this plugin gets updated to accommodate ACME-v02 as ACME-01 gets deprecated in November 2020.

Cheers, and stay safe,

@mdeneen
Copy link

mdeneen commented Aug 22, 2020

Zenny,

It looks like HAProxy has integrated their own ACME v2 support: https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/

-M

@jamshid
Copy link
Author

jamshid commented May 25, 2021

Hmm that blog article was deleted, here is a snapshot:
https://web.archive.org/web/20180623203616/https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/
It seems to reference this github project but that plugin might not be working with latest letsencrypt (haproxytech/haproxy-lua-acme#5) ? I guess ACME v2 really was a draft and it went through late changes.
https://github.com/haproxytech/haproxy-lua-acme

@ryansch
Copy link

ryansch commented May 26, 2021

I'm using acme-http01-webroot.lua with certbot. The http-01 challenge is still supported in ACME v2 so I would assume this project would continue working.

Did I miss something?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jamshid @ryansch @mdeneen @zenny @rmbolger