Implement the "dns-account-01" Challenge in Pebble #425
Comments
I found that it's nontrivial for pebble to do this: because the accountURL needed to calculate this depends on the domain the ACME server uses, which pebble doesn't configure and doesn't know; it just listens on everything:
In addition to the ongoing work from @orangepizza, I have prepared two changes to support Pebble integration tests using
In conjunction with my proposed change to #430 (see #430 (comment)), the preceding changes to

Example run:

```sh
REQUESTS_CA_BUNDLE=pebble/test/certs/pebble.minica.pem \
python3 -c 'import pebble.test.chisel2; pebble.test.chisel2.auth_and_issue(["foo.com"],"dns-account-01")'
```

```text
…
DEBUG:urllib3.connectionpool:https://localhost:14000 "POST /authZ/AFDXL5tMBBi6GTDqetoTuPArYOTXi7_GGL0CQWCh6Qs HTTP/1.1" 200 440
DEBUG:acme.client:Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
Content-Type: application/json; charset=utf-8
Link: <https://localhost:14000/dir>;rel="index"
Replay-Nonce: BAMHTKcD2aNAyopsB-9zZg
Date: Tue, 06 Feb 2024 00:29:17 GMT
Content-Length: 440
{
  "status": "valid",
  "identifier": {
    "type": "dns",
    "value": "foo.com"
  },
  "challenges": [
    {
      "type": "dns-account-01",
      "url": "https://localhost:14000/chalZ/lV0CIU0zxaGkt5Ib7og8d1vkQo1A2EHzMREKbgdsZOI",
      "token": "01Wsj3RQfOinMJ7-lbKRBeElrLBI8OaUv99Jioem0_w",
      "status": "valid",
      "validated": "2024-02-06T00:29:14Z"
    }
  ],
  "expires": "2024-02-06T01:29:17Z"
}
… …
pebble-challtestsrv - 2024/02/05 19:29:14 Added DNS-01 TXT challenge for Host "_f75qxvkvtswybx6u._acme-challenge.foo.com." - Value "jjxuv--W5N1o1TujkI12Db6jakJfAXLFfDEpjsEYVGA"
pebble-challtestsrv - 2024/02/05 19:29:18 Removed DNS-01 TXT challenge for Host "_f75qxvkvtswybx6u._acme-challenge.foo.com."
```
I thought that suggestion was shot down by an LE employee: https://github.com/aarongable
Added a comment at aaomidi/draft-ietf-acme-scoped-dns-challenges#13 (comment)
The After that is approved and merged the
Hi all, we're getting close to publishing a new draft. Here is a preview: https://aaomidi.github.io/draft-ietf-acme-scoped-dns-challenges/

Sorry for adding a ton of changes here, but ultimately we felt like we need to incorporate the teachings in https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/

I believe certbot/certbot#9887 might need to be updated to follow up with this new draft as well.
Because subdomain auth is not yet implemented in Boulder (per letsencrypt/boulder#7050), this implementation would be:
for SCOPE in
NOT SCOPE in
I have a fork of https://github.com/eggsampler/acme with https://github.com/sheurich/eggsampler-acme/tree/add-dns-account-01 The validation label computation is:

```go
// Needs crypto/sha256, encoding/base32 and strings; acct and auth are the
// eggsampler/acme Account and Authorization values.
acctHash := sha256.Sum256([]byte(acct.URL))
// Lower-cased base32 of the first 10 hash bytes: 80 bits, so exactly 16 characters and no padding.
acctLabel := strings.ToLower(base32.StdEncoding.EncodeToString(acctHash[0:10]))
scope := "host"
if auth.Wildcard {
	scope = "wildcard"
}
host := "_" + acctLabel + "._acme-" + scope + "-challenge." + auth.Identifier.Value + "."
```
…es (#435)

This change implements the `dns-account-01` ACME challenge as specified in [draft-ietf-acme-scoped-dns-challenges](https://datatracker.ietf.org/doc/draft-ietf-acme-scoped-dns-challenges/). The relevant [validation label computation](https://github.com/aaomidi/draft-ietf-acme-scoped-dns-challenges/blob/0058e0800056698fb37f3b2cb31a727c826675fb/draft-ietf-acme-scoped-dns-challenges.mkd#dns-account-01-challenge) is:

```plain
"_" || base32(SHA-256(<ACCOUNT_RESOURCE_URL>)[0:10]) || "._acme-" || <SCOPE> || "-challenge"
```

where SCOPE is one of { `host`, `wildcard` }. A SCOPE of { `domain` } is unimplemented.

This implementation is interoperable with the https://github.com/eggsampler/acme changes in eggsampler/acme#21 and passes the `TestWildcardDNSAccount` test.

Solves #425.
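The label computation from the fork snippet and the formula quoted in the merge message above, carried through as a stand-alone Go program on the validating (CA) side. This is an added example, not Pebble's, eggsampler/acme's or the draft's code: the function names (`AccountLabel`, `RecordName`, `RecordValue`, `Validate`), the in-memory `zone` map standing in for DNS, and the account URL and key authorization in `main` are all constructed here. It assumes the TXT record value is the same digest dns-01 uses (RFC 8555 §8.4, base64url of SHA-256 over the key authorization), and, like the merged change, leaves the `domain` scope out. Beyond the page, it also shows the property the account label buys a validator: a record published for one account, or for the host scope, does not satisfy a check for another account or for the wildcard scope.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"encoding/base64"
	"fmt"
	"strings"
)

// Scope is the second label of the dns-account-01 record name.
// The draft also defines "domain"; it is not implemented here, matching the merged change.
type Scope string

const (
	ScopeHost     Scope = "host"
	ScopeWildcard Scope = "wildcard"
)

// AccountLabel returns lower-cased base32 of the first 10 bytes of SHA-256(accountURL).
// 10 bytes are 80 bits, so the label is exactly 16 base32 characters with no padding.
func AccountLabel(accountURL string) string {
	sum := sha256.Sum256([]byte(accountURL))
	return strings.ToLower(base32.StdEncoding.EncodeToString(sum[:10]))
}

// RecordName builds the fully qualified name (trailing dot) at which the TXT record must live:
// "_" || label || "._acme-" || scope || "-challenge." || identifier || "."
func RecordName(accountURL, identifier string, wildcard bool) string {
	scope := ScopeHost
	if wildcard {
		scope = ScopeWildcard
	}
	return fmt.Sprintf("_%s._acme-%s-challenge.%s.", AccountLabel(accountURL), scope, identifier)
}

// RecordValue is the dns-01 digest reused by dns-account-01 (assumption stated in the lead-in):
// unpadded base64url(SHA-256(keyAuthorization)).
func RecordValue(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// TXTLookup abstracts the DNS query so the check runs offline against constructed records.
type TXTLookup func(name string) []string

// Validate mirrors the CA-side check: derive the expected name and value for this account,
// identifier and scope, then require that value among the TXT records at that exact name.
func Validate(lookup TXTLookup, accountURL, identifier string, wildcard bool, keyAuthorization string) error {
	name := RecordName(accountURL, identifier, wildcard)
	want := RecordValue(keyAuthorization)
	for _, got := range lookup(name) {
		if got == want {
			return nil
		}
	}
	return fmt.Errorf("no TXT record at %s carrying the expected value", name)
}

func main() {
	// Constructed sample values; not taken from any real ACME server or account.
	const acct = "https://localhost:14000/my-account/1"
	const otherAcct = "https://localhost:14000/my-account/2"
	const keyAuth = "token.thumbprint"

	// A constructed zone holding exactly one record: the host-scope record for acct.
	zone := map[string][]string{
		RecordName(acct, "foo.com", false): {RecordValue(keyAuth)},
	}
	lookup := func(name string) []string { return zone[name] }

	fmt.Println("record name:", RecordName(acct, "foo.com", false))
	fmt.Println("host scope, same account:    ", Validate(lookup, acct, "foo.com", false, keyAuth))
	// The wildcard scope lives at a different name, so the host record alone is not enough.
	fmt.Println("wildcard scope, same account:", Validate(lookup, acct, "foo.com", true, keyAuth))
	// Another account hashes to another label, so it cannot ride on this record either.
	fmt.Println("host scope, other account:   ", Validate(lookup, otherAcct, "foo.com", false, keyAuth))
}
```

The first `Validate` call returns `nil`; the other two return errors naming the record that was looked up, which is also the name a challenge-test server such as pebble-challtestsrv would have to publish for that account and scope.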
Solved by #435
Objective
Implement the "dns-account-01" challenge in Pebble, setting the groundwork for subsequent Boulder alignment (referencing boulder#7240).
Rationale
Establishing this feature in Pebble first is crucial for a consistent and forward-compatible testing framework.