Commit graph

91 commits

Author SHA1 Message Date
Mariano Cano
c8d225a763 Use x509util from go.step.sm/crypto/x509util 2020-08-05 16:02:46 -07:00
Mariano Cano
f1773489fc Fix comment. 2020-07-31 10:45:59 -07:00
Mariano Cano
6c64fb3ed2 Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
0c8376a7f6 Fix existing unit tests. 2020-07-21 14:21:54 -07:00
Mariano Cano
a7fe0104c4 Remove ACME restrictions and add proper template support. 2020-07-21 14:18:06 -07:00
max furman
d25e7f64c2 wip 2020-06-24 09:58:40 -07:00
max furman
1951669e13 wip 2020-06-23 11:10:45 -07:00
max furman
41a1a053d8 Always convert empty list to nil when saving orderIDs index. 2020-06-01 18:04:51 -07:00
max furman
704a510a2a Remove non-pending orders from the acme_orders_by_account index ...
- Each acme account has an index in this table. Before this change, the
index would grow unchecked as orders accumulate. This change removes
orders that have moved out of the 'PENDING' state.
2020-06-01 12:56:50 -07:00
David Cowden
a26b5f322d acme/api: Brush up documentation on key-change
Add more specific wording describing what a 501 means and add more color
explaining how official vs unofficial error types should be handled.
2020-05-28 11:22:37 -07:00
David Cowden
b26e6e42b3 acme: Return 501 for the key-change route
RFC 8555 § 7.3.5 is not listed as optional but we do not currently
support it. Rather than 404, return a 501 to inform clients that this
functionality is not yet implemented.

The notImplmented error type is not an official error registered in the
ietf:params:acme:error namespace, so prefix if with step:acme:error. An
ACME server is allowed to return other errors and clients should display
the message detail to users.

Fixes: https://github.com/smallstep/certificates/issues/209
2020-05-26 01:47:08 -07:00
max furman
6e69f99310 Always set nbf and naf for new ACME orders ...
- Use the default value from the ACME provisioner if values are not
defined in the request.
2020-05-22 10:31:58 -07:00
Max
ba91f4ed13
Merge pull request #260 from anxolerd/feat-force-cn-if-empty
[Feature] Force CommonName for certificates from ACME provisioner
2020-05-18 14:40:01 -07:00
Oleksandr Kovalchuk
893a53793a
Modify existing tests to accept forceCNOption modifier
Modify existing tests to pass with changes introduced in commit
322200b7db. This is safe to do as
tests assert exact length of modifiers, which has changed.
2020-05-17 20:27:09 +03:00
Oleksandr Kovalchuk
322200b7db
Implement modifier to set CommonName
Implement modifier which sets CommonName to the certificate if
CommonName is empty and forceCN is set in the config. Replace previous
implementation introduced in 0218018cee
with new modifier.

Closes https://github.com/smallstep/certificates/issues/259
Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
2020-05-17 20:23:13 +03:00
max furman
e1409349f3 Allow relative URL for all links in ACME api ...
* Pass the request context all the way down the ACME stack.
* Save baseURL in context and use when generating ACME urls.
2020-05-14 17:32:54 -07:00
Oleksandr Kovalchuk
0218018cee
Generate Subject if forceCN and Subject is empty
When `forceCN` is set in provisioner configuration and
Subject.CommonName is empty, set Subject.CommonName to the first SAN
from the CSR to follow the letsencrypt's boulder behavior. This is done
in order to support system which require certificate's Subject field to
be non-empty.

N.B. certbot does not send Subject in its certificate request and relies
on similar behavior of letsencrypt.

Closes https://github.com/smallstep/certificates/issues/259
2020-05-14 13:23:42 +03:00
Clive Jevons
639993bd09 Read host and protocol information from request for links
When constructing links we want to read the required host and protocol
information in a dynamic manner from the request for constructing ACME
links such as the directory information. This way, if the server is
running behind a proxy, and we don't know what the exposed URL should
be at runtime, we can construct the required information from the
host, tls and X-Forwarded-Proto fields in the HTTP request.
Inspired by the LetsEncrypt Boulder project (web/relative.go).
2020-05-12 16:58:12 -07:00
max furman
4cb777bdc1 ACME accountUpdate ignore fields not recognized by the server. 2020-05-08 11:52:30 -07:00
Ivan Bertona
cb46a8b741 Small test fixes. 2020-02-11 09:57:28 -05:00
Ivan Bertona
10bc548c6e Remove leftover file. 2020-02-10 14:58:16 -05:00
Ivan Bertona
200cfd2433 Add test for missing TLS certificates in response. 2020-02-10 14:50:13 -05:00
Ivan Bertona
157686e338 Tiny finishes. 2020-02-07 19:57:29 -05:00
Ivan Bertona
6843408d42 Reject obsolete id-pe-acmeIdentifier. 2020-02-07 19:26:18 -05:00
Ivan Bertona
6b5a2b17b5 Add challenge unmarshal test cases. 2020-02-07 15:25:27 -05:00
Ivan Bertona
b8208ec401 Add test case for failed came-tls/1 protocol negotiation. 2020-02-07 15:14:08 -05:00
Ivan Bertona
4b473732d9 Add support for TLS-ALPN-01 challenge. 2020-02-07 14:37:13 -05:00
max furman
c255274572 Should be returning status code 400 for ACME Account Not Found.
Issue #173
2020-02-01 17:35:41 -08:00
Mariano Cano
0a890a5c16 Add the commonName as a DNSName to match RFC.
Normalize names and remove the use of reflection.
2020-01-28 15:34:01 -08:00
max furman
432ed0090f Use _'s in table names. 2020-01-28 13:29:40 -08:00
max furman
967e86a48b Simplify trimming *. prefix of domain in acme dns validation. 2019-12-20 13:32:44 -08:00
Oleksandr Kovalchuk
ec8ff0bced
Add testcase which ensures we pass correct domain to lookupTxt
Make sure we do not pass domains with asterisk (wildcard) in the middle,
like _acme-challenge.*.example.com to lookupTxt function, but preprocess
domain and remove leading wildcard so we lookup for
_acme-challenge.example.com.
2019-12-20 22:54:41 +02:00
Oleksandr Kovalchuk
46832bb9b3
Remove superflurous Printf statement
The statement was used for debug purposes and should not be included in
the final build
2019-12-20 22:22:12 +02:00
Oleksandr Kovalchuk
a995cca418
Perform domain normalization for wildcard domains
Perform domain normalization for wildcard domains, so we do query
TXT records for _acme-challenge.example.domain instead of
_acme-challenge.*.example.domain when performing DNS-01 challenge. In
this way the behavior is consistent with letsencrypt and records queried
are in sync with the ones that are shown in certbot manual mode.
2019-12-20 19:17:53 +02:00
Max
0a96062b76
Merge pull request #128 from jkralik/returnCertChain
Change api of functions Authority.Sign, Authority.Renew
2019-10-18 14:00:18 -07:00
max furman
d368791606 Add x5c provisioner capabilities 2019-10-14 14:51:37 -07:00
max furman
7aec7c2612 Create ACME database tables when initializing ACME autority. 2019-10-14 14:51:03 -07:00
Jozef Kralik
bc6074f596 Change api of functions Authority.Sign, Authority.Renew
Returns certificate chain instead of 2 members.

Implements #126
2019-10-09 22:23:00 +02:00
max furman
e92dfb2516 Fix authz shadow declarations 2019-09-30 11:49:15 -07:00
max furman
fe7973c060 wip 2019-09-19 13:17:45 -07:00
max furman
e3826dd1c3 Add ACME CA capabilities 2019-09-13 15:48:33 -07:00