Ludovic Fernandez
a2543a2fde
Don't trust identifiers order. (#589)
ACME draft Section 7.4 "Applying for Certificate Issuance"
https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4
says:
Clients SHOULD NOT make any assumptions about the sort order of
"identifiers" or "authorizations" elements in the returned order
object.
2018-07-01 01:06:46 +02:00
Wyatt Johnson
d457f70ae0
TLS-ALPN-01 Challenge (#572)
* feat: implemented TLS-ALPN-01 challenge
2018-06-14 01:20:56 +02:00
Ludovic Fernandez
e7fd871a9c
ACME V2 support (#555)
2018-05-30 19:53:04 +02:00
xenolf
cbd5d04c89
Fix OCSP must staple.
Fixes #327
2016-12-06 08:41:28 +01:00
xenolf
72914df00f
Add OCSP must staple support
Introduces a new command line switch `--must-staple` to `run` and `renew`.
Using this switch will add the must staple TLS extension to the CSR generated by lego and thus also to the generated certificate.
This does not work with user specified CSRs!
Fixes #270
2016-10-27 11:22:10 +02:00
xenolf
e2f341198f
Remove unneeded re-checking of OCSP responses. The stdlib has us covered already.
Fixes #247
2016-07-21 03:32:56 +02:00
Chris Marchesi
575370e196
cert: Extend acme.CertificateResource, support CSRs on renew
client.RenewCertificate now supports CSRs, and in fact prefers them,
when renewing certificates. In other words, if the certificate was
created via a CSR then using that will be attempted before re-generating
off a new private key.
Also adjusted the API of ObtainCertificateForCSR to be a little
more in line with the original ObtainCertificate function.
2016-06-14 21:15:25 -07:00
xenolf
fcd05ae397
Merge pull request #130 from xenolf/add-ecc-support
Add EC support
2016-02-27 03:38:12 +01:00
xenolf
da7dd0f7b8
Remove no longer needed crypto function. ACME spec no longer requires this.
2016-02-21 04:31:02 +01:00
xenolf
a61e41c90e
Fix typo in the constant for the P384 curve.
2016-02-21 04:18:45 +01:00
xenolf
0e26bb45ca
Add support for EC certificates / account keys
2016-02-21 04:18:45 +01:00
Matthew Holt
971541dc0a
Use http client with timeout of 10s
This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning.
Fix vet errors and lint warnings
Add vet to CI check
Only get issuer certificate if it would be used
No need to make a GET request if the OCSP server is not specified in leaf certificate
Fix CI tests
Make tests verbose
2016-02-14 14:33:54 -07:00
Chris Moos
7bdc9e26f7
GetOCSPCert should fail if there are no OCSP servers in the cert.
2016-02-06 23:19:32 -07:00
Matthew Holt
19ea2cbf75
Fix PEM decoding if file ends with multiple newlines
This method more closely reflects how crypto/tls does it here: https://golang.org/src/crypto/tls/tls.go?s=5139:5210#L174
2016-01-11 10:02:28 -07:00
xenolf
db1a519684
Add the ability to reuse a private key
2016-01-08 10:14:41 +01:00
xenolf
1193ae895a
Merge pull request #66 from xenolf/user-agent-string
Implement custom User-Agent string
2016-01-07 04:51:31 +01:00
Matthew Holt
0786c993c9
Return full, parsed ocsp response instead of just the status
2015-12-31 16:07:18 -07:00
Matthew Holt
89908f39e9
Implement custom User-Agent string
Also a couple miscellaneous vet fixes
2015-12-30 15:01:21 -07:00
Mustafa Altun
f3df6b81b2
Fix gofmt errors
2015-12-24 10:57:09 +02:00
xenolf
7789bd2ffc
Limit OCSP answers to 1MB.
fixes #56
2015-12-18 22:33:30 +01:00
xenolf
7662cbcec5
Merge pull request #30 from xenolf/add-san-cert
Add SAN certificates - fix #20
2015-11-18 22:07:54 +01:00
xenolf
17576f0626
Update README & Extract KeyAuthorizations from HTTP-01
2015-11-16 23:57:04 +01:00
xenolf
27a8cff3c6
Initial support for SAN certificates
2015-11-11 01:01:15 +01:00
Matthew Holt
2c24056374
Close leaky file descriptors
2015-10-30 15:38:59 -06:00
Matthew Holt
f146acc019
fix panic for situation common with self-signed certs
2015-10-28 21:36:02 -06:00
xenolf
94aeac7b5f
Add the OCSP status code to GetOCSPForCert
2015-10-27 23:55:50 +01:00
xenolf
65b62b5670
Make ocsp validate the signature of a response.
OCSP signatures should get validated if no issuer certificate is returned from
the OCSP responder.
2015-10-27 22:31:56 +01:00
xenolf
2afea79309
Fix cert bundle order
2015-10-24 04:31:12 +02:00
xenolf
51a95ee548
Add initial support for certificate bundling
2015-10-24 03:55:18 +02:00
xenolf
d6f4e42b13
Add support for getting OCSP responses for OCSPStapling
2015-10-24 03:46:00 +02:00
xenolf
4d99c9e543
Support for RecoveryKey (not enabled). But not supported server side...
2015-10-23 16:24:02 +02:00
xenolf
dc4125d3cf
Change GetCertExpiration to accept PEM encoded certs.
2015-10-19 00:36:25 +02:00
Matt Holt
5d31b0a04c
Fix panic
2015-10-17 20:58:14 -06:00
xenolf
7f6f790253
Wrap []byte for DER certificates in its own type.
2015-10-18 03:29:26 +02:00
xenolf
dcdcde03aa
Certificates are PEM encoded by default now
2015-10-18 03:10:46 +02:00
xenolf
835927f5d5
Clean-up ugly zero time check
2015-10-18 00:25:46 +02:00
xenolf
3ef08f7413
Add a comment to GetCertExpiration
2015-10-17 22:27:04 +02:00
xenolf
34910bd541
Add a function to check cert expiration dates.
2015-10-16 21:05:16 +02:00
xenolf
b04e5a4aac
add crypto.go
2015-06-13 03:57:05 +02:00