Commit graph

39 commits

Author SHA1 Message Date
Ludovic Fernandez
a2543a2fde
Don't trust identifiers order. (#589)
ACME draft Section 7.4 "Applying for Certificate Issuance"
https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4
says:
	Clients SHOULD NOT make any assumptions about the sort order of
	"identifiers" or "authorizations" elements in the returned order
	object.
2018-07-01 01:06:46 +02:00
Wyatt Johnson
d457f70ae0 TLS-ALPN-01 Challenge (#572)
* feat: implemented TLS-ALPN-01 challenge
2018-06-14 01:20:56 +02:00
Ludovic Fernandez
e7fd871a9c
ACME V2 support (#555) 2018-05-30 19:53:04 +02:00
xenolf
cbd5d04c89 Fix OCSP must staple.
Fixes #327
2016-12-06 08:41:28 +01:00
xenolf
72914df00f Add OCSP must staple support
Introduces a new command line switch `--must-staple` to `run` and `renew`.
Using this switch will add the must staple TLS extension to the CSR generated by lego and thus also to the generated certificate.
This does not work with user specified CSRs!

Fixes #270
2016-10-27 11:22:10 +02:00
xenolf
e2f341198f Remove unneeded re-checking of OCSP responses. The stdlib has us covered already.
Fixes #247
2016-07-21 03:32:56 +02:00
Chris Marchesi
575370e196 cert: Extend acme.CertificateResource, support CSRs on renew
client.RenewCertificate now supports CSRs, and in fact prefers them,
when renewing certificates. In other words, if the certificate was
created via a CSR then using that will be attempted before re-generating
off a new private key.

Also adjusted the API of ObtainCertificateForCSR to be a little
more in line with the original ObtainCertificate function.
2016-06-14 21:15:25 -07:00
xenolf
fcd05ae397 Merge pull request #130 from xenolf/add-ecc-support
Add EC support
2016-02-27 03:38:12 +01:00
xenolf
da7dd0f7b8 Remove no longer needed crypto function. ACME spec no longer requires this. 2016-02-21 04:31:02 +01:00
xenolf
a61e41c90e Fix typo in the constant for the P384 curve. 2016-02-21 04:18:45 +01:00
xenolf
0e26bb45ca Add support for EC certificates / account keys 2016-02-21 04:18:45 +01:00
Matthew Holt
971541dc0a Use http client with timeout of 10s
This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning.

Fix vet errors and lint warnings

Add vet to CI check

Only get issuer certificate if it would be used

No need to make a GET request if the OCSP server is not specified in leaf certificate

Fix CI tests

Make tests verbose
2016-02-14 14:33:54 -07:00
Chris Moos
7bdc9e26f7 GetOCSPCert should fail if there are no OCSP servers in the cert. 2016-02-06 23:19:32 -07:00
Matthew Holt
19ea2cbf75 Fix PEM decoding if file ends with multiple newlines
This method more closely reflects how crypto/tls does it here: https://golang.org/src/crypto/tls/tls.go?s=5139:5210#L174
2016-01-11 10:02:28 -07:00
xenolf
db1a519684 Add the ability to reuse a private key 2016-01-08 10:14:41 +01:00
xenolf
1193ae895a Merge pull request #66 from xenolf/user-agent-string
Implement custom User-Agent string
2016-01-07 04:51:31 +01:00
Matthew Holt
0786c993c9 Return full, parsed ocsp response instead of just the status 2015-12-31 16:07:18 -07:00
Matthew Holt
89908f39e9 Implement custom User-Agent string
Also a couple miscellaneous vet fixes
2015-12-30 15:01:21 -07:00
Mustafa Altun
f3df6b81b2 Fix gofmt errors 2015-12-24 10:57:09 +02:00
xenolf
7789bd2ffc Limit OCSP answers to 1MB.
fixes #56
2015-12-18 22:33:30 +01:00
xenolf
7662cbcec5 Merge pull request #30 from xenolf/add-san-cert
Add SAN certificates - fix #20
2015-11-18 22:07:54 +01:00
xenolf
17576f0626 Update README & Extract KeyAuthorizations from HTTP-01 2015-11-16 23:57:04 +01:00
xenolf
27a8cff3c6 Initial support for SAN certificates 2015-11-11 01:01:15 +01:00
Matthew Holt
2c24056374 Close leaky file descriptors 2015-10-30 15:38:59 -06:00
Matthew Holt
f146acc019 fix panic for situation common with self-signed certs 2015-10-28 21:36:02 -06:00
xenolf
94aeac7b5f Add the OCSP status code to GetOCSPForCert 2015-10-27 23:55:50 +01:00
xenolf
65b62b5670 Make ocsp validate the signature of a response.
OCSP signatures should get validated if no issuer certificate is returned from
the OCSP responder.
2015-10-27 22:31:56 +01:00
xenolf
2afea79309 Fix cert bundle order 2015-10-24 04:31:12 +02:00
xenolf
51a95ee548 Add initial support for certificate bundling 2015-10-24 03:55:18 +02:00
xenolf
d6f4e42b13 Add support for getting OCSP responses for OCSPStapling 2015-10-24 03:46:00 +02:00
xenolf
4d99c9e543 Support for RecoveryKey (not enabled). But not supported server side... 2015-10-23 16:24:02 +02:00
xenolf
dc4125d3cf Change GetCertExpiration to accept PEM encoded certs. 2015-10-19 00:36:25 +02:00
Matt Holt
5d31b0a04c Fix panic 2015-10-17 20:58:14 -06:00
xenolf
7f6f790253 Wrap []byte for DER certificates in its own type. 2015-10-18 03:29:26 +02:00
xenolf
dcdcde03aa Certificates are PEM encoded by default now 2015-10-18 03:10:46 +02:00
xenolf
835927f5d5 Clean-up ugly zero time check 2015-10-18 00:25:46 +02:00
xenolf
3ef08f7413 Add a comment to GetCertExpiration 2015-10-17 22:27:04 +02:00
xenolf
34910bd541 Add a function to check cert expiration dates. 2015-10-16 21:05:16 +02:00
xenolf
b04e5a4aac add crypto.go 2015-06-13 03:57:05 +02:00