mirror of
https://github.com/certbot/certbot.git
synced 2026-02-03 20:40:36 -05:00
fde359f4da
it looks like https://github.com/certbot/certbot/pull/10098 introduced a couple bugs into this file: 1. [RSAPrivateKeys](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey) don't have a `public_bytes` method 2. `cryptography.x509` wasn't imported and [load_pem_x509_certificate](https://cryptography.io/en/latest/x509/reference/#cryptography.x509.load_pem_x509_certificate) takes bytes, not a string i think avoiding this is unfortunately difficult as this file has no tests, but it was useful for me just now when testing https://github.com/certbot/certbot/pull/10283 so i wanted to fix it up i also changed the script to initially create the account without an email address as the fake@example.com email causes registration with LE's staging server to fail early in execution with the changes in this PR changes, if you: 1. change the value of [DOMAIN](0075104805/acme/examples/http01_example.py (L57)) to a domain pointing at your machine 2. as root, activate your certbot dev environment, and run `python acme/examples/http01_example.py ` it will fail late in the script with: ``` Traceback (most recent call last): File "/home/brad/certbot/acme/examples/http01_example.py", line 237, in <module> example_http() ~~~~~~~~~~~~^^ File "/home/brad/certbot/acme/examples/http01_example.py", line 223, in example_http regr = client_acme.update_registration( regr.update( ...<3 lines>... ) ) File "/home/brad/certbot/acme/src/acme/client.py", line 101, in update_registration updated_regr = self._send_recv_regr(regr, body=body) File "/home/brad/certbot/acme/src/acme/client.py", line 373, in _send_recv_regr response = self._post(regr.uri, body) File "/home/brad/certbot/acme/src/acme/client.py", line 392, in _post return self.net.post(*args, **kwargs) ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^ File "/home/brad/certbot/acme/src/acme/client.py", line 766, in post return self._post_once(*args, **kwargs) ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^ File "/home/brad/certbot/acme/src/acme/client.py", line 781, in _post_once response = self._check_response(response, content_type=content_type) File "/home/brad/certbot/acme/src/acme/client.py", line 630, in _check_response raise messages.Error.from_json(jobj) acme.messages.Error: urn:ietf:params:acme:error:invalidContact :: The provided contact URI was invalid :: Unable to update account :: invalid contact: contact email has forbidden domain "example.org" ``` if you also change [this email variable](0075104805/acme/examples/http01_example.py (L223)) to a valid email address, the script will run successfully
237 lines
7 KiB
Python
237 lines
7 KiB
Python
"""Example ACME-V2 API for HTTP-01 challenge.
|
|
|
|
Brief:
|
|
|
|
This a complete usage example of the python-acme API.
|
|
|
|
Limitations of this example:
|
|
- Works for only one Domain name
|
|
- Performs only HTTP-01 challenge
|
|
- Uses ACME-v2
|
|
|
|
Workflow:
|
|
(Account creation)
|
|
- Create account key
|
|
- Register account and accept TOS
|
|
(Certificate actions)
|
|
- Select HTTP-01 within offered challenges by the CA server
|
|
- Set up http challenge resource
|
|
- Set up standalone web server
|
|
- Create domain private key and CSR
|
|
- Issue certificate
|
|
- Renew certificate
|
|
- Revoke certificate
|
|
(Account update actions)
|
|
- Change contact information
|
|
- Deactivate Account
|
|
"""
|
|
from contextlib import contextmanager
|
|
|
|
from cryptography import x509
|
|
from cryptography.hazmat.backends import default_backend
|
|
from cryptography.hazmat.primitives import serialization
|
|
from cryptography.hazmat.primitives.asymmetric import rsa
|
|
import josepy as jose
|
|
|
|
from acme import challenges
|
|
from acme import client
|
|
from acme import crypto_util
|
|
from acme import errors
|
|
from acme import messages
|
|
from acme import standalone
|
|
|
|
# Constants:
|
|
|
|
# This is the staging point for ACME-V2 within Let's Encrypt.
|
|
DIRECTORY_URL = 'https://acme-staging-v02.api.letsencrypt.org/directory'
|
|
|
|
USER_AGENT = 'python-acme-example'
|
|
|
|
# Account key size
|
|
ACC_KEY_BITS = 2048
|
|
|
|
# Certificate private key size
|
|
CERT_PKEY_BITS = 2048
|
|
|
|
# Domain name for the certificate.
|
|
DOMAIN = 'client.example.com'
|
|
|
|
# If you are running Boulder locally, it is possible to configure any port
|
|
# number to execute the challenge, but real CA servers will always use port
|
|
# 80, as described in the ACME specification.
|
|
PORT = 80
|
|
|
|
|
|
# Useful methods and classes:
|
|
|
|
|
|
def new_csr_comp(domain_name, pkey_pem=None):
|
|
"""Create certificate signing request."""
|
|
if pkey_pem is None:
|
|
# Create private key.
|
|
pkey = rsa.generate_private_key(public_exponent=65537, key_size=CERT_PKEY_BITS)
|
|
pkey_pem = pkey.private_bytes(encoding=serialization.Encoding.PEM,
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
encryption_algorithm=serialization.NoEncryption())
|
|
|
|
csr_pem = crypto_util.make_csr(pkey_pem, [domain_name])
|
|
return pkey_pem, csr_pem
|
|
|
|
|
|
def select_http01_chall(orderr):
|
|
"""Extract authorization resource from within order resource."""
|
|
# Authorization Resource: authz.
|
|
# This object holds the offered challenges by the server and their status.
|
|
authz_list = orderr.authorizations
|
|
|
|
for authz in authz_list:
|
|
# Choosing challenge.
|
|
# authz.body.challenges is a set of ChallengeBody objects.
|
|
for i in authz.body.challenges:
|
|
# Find the supported challenge.
|
|
if isinstance(i.chall, challenges.HTTP01):
|
|
return i
|
|
|
|
raise Exception('HTTP-01 challenge was not offered by the CA server.')
|
|
|
|
|
|
@contextmanager
|
|
def challenge_server(http_01_resources):
|
|
"""Manage standalone server set up and shutdown."""
|
|
|
|
# Setting up a fake server that binds at PORT and any address.
|
|
address = ('', PORT)
|
|
try:
|
|
servers = standalone.HTTP01DualNetworkedServers(address,
|
|
http_01_resources)
|
|
# Start client standalone web server.
|
|
servers.serve_forever()
|
|
yield servers
|
|
finally:
|
|
# Shutdown client web server and unbind from PORT
|
|
servers.shutdown_and_server_close()
|
|
|
|
|
|
def perform_http01(client_acme, challb, orderr):
|
|
"""Set up standalone webserver and perform HTTP-01 challenge."""
|
|
|
|
response, validation = challb.response_and_validation(client_acme.net.key)
|
|
|
|
resource = standalone.HTTP01RequestHandler.HTTP01Resource(
|
|
chall=challb.chall, response=response, validation=validation)
|
|
|
|
with challenge_server({resource}):
|
|
# Let the CA server know that we are ready for the challenge.
|
|
client_acme.answer_challenge(challb, response)
|
|
|
|
# Wait for challenge status and then issue a certificate.
|
|
# It is possible to set a deadline time.
|
|
finalized_orderr = client_acme.poll_and_finalize(orderr)
|
|
|
|
return finalized_orderr.fullchain_pem
|
|
|
|
|
|
# Main examples:
|
|
|
|
|
|
def example_http():
|
|
"""This example executes the whole process of fulfilling a HTTP-01
|
|
challenge for one specific domain.
|
|
|
|
The workflow consists of:
|
|
(Account creation)
|
|
- Create account key
|
|
- Register account and accept TOS
|
|
(Certificate actions)
|
|
- Select HTTP-01 within offered challenges by the CA server
|
|
- Set up http challenge resource
|
|
- Set up standalone web server
|
|
- Create domain private key and CSR
|
|
- Issue certificate
|
|
- Renew certificate
|
|
- Revoke certificate
|
|
(Account update actions)
|
|
- Change contact information
|
|
- Deactivate Account
|
|
|
|
"""
|
|
# Create account key
|
|
|
|
acc_key = jose.JWKRSA(
|
|
key=rsa.generate_private_key(public_exponent=65537,
|
|
key_size=ACC_KEY_BITS,
|
|
backend=default_backend()))
|
|
|
|
# Register account and accept TOS
|
|
|
|
net = client.ClientNetwork(acc_key, user_agent=USER_AGENT)
|
|
directory = client.ClientV2.get_directory(DIRECTORY_URL, net)
|
|
client_acme = client.ClientV2(directory, net=net)
|
|
|
|
# Terms of Service URL is in client_acme.directory.meta.terms_of_service
|
|
# Registration Resource: regr
|
|
regr = client_acme.new_account(
|
|
messages.NewRegistration.from_data(terms_of_service_agreed=True))
|
|
|
|
# Create domain private key and CSR
|
|
pkey_pem, csr_pem = new_csr_comp(DOMAIN)
|
|
|
|
# Issue certificate
|
|
|
|
orderr = client_acme.new_order(csr_pem)
|
|
|
|
# Select HTTP-01 within offered challenges by the CA server
|
|
challb = select_http01_chall(orderr)
|
|
|
|
# The certificate is ready to be used in the variable "fullchain_pem".
|
|
fullchain_pem = perform_http01(client_acme, challb, orderr)
|
|
|
|
# Renew certificate
|
|
|
|
_, csr_pem = new_csr_comp(DOMAIN, pkey_pem)
|
|
|
|
orderr = client_acme.new_order(csr_pem)
|
|
|
|
challb = select_http01_chall(orderr)
|
|
|
|
# Performing challenge
|
|
fullchain_pem = perform_http01(client_acme, challb, orderr)
|
|
|
|
# Revoke certificate
|
|
|
|
fullchain_com = x509.load_pem_x509_certificate(fullchain_pem.encode())
|
|
|
|
try:
|
|
client_acme.revoke(fullchain_com, 0) # revocation reason = 0
|
|
except errors.ConflictError:
|
|
# Certificate already revoked.
|
|
pass
|
|
|
|
# Query registration status.
|
|
client_acme.net.account = regr
|
|
try:
|
|
regr = client_acme.query_registration(regr)
|
|
except errors.Error as err:
|
|
if err.typ == messages.ERROR_PREFIX + 'unauthorized':
|
|
# Status is deactivated.
|
|
pass
|
|
raise
|
|
|
|
# Change contact information
|
|
|
|
email = 'newfake@example.com'
|
|
regr = client_acme.update_registration(
|
|
regr.update(
|
|
body=regr.body.update(
|
|
contact=('mailto:' + email,)
|
|
)
|
|
)
|
|
)
|
|
|
|
# Deactivate account/registration
|
|
|
|
regr = client_acme.deactivate_registration(regr)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
example_http()
|