JonahGroendal / acme-easy

An ACME client for the browser that authenticates via DNS-01 challenge and supports LetsEncrypt by default.
https://www.npmjs.com/package/acme-easy
MIT License

Acme Easy to renew certificates #7

Closed bruno-albino closed 3 years ago

bruno-albino commented 3 years ago

Hi !! I am using your library to generate the certificates through DNS challenges. I wonder how can I get/expand your library to renew those certificates as well ?

JonahGroendal commented 3 years ago

Hey Bruno, thanks for using the library!

I think that could be a good idea but one thing to consider is this library currently cannot complete the DNS challenge by itself, it can only communicate with Let's Encrypt (or another cert authority) to request a challenge and then finalize it after the challenge is completed (i.e. after the DNS record is set by you or another program).

To do an auto renew feature we would have to make plugins to communicate with the various DNS hosts via their REST APIs. This isn't too difficult and in fact I already did this for Cloudflare in the test.js file, but it would require a bit of work.

If you have a specific DNS host in mind and are willing to write a plugin for it, feel free to submit a PR. Take a look at how I did it in test.js for reference.

bruno-albino commented 3 years ago

@JonahGroendal thanks for the quick response. I don't want to do auto renew. So how can I communicate with Let's Encrypt to renew a specific certificate manually through your library?

I am assuming that I don't need to submit a new challenge every time the certificate is to be renewed.

JonahGroendal commented 3 years ago

@bruno-albino As a part of the ACME protocol, you do need to do the challenge every time you renew a certificate. In fact renewing is the same as issuing a new certificate.

May I ask what application you are using this library for? If you're just hosting a website I would recommend using certbot instead.

bruno-albino commented 3 years ago

I am implementing an application so end users can submit their DNS challenge manually and then generate the certificate. Until now, this library worked for me, but now I need to manually renew those certificates (uploaded in Fastly).

bruno-albino commented 3 years ago

Oh I just found that if I request the renewal within 30 days the challenge is still valid. So I just need to generate a new one again :) Thanks anyway

JonahGroendal commented 3 years ago

Oh very cool! This is the perfect library for that, well, besides for not being able to renew. You could implement an auto renew feature by having the user input an auth token for the domain host they use... This would allow you to renew the certificates for them every month, but it would also allow you to MITM their website so it wouldn't be the most secure solution for them.

JonahGroendal commented 3 years ago

Oh I just found that if I request the renewal within 30 days the challenge is still valid. So I just need to generate a new one again :) Thanks anyway

Really? That's very interesting. I thought I read in RFC 8555 that you had to do the challenge again, my bad. Do you have a link to that info?

JonahGroendal commented 3 years ago

Oh I just found that if I request the renewal within 30 days the challenge is still valid. So I just need to generate a new one again :) Thanks anyway

If that's the case I can update the library to support that.

bruno-albino commented 3 years ago

bad

Is this one: https://community.letsencrypt.org/t/will-renewal-always-require-new-dns-acme-challenge-txt/102820/5

JonahGroendal commented 3 years ago

Ok so it looks like you can only renew once without having to do the challenge again, and that only gets you an extra 30 days

bruno-albino commented 3 years ago

Yep. I did try here with the staging endpoint and it worked. The order has the "valid" status in it.

JonahGroendal commented 3 years ago

Oh nice, I guess I don't have to change anything then

bruno-albino commented 3 years ago

Nothing at all. Thanks for your time, and great job with this one!!

JonahGroendal commented 3 years ago

My pleasure, glad I could help. And thanks!