acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Add support for pre-authorizations #4797

Open vanbroup opened 1 year ago

vanbroup commented 1 year ago

Please add support for pre-authorizations as defined in section 7.4.1 of RFC8555:

Some servers may also wish to enable clients to obtain authorization for an identifier proactively, outside of the context of a specific issuance. For example, a client hosting virtual servers for a collection of names might wish to obtain authorization before any virtual servers are created and only create a certificate when a virtual server starts up.

Support for pre-authorizations can help the ecosystem to move to shorter domain validation re-use periods, for example by supporting organizations in keeping their domain/IP address authorizations up to date, even if these eventually do not use ACME to request or provision their certificates.

Another advantage could be that the authorization and issuance process could be separated, ensuring that DNS credentials do not have to be exposed on a server that is accessible from the internet.

While the new-authz call is implemented in __get_domain_new_authz(), it's not exposed to the CLI. https://github.com/acmesh-official/acme.sh/blob/b8447fcab83bc6a8964e6a3a0d89ff519be6df92/acme.sh#L3946-L3982
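The pre-authorization exchange the request above asks for, as an added example that is not part of the issue and not acme.sh code. Both the client and the CA are simulated in one Python process so it runs offline: the JWS envelope of RFC 8555 section 6.2 is left out and only the signed payloads are built, the account key is a constructed P-256 JWK (placeholder coordinates, not a real curve point), the CA URLs under ca.example are hypothetical, and DNS is a dictionary. The thumbprint and dns-01 record computation follow RFC 7638 and RFC 8555 section 8.4 as written; the CA's reuse of a still-valid authorization at newOrder time is the model the issue relies on.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere (RFC 8555 section 6)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<name>: base64url(SHA-256(token "." thumbprint)) (section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


class MockAcmeServer:
    """Just enough CA state to show how newAuthz and newOrder interact. Not a real ACME server."""

    def __init__(self, account_jwk: dict, dns: dict):
        self.account_jwk = account_jwk  # the account the JWS would be signed with
        self.dns = dns                  # name -> TXT value, standing in for a DNS resolver
        self.authz = {}                 # identifier value -> authorization object

    def new_authz(self, payload: dict) -> dict:
        """POST newAuthz (section 7.4.1). The payload is just {"identifier": {...}}."""
        ident = payload["identifier"]
        if ident["type"] != "dns":
            return {"type": "urn:ietf:params:acme:error:unsupportedIdentifier", "status": 400}
        authz = self.authz.get(ident["value"])
        if authz is None or authz["status"] != "valid":  # a valid one is simply returned again
            authz = {
                "identifier": ident,
                "status": "pending",
                "challenges": [{
                    "type": "dns-01",
                    "status": "pending",
                    "url": f"https://ca.example/chall/{ident['value']}",  # hypothetical CA
                    "token": b64url(secrets.token_bytes(32)),
                }],
            }
            self.authz[ident["value"]] = authz
        return authz

    def respond_challenge(self, name: str) -> dict:
        """Client POSTed {} to the dns-01 challenge URL; the CA now queries DNS (section 8.4)."""
        authz = self.authz[name]
        chall = authz["challenges"][0]
        expected = dns01_txt_value(chall["token"], self.account_jwk)
        ok = self.dns.get(f"_acme-challenge.{name}") == expected
        chall["status"] = authz["status"] = "valid" if ok else "invalid"
        return authz

    def new_order(self, payload: dict) -> dict:
        """POST newOrder (section 7.4): a still-valid authorization is reused, so no new challenge."""
        authzs = [self.new_authz({"identifier": ident}) for ident in payload["identifiers"]]
        all_valid = all(a["status"] == "valid" for a in authzs)
        return {"status": "ready" if all_valid else "pending",
                "identifiers": payload["identifiers"],
                "authorizations": [f"https://ca.example/authz/{a['identifier']['value']}" for a in authzs]}


def run_flow(name: str, publish_correct_record: bool = True) -> dict:
    """Pre-authorize `name`, then place an order later; returns the statuses seen at each step."""
    # Constructed P-256 JWK: x/y are placeholder bytes, not a real curve point. Only the
    # thumbprint is needed here because JWS signing is simulated away.
    account_jwk = {"kty": "EC", "crv": "P-256",
                   "x": b64url(bytes(range(1, 33))), "y": b64url(bytes(range(33, 65)))}
    dns = {}
    server = MockAcmeServer(account_jwk, dns)

    # 1. Pre-authorization, outside any order. This is the call acme.sh has in
    #    __get_domain_new_authz() but does not expose on the CLI.
    authz = server.new_authz({"identifier": {"type": "dns", "value": name}})
    token = authz["challenges"][0]["token"]

    # 2. Whoever holds the DNS credentials publishes the TXT record; this can be a
    #    machine that is never reachable from the internet.
    txt = dns01_txt_value(token, account_jwk) if publish_correct_record else "wrong-value"
    dns[f"_acme-challenge.{name}"] = txt
    authz = server.respond_challenge(name)

    # 3. Later, the server that needs the certificate places the order.
    order = server.new_order({"identifiers": [{"type": "dns", "value": name}]})
    return {"authz_status": authz["status"], "order_status": order["status"]}


if __name__ == "__main__":
    print(json.dumps(run_flow("example.com"), indent=2))
```

Running it with the correct TXT record ends with the order already in state "ready": the web server that places the order never sees a challenge and never needs the DNS API key. With a wrong record the authorization goes "invalid" and the order falls back to a fresh pending authorization, which is the usual acme.sh flow. In a real client each payload above is wrapped in a JWS signed by the account key with a fresh nonce, which is exactly what __get_domain_new_authz() already does.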

github-actions[bot] commented 1 year ago

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.