dehydrated-io / dehydrated

letsencrypt/acme client implemented as a shell-script – just add water
https://dehydrated.io
MIT License
5.96k stars, 716 forks

ACME v2 Support #420

Closed lbelkind closed 6 years ago

lbelkind commented 7 years ago

In January 2018 Let's Encrypt will launch a new ACME v2 endpoint that will allow wildcard certificates. Any plans to implement this?

rudiedirkx commented 6 years ago

Awesome work everyone! Feels goood to use Dehydrated for reals. All worked perfectly!

jangrewe commented 6 years ago

@lukas2511 I hope it's appropriate if I hijack this issue, as I think this is the same, or at least a similar, issue. I've updated dehydrated, changed my domains.txt to:

betadiff.com *.betadiff.com

and now I'm only getting this error:

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"5QqvUbs0BLtz5h9wpypVtmwtiHvzlXJlSN9T10bSDR4\" found at _acme-challenge.betadiff.com",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/kXZvhKmuF6G5VTLcj3JYed6Qe-P_tDrUfh9EiB8OTCI/3812418200",
  "token": "VLkybskPD-purQx1i8TXQ_Cx85v5KCSFIh1I0sP7sBQ",
  "keyAuthorization": "VLkybskPD-purQx1i8TXQ_Cx85v5KCSFIh1I0sP7sBQ.ymn7rrjFsLBQUTzWYgdoacDjsIe-B36saKrAYkAh2Tk"
})

The DNS-01 challenge was previously working fine, and my DNS slaves do the AXFR well within the wait period I've set (using pdns_api.sh, by the way), so I'm assuming this is directly related to the ACME v2 endpoint change?

jangrewe commented 6 years ago

I just checked with only the wildcard domain, so my domains.txt looked like this:

*.betadiff.com > betadiff.com

This works, but I'd still like to have both the apex and the wildcard in the same cert, so I tried with the apex, the wildcard and also defining an alias:

betadiff.com *.betadiff.com > betadiff.com

And this now also works! So it looks like the alias is mandatory if you're using a wildcard?

jangrewe commented 6 years ago

Another observation, for a different domain: it only works if I first request the wildcard cert with an alias, and then add the apex and renew the certificate with the additional name (which doesn't need the alias anymore).

So for every domain I need two separate runs, first:

*.betadiff.com > betadiff.com

then:

betadiff.com *.betadiff.com

bviktor commented 6 years ago

Yes, the alias is mandatory for wildcard, see https://github.com/lukas2511/dehydrated/issues/483

jangrewe commented 6 years ago

Yes, I know that it's mandatory if you use only a wildcard, but it seemed as if it was also mandatory if you're using a wildcard (as the SAN only, so in theory no alias would be required) together with a regular domain name, because it worked for me on the second try, after successfully requesting a cert for only the wildcard first.

But...

... as my most recent comment showed, that assumption of mine is not true: it just doesn't work at all (for me) if I request a cert for a regular domain with the wildcard as a SAN (with or without the alias), unless I first request it for only the wildcard (using the alias), and then for the domain and the wildcard combined (either with or without alias, again).

btw, is your (lukas2511) Amazon Wishlist still up to date? ;-)

rudiedirkx commented 6 years ago

Certificates like

betadiff.com *.betadiff.com

work perfectly for me. Does your DNS hook add and keep 2 records?

jangrewe commented 6 years ago

I've been using pdns_api.sh for quite some time now, and it worked fine "until yesterday". Some certs of mine have/had dozens of SANs, so that would mean it's only broken for wildcards then...

I also wonder why it works on subsequent runs with multiple names, just not for the initial run.

txr13 commented 6 years ago

Somebody else has the same issue with pdns in #504. Probably safe to say there's something wrong with either the hook or pdns itself.

Subsequent runs with multiple names are probably re-using the validations done from earlier, so you don't have to re-validate them simultaneously.
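The point raised by rudiedirkx ("Does your DNS hook add and keep 2 records?") and by txr13 above is worth seeing concretely: when an apex name and its wildcard are validated in one run, both dns-01 challenges are published under the same name, `_acme-challenge.betadiff.com`, so the hook must hold two TXT values there at once. A hook that replaces the record instead of adding one leaves only the last value, which is exactly what the CA reports as "Incorrect TXT record ... found". The script below is an added example, not code from dehydrated or from pdns_api.sh: it uses a temporary file as a stand-in for the DNS API, assumes dehydrated's hook argument order (domain, token filename, token value) and that the hook strips a leading `*.` itself, and all domain and token values are constructed.

```shell
#!/bin/sh
# Added example (not dehydrated's or pdns_api.sh's code). A file-backed "zone"
# stands in for the DNS provider API so both hook strategies can be run offline.
ZONE="${ZONE:-$(mktemp)}"          # constructed zone: one "name value" pair per line
trap 'rm -f "$ZONE" "$ZONE.tmp"' EXIT

# Challenge name for a domain; "*.example" and "example" map to the same name.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Naive hook: one TXT value per name, last write wins. This is the failure mode
# behind "Incorrect TXT record ... found" for apex + wildcard in one run.
deploy_challenge_replace() {
    name="$(challenge_name "$1")"; value="$3"
    grep -v "^$name " "$ZONE" > "$ZONE.tmp" 2>/dev/null || true
    echo "$name $value" >> "$ZONE.tmp"
    mv "$ZONE.tmp" "$ZONE"
}

# Correct hook: every TXT value at the name is kept, so the apex and the
# wildcard challenge can be answered at the same time.
deploy_challenge_add() {
    name="$(challenge_name "$1")"; value="$3"
    echo "$name $value" >> "$ZONE"
}

# Remove exactly one value, leaving any sibling records in place.
clean_challenge() {
    name="$(challenge_name "$1")"; value="$3"
    grep -v "^$name $value$" "$ZONE" > "$ZONE.tmp" || true
    mv "$ZONE.tmp" "$ZONE"
}

# Stand-in for the CA's dns-01 check: succeed if the expected value is among
# the TXT records at the challenge name (the CA accepts any matching record).
validate() {
    name="$(challenge_name "$1")"
    grep -q "^$name $2$" "$ZONE"
}

# Number of TXT records currently published at the challenge name.
txt_count() {
    grep -c "^$(challenge_name "$1") " "$ZONE" || true
}

# The scenario from the thread: apex and wildcard validated in the same run,
# using the given hook. Returns 0 if both challenges pass, non-zero otherwise.
run_scenario() {
    hook="$1"
    : > "$ZONE"
    "$hook" betadiff.com     apex.token     apexvalue-CONSTRUCTED
    "$hook" '*.betadiff.com' wildcard.token wildvalue-CONSTRUCTED
    validate betadiff.com apexvalue-CONSTRUCTED && validate '*.betadiff.com' wildvalue-CONSTRUCTED
}

if run_scenario deploy_challenge_add; then
    echo "add hook: both challenges validate ($(txt_count betadiff.com) TXT records)"
fi
if run_scenario deploy_challenge_replace; then :; else
    echo "replace hook: the wildcard write clobbered the apex value ($(txt_count betadiff.com) TXT record)"
fi
```

The same logic explains the second observation in the thread: on a later run the CA already holds a valid authorization for one of the names, only the other challenge is republished, and a replacing hook no longer has anything to clobber.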

lukas2511 commented 6 years ago

Thanks @txr13, and @jangrewe yes, my wishlist is always up to date ;)

I'm going to lock this conversation so that new issues will land in their own tickets instead of this big collection, makes it easier for me (and others) to find duplicates :smile: