diafygi / acme-tiny

A tiny script to issue and renew TLS certs from Let's Encrypt
MIT License

Using the previous CA (acme-v01.api.letsencrypt) doesn't work, leads to keyError about 'newAccount' #225

Closed alexAubin closed 5 years ago

alexAubin commented 5 years ago

I see that there is some code to ensure backward compatibility with a CA different from the default (now acme-v02), but I found that it leads to a KeyError about newAccount here:

 _send_signed_request(directory['newAccount'], reg_payload, "Error registering")

Using pdb, directory indeed does not contain a key newAccount:

(Pdb) pp directory
{u'abcdef123456': u'https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417',
 u'key-change': u'https://acme-v01.api.letsencrypt.org/acme/key-change',
 u'meta': {u'caaIdentities': [u'letsencrypt.org'],
           u'terms-of-service': u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf',
           u'website': u'https://letsencrypt.org'},
 u'new-authz': u'https://acme-v01.api.letsencrypt.org/acme/new-authz',
 u'new-cert': u'https://acme-v01.api.letsencrypt.org/acme/new-cert',
 u'new-reg': u'https://acme-v01.api.letsencrypt.org/acme/new-reg',
 u'revoke-cert': u'https://acme-v01.api.letsencrypt.org/acme/revoke-cert'}

On my side I fixed my code by just switching to acme-v02, so it's not a big deal, but maybe it is for other people ... Anyway, thanks for your awesome work! :stuck_out_tongue_winking_eye:
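The KeyError above comes from the v1 directory using names like new-reg where an RFC 8555 (ACME v2) directory uses newAccount. The following is an added example, not part of this thread or of acme-tiny's own code, that classifies a directory document by its resource names and turns the bare KeyError into a descriptive error before any signed request is sent. The sample directories are constructed (the v1 one mirrors the pdb dump above; the v2 one uses the RFC 8555 key names with illustrative URLs), and the fetch_directory helper is only needed if you want to run the check against a live endpoint.

```python
"""Check that an ACME directory is v2 (RFC 8555) before using it with acme-tiny-style code."""
import json
from urllib.request import urlopen  # only used by fetch_directory (needs network access)

# Resource names a conforming ACME v2 (RFC 8555) directory exposes.
ACME_V2_KEYS = {"newNonce", "newAccount", "newOrder", "revokeCert", "keyChange"}
# Resource names the legacy Let's Encrypt ACME v1 endpoint exposed (as in the dump above).
ACME_V1_KEYS = {"new-reg", "new-authz", "new-cert", "revoke-cert", "key-change"}


def classify_directory(directory):
    """Return 'v2', 'v1' or 'unknown' depending on which resource names are present."""
    keys = set(directory)
    if ACME_V2_KEYS <= keys:
        return "v2"
    if ACME_V1_KEYS & keys:
        return "v1"
    return "unknown"


def require_v2_directory(directory, directory_url="<directory url>"):
    """Return the directory unchanged if it is ACME v2, else raise a descriptive ValueError.

    Doing this once, right after fetching the directory, avoids a confusing KeyError
    deep inside the account registration step.
    """
    version = classify_directory(directory)
    if version == "v2":
        return directory
    if version == "v1":
        raise ValueError(
            "{} is an ACME v1 directory (keys like 'new-reg'); an ACME v2 directory "
            "exposing 'newAccount' is required, e.g. "
            "https://acme-v02.api.letsencrypt.org/directory".format(directory_url))
    raise ValueError("{} does not look like an ACME directory; keys: {}".format(
        directory_url, sorted(directory)))


def fetch_directory(directory_url):
    """Fetch a live directory document and validate it (network access required)."""
    with urlopen(directory_url) as resp:
        return require_v2_directory(json.load(resp), directory_url)


# Constructed sample: the ACME v1 directory shape reported in this issue.
V1_SAMPLE = {
    "abcdef123456": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
    "meta": {"caaIdentities": ["letsencrypt.org"], "website": "https://letsencrypt.org"},
    "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
    "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
    "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
    "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
}

# Constructed sample: an RFC 8555 directory (key names are from the RFC; URLs are illustrative).
V2_SAMPLE = {
    "abcdef123456": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "keyChange": "https://example-ca.invalid/acme/key-change",
    "meta": {"caaIdentities": ["example-ca.invalid"], "website": "https://example-ca.invalid"},
    "newAccount": "https://example-ca.invalid/acme/new-acct",
    "newNonce": "https://example-ca.invalid/acme/new-nonce",
    "newOrder": "https://example-ca.invalid/acme/new-order",
    "revokeCert": "https://example-ca.invalid/acme/revoke-cert",
}


if __name__ == "__main__":
    for name, sample in (("v1 sample", V1_SAMPLE), ("v2 sample", V2_SAMPLE)):
        try:
            require_v2_directory(sample, name)
            print("{}: OK, ACME v2 directory".format(name))
        except ValueError as err:
            print("{}: rejected: {}".format(name, err))
```

Calling require_v2_directory on the v1 dump fails with a message that names the problem and the v2 directory URL, whereas the v2 sample passes through unchanged, which is the behaviour you want in the spot where directory['newAccount'] is first looked up.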

felixfontein commented 5 years ago

acme-tiny is now ACME v2 only. So it is expected to not work with the Let's Encrypt ACME v1 endpoint. Where do you see compatibility code for ACME v1? I guess that could be removed to make the code shorter.

alexAubin commented 5 years ago

From what I understand it's here (cf. the comment at the end of the line)? https://github.com/diafygi/acme-tiny/blob/master/acme_tiny.py#L105

felixfontein commented 5 years ago

No, that's only because the CA parameter is deprecated, and directory_url is preferred. That's related to people using acme_tiny as a library, not to whether ACME v1 or v2 is used.

alexAubin commented 5 years ago

Ah yes, indeed :sweat_smile: Well, I guess it's okay then; it can probably be flagged as "not an actual issue" or idk ... (To be honest, I do use the code as a library and just brutally updated the code and found out about this :sweat_smile:)

felixfontein commented 5 years ago

It's best to stick to the current version of acme_tiny (and the directory_url argument), especially since ACME v2 is here to stay (the protocol is now an RFC: https://tools.ietf.org/html/rfc8555). The ACME v1 endpoint will gradually be shut down, starting in November 2019 until it is completely turned off in June 2021 (see https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for what will probably stop working when).

diafygi commented 5 years ago

Correct, ACME v2 is the only API supported at this point.