fszlin / certes

A client implementation for the Automated Certificate Management Environment (ACME) protocol
MIT License

Error Accessing Existing Account #316

Closed InteXX closed 11 months ago

InteXX commented 11 months ago

Per the documentation, we're to use an existing ACME account like so:

// Load the saved account key
var accountKey = KeyFactory.FromPem(pemKey);

But there's no discussion on where to get this key if we have an account but have never renewed using Certes.

I tried using both a .DER and a .PEM as exported from my website's TLS certificate (by Let's Encrypt), but I encountered errors with each:

  1. DER — "illegal object in GetInstance: Org.BouncyCastle.Asn1.DerSequence"
  2. PEM — "Specified method is not supported"

Clearly I'm using the wrong .DER/.PEM. But where are the correct ones?

Where are we supposed to get these from?

--EDIT--

Here's my code:

Dim oAuthorization As IAuthorizationContext
Dim oPrivateKey As IKey
Dim oChallenge As IChallengeContext
Dim oPublicKey As IKey
Dim oAccount As IAccountContext
Dim sDnsText As String
Dim oResult As Challenge
Dim sPemKey As String
Dim aDerKey As Byte()
Dim oChain As CertificateChain
Dim oOrder As IOrderContext
Dim oAcme As AcmeContext
Dim oInfo As CsrInfo
Dim oEx As Exception

Try
  sPemKey = File.ReadAllText("E:\Users\Work\Desktop\domain.com.pem")
  aDerKey = File.ReadAllBytes("E:\Users\Work\Desktop\domain.com.der")
  oPublicKey = KeyFactory.FromPem(sPemKey)
  oPublicKey = KeyFactory.FromDer(aDerKey)
  oAcme = New AcmeContext(WellKnownServers.LetsEncryptStagingV2, oPublicKey)
  oAccount = Await oAcme.Account
  oOrder = Await oAcme.NewOrder(Domains)
  oAuthorization = (Await oOrder.Authorizations).First
  oChallenge = Await oAuthorization.Dns
  sDnsText = oAcme.AccountKey.DnsTxt(oChallenge.Token)

  Do            ' <----- Prototype: will break here for manual addition of TXT record to DNS
    Await Task.Delay(1000)
    oResult = Await oChallenge.Validate
  Loop Until oResult.Status.Value <> ChallengeStatus.Processing   ' <----- What's the difference between Pending and Processing?

  If oResult.Status.Value = ChallengeStatus.Valid Then
    oInfo = New CsrInfo With {
      .CountryName = "SomeCountry",
      .State = "SomeState",
      .Locality = "SomeTown",
      .Organization = "SomeOrg",
      .OrganizationUnit = "SomeUnit",
      .CommonName = "domain.com"
    }

    oPrivateKey = KeyFactory.NewKey(KeyAlgorithm.ES256)
    oChain = Await oOrder.Generate(oInfo, oPrivateKey)

    sPemKey = oChain.ToPem
    File.WriteAllText("E:\Users\Work\Desktop\domain2.com.pem", sPemKey)
  End If

Catch ex As Exception
  oEx = ex

End Try

InteXX commented 11 months ago

Per Let's Encrypt support, new account creation has minimal impact. Accounts are not tied to email addresses and addresses can be used multiple times; they are not unique identifiers.

The only impact in the case of a lost (or unavailable) key and subsequent new account creation will be the loss of any rate limiting adjustment previously requested and delegated to the old account.

That said, it may be preferable to obtain and store the account key for future use, after creating a new account because no key was available. That decision, of course, depends upon each individual use case.
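The approach described in the comment above (create a new account when no key is available, then persist the account key for later runs) as an added C# example; it is not code from the Certes project or from the issue author. It assumes a file path `acme-account.pem` and uses the Let's Encrypt staging directory; the account key it saves is the key Certes generates for the ACME account, which is distinct from the TLS certificate's key and cannot be recovered from an exported certificate.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Certes;
using Certes.Acme;

static class AccountKeyStore
{
    // Location of the persisted ACME account key (constructed path for this example).
    // The file holds a private key: keep it out of source control and restrict read access.
    const string KeyPath = "acme-account.pem";

    // Returns an AcmeContext bound to the existing account when a saved key is present;
    // otherwise registers a new account and saves its key so the next run can reuse it.
    public static async Task<AcmeContext> GetOrCreateAccountAsync(Uri directory, string email)
    {
        if (File.Exists(KeyPath))
        {
            // This PEM is the account key exported by AccountKey.ToPem(), not a certificate.
            IKey accountKey = KeyFactory.FromPem(File.ReadAllText(KeyPath));
            var acme = new AcmeContext(directory, accountKey);
            await acme.Account();   // fails if this key is not registered with the directory
            return acme;
        }

        // No saved key: Certes generates a fresh ES256 account key inside AcmeContext.
        var fresh = new AcmeContext(directory);
        await fresh.NewAccount(email, termsOfServiceAgreed: true);
        File.WriteAllText(KeyPath, fresh.AccountKey.ToPem());
        return fresh;
    }

    static async Task Main()
    {
        var acme = await GetOrCreateAccountAsync(WellKnownServers.LetsEncryptStagingV2,
                                                 "admin@example.com");   // placeholder contact
        Console.WriteLine($"Account key in use, thumbprint-bearing context ready: {acme.AccountKey != null}");
    }
}
```

On the second run the saved key is loaded and `Account()` resolves the existing account, so no new account is created and any rate-limit adjustments tied to it are retained.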