Compliance with ACMEv2 POST-as-GET API update

[delormejonathan]

Update http wrappers with a retry mecanism to avoid random API errors Add new http wrappers (ACME.get() & ACME.postAsGet()) to comply with POST-as-GET directive

Tested in ACMEv2 staging and production environment.

Note : i'm not a LUA developer, any comments are welcome

[anezirovic]

Hello, sorry for the delay, I'll review and test changes this week and probably merge it as is (the code looks fine to me).

Thank you for the contribution!

[mdeneen]

I have some certificates which will expire in about 20 days. I guess that I'll try this commit and see how things go.

[croaklumpish]

@mdeneen did it work for you?

I'm tried it and got the same result as with the current master version (ie. no pem, no output, just a 500 disconnect).

Please let me know. We also have certs that will expire soon-ish.

Thanks!

[mdeneen]

@croaklumpish No, it did not. I ended up using certbot temporarily.

[delormejonathan]

Did you restart HAProxy service ? a reload is not enough Did you update your letsencrypt-x3-ca-chain.pem with the latest certs ? (see README)

I have a debug version of this script : https://gist.github.com/delormejonathan/fe1abef007234e6f89e33318ac2d546f

Could you post the log output with this debug version ?

[nezirus]

Hey guys, it's nice to see the discussion going on. I've added ACME draft docs and diff in the latest commit, for easier comparison. If it easier for you, I'm available for chat today in the official slack channel.

[anezirovic]

It took me a while to figure out that we might have some internal Lua API problems (applet:receive() doesn't work correctly) in later HAProxy versions (2.2 and later). I've only tested with Lua 5.4. Will retest the other Lua versions and submit necessary patches for HAProxy core Lua bindings.

However, the ACME Lua code works as is on HAProxy 2.0 and 2.1, tested it with Let's Encrypt staging and prod environments, real certs got issued. Hence, I've merge it.

Thanks again @delormejonathan, nice work! I've expected that major modifications were necessary for v2 ACME API, nice to be wrong.