janeczku / haproxy-acme-validation-plugin

:four_leaf_clover: Zero-downtime ACME / Let's Encrypt certificate issuing for HAProxy
MIT License

Wildcard and ACME v2 support? #19

Open jamshid opened 5 years ago

jamshid commented 5 years ago

Thanks for this, it's been working great for the past couple of years, but I'm wanting to get a wildcard certificate and the Let's Encrypt FAQ says that requires the ACME v2 API. This tool uses the v1 API.

Are there plans to upgrade this tool to v2 or should I switch to https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/ ?

rmbolger commented 5 years ago

Unfortunately, an ACME v2 version of the plugin won't actually enable you to get a wildcard certificate because wildcard certs require using the DNS challenge rather than the HTTP challenge. From the community forums:

> Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you'll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

So the only thing migrating this ACME validation plugin to v2 does is ensure it continues to work if/when Let's Encrypt turns off v1 support. As far as I know, there's no established timeline for that yet particularly considering the v2 spec is still in draft status.

mdeneen commented 4 years ago

There is a timeline now. :-)

https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

zenny commented 3 years ago

> Unfortunately, an ACME v2 version of the plugin won't actually enable you to get a wildcard certificate because wildcard certs require using the DNS challenge rather than the HTTP challenge. From the community forums:
>
> > Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you'll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.
>
> So the only thing migrating this ACME validation plugin to v2 does is ensure it continues to work if/when Let's Encrypt turns off v1 support. As far as I know, there's no established timeline for that yet particularly considering the v2 spec is still in draft status.

@janeczku With LE's policy of not allowing ACME-v01 for new authorizations, it would be nice if this plugin got updated to accommodate ACME-v02, as ACME-v01 gets deprecated in November 2020.

Cheers, and stay safe,

mdeneen commented 3 years ago

Zenny,

It looks like HAProxy has integrated their own ACME v2 support: https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/

-M

jamshid commented 3 years ago

Hmm, that blog article was deleted; here is a snapshot: https://web.archive.org/web/20180623203616/https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/ It seems to reference this GitHub project, but that plugin might not be working with the latest Let's Encrypt (https://github.com/haproxytech/haproxy-lua-acme/issues/5)? I guess ACME v2 really was a draft and it went through late changes. https://github.com/haproxytech/haproxy-lua-acme

ryansch commented 3 years ago

I'm using acme-http01-webroot.lua with certbot. The http-01 challenge is still supported in ACME v2, so I would assume this project would continue working.

Did I miss something?
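Both observations in this thread, that http-01 survives unchanged in ACME v2 and that a wildcard name forces dns-01, come down to how the two challenge responses are derived from the same key authorization (RFC 8555 sections 8.1, 8.3 and 8.4, with the account-key thumbprint from RFC 7638). The following Python is an added example written for this page; it is not code from this plugin, from certbot or from HAProxy. The account key, token and host names are constructed placeholders, and the webroot directory is whatever you pass in (the plugin's own default location is not assumed here).

```python
"""ACME challenge responses from one key authorization (RFC 8555).

Added example, standard library only. SAMPLE_JWK is a constructed,
non-functional RSA public key: the thumbprint only needs its fields.
"""
import base64
import hashlib
import json
import os
import re
from typing import Dict, List, Tuple

# Constructed placeholders, not real key material or a real CA token.
SAMPLE_JWK: Dict[str, str] = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 8555 s8.3: tokens are base64url characters only. Enforcing this before
# touching the filesystem keeps a hostile token from becoming a path traversal.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    return bool(_TOKEN_RE.match(token))


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: only the required public members, keys sorted, no whitespace,
    SHA-256, base64url. Private members (d, p, q) and optional ones (kid, alg)
    must not change the value, so they are deliberately dropped here."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 s8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url")
    return token + "." + jwk_thumbprint(jwk)


def http01_response(token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Path the CA fetches over plain HTTP on port 80 and the exact body it expects.
    This is the same in ACME v1 and v2, which is why an http-01 webroot keeps working."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, jwk)


def write_http01_challenge(webroot: str, token: str, jwk: Dict[str, str]) -> str:
    """Drop the challenge file under a webroot so a proxy can serve it. Returns the file path."""
    path, body = http01_response(token, jwk)
    full = os.path.join(webroot, path.lstrip("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="ascii") as fh:
        fh.write(body)
    return full


def dns01_txt_value(name: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """RFC 8555 s8.4: TXT record name and value. The value is the SHA-256 of the key
    authorization, not the key authorization itself, and the record goes under the
    base name even when the identifier is a wildcard."""
    base = name[2:] if name.startswith("*.") else name
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return "_acme-challenge." + base, b64url(digest)


def validation_plan(identifiers: List[str]) -> Dict[str, List[str]]:
    """Which challenge types can satisfy each identifier. Let's Encrypt offers only
    dns-01 for wildcard identifiers, so an http-01-only setup cannot order them."""
    plan: Dict[str, List[str]] = {}
    for name in identifiers:
        if name.startswith("*."):
            if "*" in name[2:]:
                raise ValueError("only a single leftmost wildcard label is allowed: " + name)
            plan[name] = ["dns-01"]
        elif "*" in name:
            raise ValueError("wildcard must be the leftmost label: " + name)
        else:
            plan[name] = ["http-01", "dns-01"]
    return plan


if __name__ == "__main__":
    import tempfile

    print(validation_plan(["example.com", "*.example.com"]))
    print(http01_response(SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_txt_value("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print(write_http01_challenge(tempfile.mkdtemp(), SAMPLE_TOKEN, SAMPLE_JWK))
```

Two details matter for an operator reading this thread: the http-01 body and the dns-01 TXT value are computed from the same key authorization, so a v2 client reusing the account key produces exactly what a v1-era webroot would have served; and the wildcard branch of `validation_plan` is the reason migrating the plugin to v2 on its own does not yield a wildcard certificate.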