search

shred / acme4j

Java client for ACME (Let's Encrypt)
https://acme4j.shredzone.org
Apache License 2.0
517 stars 94 forks source link

Allow AcmeServerException to accept multiple Problems #167

Open cowwoc opened 1 week ago

cowwoc commented 1 week ago

If you order a certificate for multiple domains, you will end up with multiple Problems (one per challenge that failed). Can you please have AcmeServerException accept a list of problems? You can keep the existing methods, if necessary, and have them return the first entry in the list. You can add new methods getTypes() and getProblems() to return the new list.

shred commented 1 week ago

For errors on multiple identifiers, the CA is supposed to use subproblems (see RFC 8555 Section 6.7.1). Maybe it would be more useful to adapt this, e.g. by collecting all problems into sub-problems of a newly created parent problem.

cowwoc commented 1 week ago

@shred That sounds like the right way to go. So for reference, I'm using Let's Encrypt's staging server, using the http-01 challenge, and requesting a certificate for two domains (e.g. foo.redacted.com and redacted.com)

In my case, the order.getStatus() returns INVALID but order.getError() returns Optional.empty(). I believe this is a bug (maybe in Let's Encrypt) because if you invoke order.getAuthorizations() you will get two entries, one of which returns this JSON:

{
    "identifier": {
        "type": "dns",
        "value": "foo.redacted.app"
    },
    "status": "invalid",
    "expires": "2024-10-22T16:38:07Z",
    "challenges": [
        {
            "type": "http-01",
            "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14439560183/-pBobg",
            "status": "invalid",
            "validated": "2024-10-15T16:38:07Z",
            "error": {
                "type": "urn:ietf:params:acme:error:connection",
                "detail": "104.247.245.31: Fetching https://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo: Connection refused",
                "status": 400
            },
            "token": "JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
            "validationRecord": [
                {
                    "url": "http://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
                    "hostname": "foo.redacted.app",
                    "port": "80",
                    "addressesResolved": [
                        "104.247.245.31",
                        "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
                    ],
                    "addressUsed": "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
                },
                {
                    "url": "http://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
                    "hostname": "foo.redacted.app",
                    "port": "80",
                    "addressesResolved": [
                        "104.247.245.31",
                        "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
                    ],
                    "addressUsed": "104.247.245.31"
                },
                {
                    "url": "https://foo.redacted.app/.well-known/acme-challenge/JaU15BF1GdSW8W6ZodfDhthoHXZ7BUT-_kfC0CQ7XHo",
                    "hostname": "foo.redacted.app",
                    "port": "443",
                    "addressesResolved": [
                        "104.247.245.31",
                        "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
                    ],
                    "addressUsed": "2607:f2c0:b000:100:8036:ed1e:8927:fa5b"
                }
            ]
        }
    ]
}

Regardless of who's at fault, it would be better if acme4j returned a Problem with one sub-problem per failed authorization. Agreed?