From: Lukas Schauer Date: Tue, 6 Feb 2018 20:57:01 +0000 (+0100) Subject: read url to terms of service from ca directory X-Git-Tag: v0.6.0~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dec5ad58400572ad95dc066c9e7273b5a647cf78;p=thirdparty%2Fdehydrated.git read url to terms of service from ca directory --- diff --git a/CHANGELOG b/CHANGELOG index 6281cf7..828f144 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -4,6 +4,7 @@ This file contains a log of major changes in dehydrated ## [x.x.x] - xxxx-xx-xx ## Changed - Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support) +- Removed LICENSE parameter from config (terms of service is now acquired directly from the CA directory) ## Added - Support for ACME v02 (including wildcard certificates!) diff --git a/dehydrated b/dehydrated index 375c907..80db794 100755 --- a/dehydrated +++ b/dehydrated @@ -111,8 +111,6 @@ load_config() { # Default values CA="https://acme-v01.api.letsencrypt.org/directory" - CA_TERMS="https://acme-v01.api.letsencrypt.org/terms" - LICENSE= CERTDIR= ACCOUNTDIR= CHALLENGETYPE="http-01" @@ -275,6 +273,7 @@ init_system() { CA_NEW_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-cert)" && CA_NEW_AUTHZ="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-authz)" && CA_NEW_REG="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-reg)" && + CA_TERMS="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value terms-of-service)" && CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revoke-cert)" || _exiterr "Problem retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint." # Since reg URI is missing from directory we will assume it is the same as CA_NEW_REG without the new part 
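Review bot: The new `CA_TERMS="$(... | get_json_string_value terms-of-service)" &&` line in the v1 directory hunk sits inside the `&&` chain that ends in `_exiterr`, yet `terms-of-service` is an optional `meta` entry of the directory, unlike the resource URLs around it. Whether a directory without it aborts with "Problem retrieving ACME/CA-URLs" or silently leaves CA_TERMS empty depends on how get_json_string_value exits on no match, which is not visible in this diff; neither outcome is handled, and CA_TERMS is later both shown to the user as the terms URL and sent as the `agreement` value. I would parse it after the chain so the optional case is explicit: `CA_TERMS="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value terms-of-service)" || CA_TERMS=""` preceded by the comment `# optional in the directory; empty means the CA publishes no terms of service`. init_system() starts before this hunk and continues past it.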
@@ -284,6 +283,7 @@ init_system() { CA_NEW_ORDER="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newOrder)" && CA_NEW_NONCE="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newNonce)" && CA_NEW_ACCOUNT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newAccount)" && + CA_TERMS="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value termsOfService)" && CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revokeCert)" || _exiterr "Problem retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint." # Since acct URI is missing from directory we will assume it is the same as CA_NEW_ACCOUNT without the new part @@ -303,23 +303,12 @@ init_system() { else # Check if private account key exists, if it doesn't exist yet generate a new one (rsa key) if [[ ! -e "${ACCOUNT_KEY}" ]]; then - REAL_LICENSE="$(http_request head "${CA_TERMS}" | (grep Location: || true) | awk -F ': ' '{print $2}' | tr -d '\n\r')" - if [[ -z "${REAL_LICENSE}" ]]; then + if [[ ! "${PARAM_ACCEPT_TERMS:-}" = "yes" ]]; then printf '\n' >&2 - printf 'Error retrieving terms of service from certificate authority.\n' >&2 - printf 'Please set LICENSE in config manually.\n' >&2 + printf 'To use dehydrated with this certificate authority you have to agree to their terms of service which you can find here: %s\n\n' "${CA_TERMS}" >&2 + printf 'To accept these terms of service run `%s --register --accept-terms`.\n' "${0}" >&2 exit 1 fi - if [[ ! "${LICENSE}" = "${REAL_LICENSE}" ]]; then - if [[ "${PARAM_ACCEPT_TERMS:-}" = "yes" ]]; then - LICENSE="${REAL_LICENSE}" - else - printf '\n' >&2 - printf 'To use dehydrated with this certificate authority you have to agree to their terms of service which you can find here: %s\n\n' "${REAL_LICENSE}" >&2 - printf 'To accept these terms of service run `%s --register --accept-terms`.\n' "${0}" >&2 - exit 1 - fi - fi echo "+ Generating account key..." _openssl genrsa -out "${ACCOUNT_KEY}" "${KEYSIZE}" 
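Review bot: The new gate `if [[ ! "${PARAM_ACCEPT_TERMS:-}" = "yes" ]]` prints `${CA_TERMS}` as the URL to read and tells the user to rerun with `--register --accept-terms`, but nothing in the hunk checks that CA_TERMS is non-empty; with a directory that carries no terms entry the message would point at an empty URL and `--accept-terms` would then agree to nothing. Whether such a directory even reaches this point depends on the parsing chain outside this hunk, but the gate itself is cheap to make explicit, e.g. `if [[ -n "${CA_TERMS}" && ! "${PARAM_ACCEPT_TERMS:-}" = "yes" ]]; then` with the comment `# a CA that publishes no terms has nothing to accept`. Separately, when `--accept-terms` is given the script now agrees silently to whatever URL the directory returned; an `echo "+ Accepting terms of service: ${CA_TERMS}"` before the key generation would leave the accepted URL in the run log, which the removed LICENSE setting used to provide implicitly. init_system() starts before this hunk and continues past it.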
@@ -348,9 +337,9 @@ init_system() { if [[ "${FAILED}" = "false" ]]; then if [[ ${API} -eq 1 ]]; then if [[ -n "${CONTACT_EMAIL}" ]]; then - (signed_request "${CA_NEW_REG}" '{"resource": "new-reg", "contact":["mailto:'"${CONTACT_EMAIL}"'"], "agreement": "'"$LICENSE"'"}' > "${ACCOUNT_KEY_JSON}") || FAILED=true + (signed_request "${CA_NEW_REG}" '{"resource": "new-reg", "contact":["mailto:'"${CONTACT_EMAIL}"'"], "agreement": "'"${CA_TERMS}"'"}' > "${ACCOUNT_KEY_JSON}") || FAILED=true else - (signed_request "${CA_NEW_REG}" '{"resource": "new-reg", "agreement": "'"$LICENSE"'"}' > "${ACCOUNT_KEY_JSON}") || FAILED=true + (signed_request "${CA_NEW_REG}" '{"resource": "new-reg", "agreement": "'"${CA_TERMS}"'"}' > "${ACCOUNT_KEY_JSON}") || FAILED=true fi else if [[ -n "${CONTACT_EMAIL}" ]]; then @@ -1445,7 +1434,7 @@ command_help() { command_env() { echo "# dehydrated configuration" load_config - typeset -p CA LICENSE CERTDIR CHALLENGETYPE DOMAINS_D DOMAINS_TXT HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN PRIVATE_KEY_RENEW OPENSSL_CNF CONTACT_EMAIL LOCKFILE + typeset -p CA CERTDIR CHALLENGETYPE DOMAINS_D DOMAINS_TXT HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN PRIVATE_KEY_RENEW OPENSSL_CNF CONTACT_EMAIL LOCKFILE } # Main method (parses script arguments and calls command_* methods) diff --git a/docs/examples/config b/docs/examples/config index 7d6497a..074331d 100644 --- a/docs/examples/config +++ b/docs/examples/config @@ -24,12 +24,6 @@ # Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory) #CA="https://acme-v01.api.letsencrypt.org/directory" -# Path to certificate authority license terms redirect (default: https://acme-v01.api.letsencrypt.org/terms) -#CA_TERMS="https://acme-v01.api.letsencrypt.org/terms" - -# Path to license agreement (default: ) -#LICENSE="" - # Which challenge should be used? Currently http-01 and dns-01 are supported #CHALLENGETYPE="http-01" 
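Review bot: Both new-reg lines splice `"${CA_TERMS}"` into the signed JSON body unescaped, and that value now comes from the CA's directory response rather than the local LICENSE setting it replaces, so remote data reaches the request body without a shape check. A `"` or backslash in the value would corrupt the payload; whether get_json_string_value can let such characters through is not visible in this diff, so a one-line sanity check where CA_TERMS is consumed would close the question: `[[ "${CA_TERMS}" =~ ^https?://[^[:space:]\"\\]+$ ]] || _exiterr "Unexpected terms-of-service URL in CA directory: ${CA_TERMS}"`. The same guard also catches an empty CA_TERMS, which would otherwise be sent as `"agreement": ""`. The enclosing `if [[ "${FAILED}" = "false" ]]` block and init_system() both start before this hunk and continue past it.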
diff --git a/docs/staging.md b/docs/staging.md index 213ff57..297db58 100644 --- a/docs/staging.md +++ b/docs/staging.md @@ -9,5 +9,4 @@ To avoid this, please set the CA property to the Let’s Encrypt staging server ```bash CA="https://acme-staging.api.letsencrypt.org/directory" -CA_TERMS="https://acme-staging.api.letsencrypt.org/terms" ``` diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index bea2c35..2cf421c 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -11,12 +11,6 @@ the current workaround is to move `private_key.pem` (and, if you care, `private_ This will hopefully be fixed in the future. -## "Provided agreement URL [LICENSE1] does not match current agreement URL [LICENSE2]" - -Set LICENSE in your config to the value in place of "LICENSE2". - -LICENSE1 and LICENSE2 are just placeholders for the real values in this troubleshooting document! - ## "Error creating new cert :: Too many certificates already issued for: [...]" This is not an issue with dehydrated but an API limit with boulder (the ACME server).