gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-14 23:28:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(M45): ACME certificate profile selection, ARI RFC 9773 renumber, 45-day renewal positioning

Browse Source 
Three related ACME ecosystem changes shipped as a single milestone:

1. ACME Certificate Profile Selection: Custom JWS-signed newOrder POST with
   `profile` field (e.g., `tlsserver`, `shortlived` for 6-day certs) bypassing
   acme.Client.AuthorizeOrder() since golang.org/x/crypto lacks profile support.
   ES256 JWS signing with kid mode, nonce management, directory discovery.
   Empty profile delegates to standard library path (zero behavior change).
   Configurable via CERTCTL_ACME_PROFILE env var. GUI: profile dropdown on
   ACME issuer config.

2. ARI RFC 9702 → 9773 Renumber: All 25+ references updated across Go source,
   docs, README, and examples. Zero remaining occurrences of RFC 9702.

3. 45-Day / Short-Lived Certificate Positioning: 5 domain tests validating
   renewal thresholds against SC-081v3 validity reduction timeline (200→100→47
   days) and Let's Encrypt 45-day/6-day profiles. ARI (RFC 9773) is the
   expected renewal path for 6-day shortlived certs.

New tests: 13 profile + 5 domain threshold + 1 frontend = 19 new tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Shankar
2026-04-05 13:52:13 -04:00
parent 3cf75ffb73
commit 104ded63ca
21 changed files with 933 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/connector/issuer/acme/acme.go
+18 -3
View File
@@ -56,7 +56,13 @@ type Config struct {
// Required when ChallengeType is "dns-persist-01". For Let's Encrypt, use "letsencrypt.org".
DNSPersistIssuerDomain string `json:"dns_persist_issuer_domain,omitempty"`
// ARIEnabled enables ACME Renewal Information (RFC 9702) support per CERTCTL_ACME_ARI_ENABLED.
// Profile selects the ACME certificate profile for the newOrder request.
// Let's Encrypt supports "tlsserver" (standard TLS, default) and "shortlived" (6-day certs).
// Leave empty for the CA's default profile (backward-compatible).
// See: https://letsencrypt.org/2025/01/09/acme-profiles.html
Profile string `json:"profile,omitempty"`
// ARIEnabled enables ACME Renewal Information (RFC 9773) support per CERTCTL_ACME_ARI_ENABLED.
// When enabled, the connector queries the CA's ARI endpoint to get CA-directed renewal timing.
ARIEnabled bool `json:"ari_enabled,omitempty"`
@@ -184,6 +190,15 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
return fmt.Errorf("invalid challenge_type: %s (must be http-01, dns-01, or dns-persist-01)", cfg.ChallengeType)
}
// Validate profile if set (alphanumeric + hyphens only)
if cfg.Profile != "" {
for _, ch := range cfg.Profile {
if !((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') || ch == '-') {
return fmt.Errorf("invalid profile: %q (must contain only alphanumeric characters and hyphens)", cfg.Profile)
}
}
}
// DNS-01 and DNS-PERSIST-01 require a present script
if (cfg.ChallengeType == "dns-01" || cfg.ChallengeType == "dns-persist-01") && cfg.DNSPresentScript == "" {
return fmt.Errorf("dns_present_script is required for %s challenge type", cfg.ChallengeType)
@@ -355,8 +370,8 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
// Build the list of identifiers (domains)
identifiers := buildIdentifiers(request.CommonName, request.SANs)
// Step 1: Create order
order, err := c.client.AuthorizeOrder(ctx, identifiers)
// Step 1: Create order (with optional profile for CAs that support it)
order, err := c.authorizeOrderWithProfile(ctx, identifiers, c.config.Profile)
if err != nil {
return nil, fmt.Errorf("failed to create ACME order: %w", err)
}