Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement latest draft-ietf-acme-ari spec #461

Merged
merged 21 commits into from
May 24, 2024
Merged

Implement latest draft-ietf-acme-ari spec #461

merged 21 commits into from
May 24, 2024

Conversation

pgporada
Copy link
Member

@pgporada pgporada commented May 2, 2024
edited

The draft spec version at the time of this PR was draft-ietf-acme-ari-03, but failed replacement order handling is from the yet-to-be-released draft-ietf-acme-ari-04.

  • Add a renewalInfo entry to the directory object which provides the base URL for ARI requests.
  • Add a new WFE handlefunc which parses incoming requests and returns reasonable renewalInfo for determining when the client should attempt renewal of a certificate.
  • Add support for marking orders as replaced. Replacement orders can be chained, but there can be no duplicate replacement of orders, just like boulder.
  • Restructured the asynchronous finalization anonymous go func to handle storing replaced orders. To be replaced, an order must previously have been finalized and have an issued certificate.

Fixes #403

@pgporada pgporada mentioned this pull request May 2, 2024
Closed
@pgporada
Copy link
Member Author

pgporada commented May 10, 2024
edited

I've got a fork of eggsampler/acme that I've been working against. To test that against this branch:

# In the pebble dir
$ tmux

# Run challtestsrv, version doesn't particularly matter because we're not touching this code
$ docker rm challtestsrv 2>&1; docker run -p 5001:5001 -p 5002:5002 -p 5003:5003 -p 8053:8053 -p 8055:8055 -p 8443:8443 --name challtestsrv ghcr.io/letsencrypt/pebble-challtestsrv:latest

# Get the IP of that container
$ CHALLTESTSRV=$(docker inspect challtestsrv | jq -r '.[].NetworkSettings.Networks.bridge.IPAddress')

# Run pebble
$ go run cmd/pebble/main.go -config ./test/config/pebble-config.json -dnsserver ${CHALLTESTSRV}:8053

-----------------------------
# In the eggsampler repo
$ export PEBBLE_PATH=/path/to/pebble/on/your/computer
$ go test -test.run TestClient_IssueReplacementCert

@pgporada
Copy link
Member Author

pgporada commented May 14, 2024
edited

Replacement orders are now supported

Pebble 2024/05/14 16:36:21 Order "6it4fspAVD-CNbSI06L4iPf9l29mNpL6rkQi-XnICBo" is not a replacement
Pebble 2024/05/14 16:36:21 There are now 1 orders in the db
Pebble 2024/05/14 16:36:28 Order "4gw9BYS8UnmQnymq8HnxSQA8hOs5le0SkB34Ux1cfDQ" is a replacement of "6it4fspAVD-CNbSI06L4iPf9l29mNpL6rkQi-XnICBo"
Pebble 2024/05/14 16:36:28 There are now 2 orders in the db
Pebble 2024/05/14 16:37:11 Order "vOKNgiDK8aoTvYWC8Q6GJp49UYK-iGPD34vBDEwhnTs" is not a replacement
Pebble 2024/05/14 16:37:11 There are now 3 orders in the db
Pebble 2024/05/14 16:37:20 Order "s7mJpikMeEy8OL57wlwB54_kakew2g6ns6nit8VWuKQ" is a replacement of "vOKNgiDK8aoTvYWC8Q6GJp49UYK-iGPD34vBDEwhnTs"
Pebble 2024/05/14 16:37:20 There are now 4 orders in the db

aarongable
aarongable reviewed May 14, 2024
View reviewed changes
wfe/wfe.go Outdated Show resolved Hide resolved
wfe/wfe.go Outdated Show resolved Hide resolved
wfe/wfe.go Outdated Show resolved Hide resolved
wfe/wfe.go Outdated Show resolved Hide resolved
wfe/wfe.go Outdated Show resolved Hide resolved
wfe/wfe.go Show resolved Hide resolved
@pgporada
Copy link
Member Author

pgporada commented May 17, 2024
edited

There's a race condition in wfe.FinalizeOrder at existingOrder := wfe.db.GetOrderByID(orderID) causing an error during manual testing with my eggsample/acme fork.

=== RUN   TestClient_IssueReplacementCert
    ari_test.go:66: Issuing initial order
    ari_test.go:73: Issuing first replacement order
    ari_test.go:80: Issuing second replacement order
    ari_test.go:83: unexpected error: acme: error code 403 "urn:ietf:params:acme:error:orderNotReady": Order's status ("pending") was not ready

vs

=== RUN   TestClient_IssueReplacementCert
    ari_test.go:66: Issuing initial order
    ari_test.go:73: Issuing first replacement order
    ari_test.go:80: Issuing second replacement order
    ari_test.go:87: Should not be able to create a duplicate replacement
--- PASS: TestClient_IssueReplacementCert (19.05s)
PASS

EDIT: This whole entire detour was actually an implementation bug in my eggsampler fork. 🤦🏼

@pgporada pgporada changed the title Begin implementing draft-ietf-acme-ari-03 Implement draft-ietf-acme-ari-03 May 17, 2024
@pgporada pgporada marked this pull request as ready for review May 17, 2024 18:39
@pgporada pgporada requested review from a team, jsha, aarongable and beautifulentropy and removed request for a team May 17, 2024 18:39
@pgporada pgporada mentioned this pull request May 17, 2024
Merged
aarongable
aarongable reviewed May 20, 2024
View reviewed changes
ca/ca.go Outdated Show resolved Hide resolved
core/types.go Outdated Show resolved Hide resolved
db/memorystore.go Outdated Show resolved Hide resolved
wfe/wfe.go Outdated Show resolved Hide resolved
wfe/wfe.go Outdated Show resolved Hide resolved
wfe/wfe.go Outdated Show resolved Hide resolved
wfe/wfe.go Outdated Show resolved Hide resolved
aarongable
aarongable previously approved these changes May 20, 2024
View reviewed changes
ca/ca.go Outdated Show resolved Hide resolved
va/va.go Show resolved Hide resolved
@pgporada pgporada requested a review from aarongable May 21, 2024 14:13
@pgporada pgporada changed the title Implement draft-ietf-acme-ari-03 Implement latest draft-ietf-acme-ari spec May 21, 2024
aarongable
aarongable previously approved these changes May 23, 2024
View reviewed changes
beautifulentropy
beautifulentropy previously approved these changes May 23, 2024
View reviewed changes
Copy link
Member

@beautifulentropy beautifulentropy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for taking the time to get this added to Pebble!

Some nits regarding contexts that we're dropping, but nothing that means we can't merge. I think these are just some contexts params from the Boulder implementation which aren't necessary in the Pebble implementation?

wfe/wfe.go Show resolved Hide resolved
wfe/wfe.go Outdated Show resolved Hide resolved
@pgporada pgporada dismissed stale reviews from beautifulentropy and aarongable via 5940490 May 23, 2024 23:09
@pgporada pgporada merged commit db1f587 into main May 24, 2024
14 checks passed
@pgporada pgporada deleted the pARtI branch May 24, 2024 16:06
@orangepizza
Copy link
Contributor

it's sad that this mission latest release by just a day 😢

@pgporada
Copy link
Member Author

pgporada commented May 25, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aarongable aarongable aarongable approved these changes

@beautifulentropy beautifulentropy beautifulentropy approved these changes

@jsha jsha Awaiting requested review from jsha jsha was automatically assigned from letsencrypt/boulder-developers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ACME Renewal Information (ARI)
4 participants
@pgporada @orangepizza @aarongable @beautifulentropy