jgnagy / bullion Goto Github PK

Hi, it's me again :)

I'm not sure if I'm doing something wrong but when trying to request a cert with certbot like so:
certbot certonly --server http://acme.example.com:9292/acme/directory --domain ldap.example.com --standalone

I get this error:
An unexpected error occurred: acme.errors.ClientError: "up" Link header missing

I'm sure I must have overlooked something - can you tell me what I'm doing wrong?
Thanks!

The keyChange is provided by the directory, but it isn't actually supported yet...

Per the ACMEv2 RFC, servers should implement the EdDSA JWT signature algorithm.

the expected challenge thumbprint doesn't match the one provided by the certbot server.
not sure how certbot even learns what thumbprint it should provide so I couldn't debug more, sorry.
this is what I have (I added the debug output):

`10.9.10.10 - - [28/Jan/2024:06:24:32 +0000] "POST /acme/authorizations/4 HTTP/1.1" 200 - 0.0091
D, [2024-01-28T06:24:32.407556 #24341] DEBUG -- : HTTP-01 connected to http://ldap.example.com/.well-known/acme-challenge/Hh7FIHd8HzmI4tOezqa7XNtyTjlbUhSTGkBE3ZyC3PLGrYcn

D, [2024-01-28T06:24:32.410131 #24341] DEBUG -- : Chlnge Token: Hh7FIHd8HzmI4tOezqa7XNtyTjlbUhSTGkBE3ZyC3PLGrYcn, thumbprint: fd95c98168b6eba6f84c29400ec4562e5d1196e5bff710b8a5e755a7d421f21b

D, [2024-01-28T06:24:32.410201 #24341] DEBUG -- : Result Token: Hh7FIHd8HzmI4tOezqa7XNtyTjlbUhSTGkBE3ZyC3PLGrYcn, thumbprint: 6KTbsniqZCH95q3Zp0gCGGf6vH9EI0muO054n4LKm_Q`

Hello,

when trying to use this for a new CA I get this error when trying to create a new account.

OpenSSL::PKey::PKeyError - pkeys are immutable on OpenSSL 3.0

This seems to be a problem in lib/bullion/helpers/ssl.rb:48.

Any chance you could fix this for use with OpenSSL 3.0?

Thanks!

Most modern CA's support OCSP and so should Bullion.

There aren't any rspec tests for the challenge clients. This requires controlling how the clients actually perform their challenge verification.

The revokeCert is provided by the directory, but it isn't actually supported yet...

Technically, it should be possible to support ECDSA for certificates, but it needs to be verified via testing.

While the current CI process produces a Docker image, it isn't published automatically yet. Roxanne is capable of this, so this functionality should be added.

Current testing doesn't cover actual challenge thumbprint verification because of the rspec challenge clients.

Given the abstract Bullion::ChallengeClient class, it should be possible to modularize challenge clients to support custom types for non-standard use-cases.

Bullion should be refactored to support custom plugins for new challenge types.

Hi,

I'm not sure how to describe this but issued certificates seem invalid.
I checked the fullchain.pem on https://tools.keycdn.com/ssl and it is not happy.
openssl verify also gives me this:
error 7 at 0 depth lookup: certificate signature failure
If you need more info let me know.

Edit: I'm still using certbot