Asynchronous support for certificate issuance?


#1

Why doesn’t certbot support the certbot spec in terms of how certificates are generated?

Here’s the relevant part of the spec:

That section states that certificates do not have to be generated at the time of the new-cert request. If the certificate cannot be generated, the server should respond with an empty response along with a URL that can be polled in order to get the certificate.

I looked at the certbot code related to this and certbot doesn’t implement this. certbot only works when the certificate is downloaded at the time of the new-cert request.

Are there plans to add this support? This is a big departure from the letsencrypt acme spec, let alone the original acme spec.

Thanks.


#2

I’m not sure if Boulder uses that part of the specs… Without other CAs using ACME, there’s currently no apparent reason to code that feature into certbot.


#3

Hi @laran,

I replied to both your Boulder comment and the Certbot comment that asked this question already.

You’re looking at the wrong specification! That’s the very first draft of ACME and isn’t the correct GitHub repo. At the top of the letsencrypt/acme-spec repo it says that it is deprecated. Please refer to my response on the Boulder comment, the IETF repo and the current draft.


#4

That helps @cpu. Thank you. But certbot is even further from the official spec than it is from the deprecated version that I was looking at. certbot doesn’t support applications, let alone orders.

Are certbot and letsencrypt planning to move toward the official spec draft (orders, etc.)?

Thanks.


#5

Yup! We also characterize the places we know Boulder diverges from the most current draft in the Boulder documentation.

Once the specification has been finalized, the Boulder team intends to support the order flow and the other changes that have bubbled up since draft-03 as a new ACME endpoint for Boulder. We haven’t announced a specific target date to switch over (until it is finalized as an RFC, the specification is a moving target).

We’ve also started developing a test harness that uses the new order flow under the pebble repository. Similarly, @jsha has been working on Certbot side changes to support the newer protocol in a separate “acme-v2” branch on Certbot (right now the changes are limited to the acme module and the chisel2 tool, not the certbot command).
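Both the asynchronous issuance described in the first post (poll a URL until the certificate exists) and the order flow mentioned here come down to the same client behaviour: fetch the order, look at its status, honour Retry-After, and stop on a terminal state. The following is an added example of that polling loop, not code from Certbot, Boulder or the acme module. It uses the order statuses from the current ACME draft (pending, ready, processing, valid, invalid) and assumes a constructed in-memory stand-in for the CA; the URLs, the `FakeCA` class and the `Response` type are all hypothetical and exist only to make the example runnable offline.

```python
import json
import time
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal HTTP response shape used by the example (hypothetical, not an ACME library type)."""
    status: int
    headers: dict
    body: bytes


class OrderFailed(Exception):
    """The order reached "invalid", or the CA answered with something the client cannot act on."""


class PollTimeout(Exception):
    """The order never reached a terminal state within max_attempts polls."""


def retry_after(headers, default=1.0, cap=30.0):
    """Honour a delta-seconds Retry-After header but clamp it.

    Clamping matters: a CA (or an on-path attacker) that returns a huge value
    should not be able to stall the client indefinitely. The HTTP-date form of
    Retry-After is not parsed here and falls back to the default.
    """
    raw = headers.get("Retry-After")
    try:
        secs = float(raw)
    except (TypeError, ValueError):
        return default
    return max(0.0, min(secs, cap))


def poll_order(fetch, order_url, max_attempts=10, sleep=time.sleep, cap=30.0):
    """Poll order_url until the order is "valid" or "invalid".

    fetch(url) -> Response. Returns the certificate URL once the order is valid.
    "pending", "ready" and "processing" are all non-terminal and keep polling;
    anything else is treated as an error rather than silently retried.
    """
    for attempt in range(1, max_attempts + 1):
        resp = fetch(order_url)
        if resp.status != 200:
            raise OrderFailed(f"unexpected HTTP {resp.status} while polling {order_url}")
        order = json.loads(resp.body)
        status = order.get("status")
        if status == "valid":
            cert_url = order.get("certificate")
            if not cert_url:
                raise OrderFailed("order is valid but carries no certificate URL")
            return cert_url
        if status == "invalid":
            raise OrderFailed(f"order failed: {order.get('error')}")
        if status not in ("pending", "ready", "processing"):
            raise OrderFailed(f"unknown order status {status!r}")
        if attempt < max_attempts:
            sleep(retry_after(resp.headers, cap=cap))
    raise PollTimeout(f"order {order_url} not terminal after {max_attempts} polls")


class FakeCA:
    """Constructed stand-in for a CA that issues asynchronously (not a real ACME server).

    The first `polls_until_issued` polls answer "processing" with a Retry-After
    hint; the next one answers "valid" with a certificate URL.
    """

    def __init__(self, polls_until_issued=2):
        self.calls = 0
        self.remaining = polls_until_issued

    def fetch(self, url):
        self.calls += 1
        if self.remaining > 0:
            self.remaining -= 1
            body = {"status": "processing", "finalize": url + "/finalize"}
            return Response(200, {"Retry-After": "2"}, json.dumps(body).encode())
        body = {"status": "valid", "certificate": "https://ca.example/acme/cert/abc123"}
        return Response(200, {}, json.dumps(body).encode())


def demo():
    """Run the loop against the fake CA; returns (certificate URL, polls made, waits requested)."""
    ca = FakeCA()
    waits = []  # record sleeps instead of actually sleeping
    cert_url = poll_order(ca.fetch, "https://ca.example/acme/order/1", sleep=waits.append)
    return cert_url, ca.calls, waits


if __name__ == "__main__":
    print(demo())
```

The `sleep` parameter is injected so the loop can be exercised without real delays; a production client would pass `time.sleep` and would additionally bound total wall-clock time, not just the number of polls.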


#6

Perfect answer 🙂 +1 Thanks!


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.