Help..this is new to me


#1

I am using https://github.com/ebekker/ACMESharp as the ACME client and stumbling through trying to figure out how to eventually get a certificate. So far I’m stuck on completing challenges.

I have made a registration and I got back a URL that looked like https://acme-v01.api.letsencrypt.org/acme/authz/{randomGUID1}

When I enter that URL into my browser I see something like this.

{
  "identifier": {"type": "dns", "value": "{mydomain.com}"},
  "status": "pending",
  "expires": "2016-01-07T17:35:37Z",
  "challenges": [
    {"type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/{randomGUID2}/3658493", "token": "{randomToken1}"},
    {"type": "tls-sni-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/{randomGUID2}/3658494", "token": "{randomToken2}"}
  ],
  "combinations": [[0], [1]]
}

I think I understand that this represents 2 challenges for me to do [http-01 and tls-sni-01]. I have access to the domain settings and the web application. How do I complete these challenges manually?

I expect to have to change some information on the DNS and/or add a file to the website, but I don’t know exactly what to do.

Thanks and I hope this makes sense.


#2

OK, let me get this straight… You’re using some sort of client, but also enter protocol-specific URIs into your browser? Isn’t that contradictory? The client should handle all those authz URIs, right? Why do you enter them into your browser?


#3

Well, I just wanted to look at it in my browser to see what it looked like, to see if I could figure out what to do. The client is supposed to handle things, but I could not figure out what to do for the manual configurations.

The client documentation here has a concept of Providers to help complete challenges. https://github.com/ebekker/ACMESharp/wiki/Example-Usage#defining-providers

However, I think the only ones I can do are manual because I am using Azure shared hosting. The client documentation says it only supports 2 challenge types [dns-01 and http-01]. When I looked at the https://acme-v01.api.letsencrypt.org/acme/authz/{randomGUID1} URL I saw http-01 and tls-sni-01. I’m wondering if this means the client I am using is not able to complete tls-sni-01 types, but I have no idea what that is, so I just don’t know.

Does that help?


#4

According to the docs for that client, it can only handle http-01 and dns-01. The letsencrypt CA can currently handle only http-01 and tls-sni-01. Since the only challenge in common is http-01, that’s the one you’ll have to use. That will involve placing a specified file at /.well-known/acme-challenge, containing specified contents, for the CA to read to confirm that you do, in fact, control the domain for which you’re requesting the certificate.


#5

Ok…I did not know if I had to use both or if just one was sufficient. I now understand more about http-01. Thanks danb35.

The follow-up question is the order of operations of http-01. For example, am I supposed to tell ACME the location on my website, or does it dictate the location to me? I assume that after I send in the challenge request, it will give me back the file I need, right?


#6

Unfortunately, I’m not really familiar with this client, so I can’t say exactly how things should go there. Perhaps a description of how things work with the official client would help, though.

With the official client, you enter a command line specifying all the domains you want that certificate to cover, and specifying manual mode. The client interacts with the server for a bit, and then gives you this challenge:
Make sure your web server displays the following content at http://privateserver.yourdomain.tld/.well-known/acme-challenge/U8AGPrh8wTM9wYpaOGUmfihZezzoLrCAhspJYeO-lsc before continuing:

U8AGPrh8wTM9wYpaOGUmfihZezzoLrCAhspJYeO-lsc.oYz0Q5G7t8oAAhKBGu6Y9InuE1eP2CRhR-RtUVXvloc

If you’ve specified multiple hostnames, you’ll see a similar challenge for each of them. The location on your website will always be at /.well-known/acme-challenge, but the name of the individual file, and its contents, will change. You’ll need to create a file on your web server that can be viewed at the specified URL, and fill it with the specified contents, and then continue. At that point, the server will verify that the file is there, and issue the certificate.

I hope you can adapt this to be helpful with the client you’re using. If not, maybe you can post the exact output it’s giving you that has you confused, and someone here can get a better idea of what’s going on. It also looks like there’s a Google Groups forum for this client at https://groups.google.com/forum/#!forum/acmesharp which may also be helpful.
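As an added example (not code from this thread, ACMESharp, or the official client): the body the CA expects at the http-01 URL is exactly what the output above shows, the challenge token, a dot, and the RFC 7638 thumbprint of the ACME account key. The script below computes that key authorization from a constructed account JWK and pre-checks the served file the way the CA will, before you tell the client to trigger validation; the `fetch` callable is injected so the check can run against a stub as well as a real HTTP GET.

```python
import base64
import hashlib
import json
import urllib.request
from typing import Callable


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Members that enter the thumbprint per key type (RFC 7638 section 3.2);
# anything else in the JWK ("alg", "use", "kid") is ignored.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact file body the CA expects: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """http-01 is always fetched over plain HTTP at this fixed path."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def http_get(url: str) -> str:
    return urllib.request.urlopen(url, timeout=10).read().decode("utf-8")


def check_http01(domain: str, token: str, account_jwk: dict,
                 fetch: Callable[[str], str] = http_get) -> bool:
    """Repeat the CA's comparison locally; returns False on any fetch error."""
    expected = key_authorization(token, account_jwk)
    try:
        body = fetch(challenge_url(domain, token))
    except Exception:
        return False
    # RFC 8555 section 8.3: trailing whitespace is ignored, nothing else is.
    return body.rstrip() == expected


if __name__ == "__main__":
    # Constructed, non-functional account key; a real one comes from the client's registration.
    demo_jwk = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB", "alg": "RS256"}
    print(challenge_url("example.com", "tokenXYZ"), key_authorization("tokenXYZ", demo_jwk))
```

Run it against your own domain and token once the file is in place; a `True` from `check_http01` means the CA's fetch should succeed too.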