Python-acme ACMEv2 example?

Is there an example of using python-acme with ACMEv2 anywhere?

I use a home-grown Python script to retrieve certificates, and it needs to be migrated to the new protocol, but I haven't been able to find any documentation of how to do this anywhere.

1 Like

The EFF client certbot uses the acme python library (which seems to be the same as "python-acme"). The ACME Client Implementations says "a number of other clients" use it too, but I don't know one of those.

Isn't it easier to "just" choose one of the existing ACME clients? Or do you have specific reasons to build your own client upon an ACME client library?

1 Like

> The EFF client certbot uses the acme python library (which seems to be the same as "python-acme"). The ACME Client Implementations says "a number of other clients" use it too, but I don't know one of those.

I am aware of certbot. I was hoping to avoid having to troll through the 364 Python files in the certbot repository to figure this out.

> Isn't it easier to "just" choose one of the existing ACME clients? Or do you have specific reasons to build your own client upon an ACME client library?

NSS and SELinux support, among others.

1 Like

I strongly advise against writing your own, and advise using a fully functional acme client instead.

I am saying this from experience — I maintain a niche/complex client written in Python. It was originally based on acme-tiny and most of it was rewritten for acme2.

The new protocol is a bit more complex and there are certain implementation details that ISRG/LetsEncrypt chose when deploying their servers. The majority of acme clients cannot handle acme errors correctly, nor do they implement challenge cleanups or adequate logging. IMHO, the odds of wedging your account or exceeding rate limits are fairly high with homegrown scripts.

If you really want to avoid certbot, there are dozens of smaller clients that you can use, but most are fairly limited in how they handle acme-errors/failures, and very, very few have test suites.

2 Likes
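The failure handling the post above warns about, as an added example that is not from this thread or from any client named in it: it classifies an ACME problem document by its RFC 8555 error type, logs it, and removes the challenge response on every exit path. The names `classify` and `run_order`, the three callbacks and the one-hour default back-off are assumptions made for illustration.

```python
import json
import logging

log = logging.getLogger("acme-example")
PREFIX = "urn:ietf:params:acme:error:"
RETRY_NOW = {"badNonce"}                      # retry with a fresh nonce
BACK_OFF = {"rateLimited", "serverInternal"}  # wait before trying again
DEFAULT_BACKOFF = 3600  # assumption: used when Retry-After is absent or a date

# Constructed sample response: (HTTP status, headers, body).
SAMPLE = (429, {"Retry-After": "120"}, json.dumps({
    "type": PREFIX + "rateLimited", "detail": "constructed example"}))


def classify(status, headers, body):
    """Map an ACME problem document to (action, delay_seconds)."""
    try:
        problem = json.loads(body)
        kind = str(problem.get("type", ""))
    except (ValueError, AttributeError):      # not JSON, or not an object
        problem, kind = {}, ""
    short = kind[len(PREFIX):] if kind.startswith(PREFIX) else "unknown"
    log.error("ACME error %s (HTTP %s): %s", short, status, problem.get("detail"))
    if short in RETRY_NOW:
        return "retry", 0
    if short in BACK_OFF:
        value = headers.get("Retry-After", "")
        return "backoff", int(value) if value.isdecimal() else DEFAULT_BACKOFF
    return "abort", 0                         # anything else needs a human


def run_order(place_challenge, validate, remove_challenge, max_tries=3):
    """Run one validation; the challenge response is always removed."""
    try:
        place_challenge()
        for _ in range(max_tries):
            status, headers, body = validate()
            if status < 400:
                return "valid", 0
            action, delay = classify(status, headers, body)
            if action != "retry":
                return action, delay          # caller sleeps or gives up
        return "abort", 0                     # retries exhausted
    finally:
        remove_challenge()                    # must tolerate partial placement


if __name__ == "__main__":
    print(classify(*SAMPLE))
```

The caller decides what to do with a `backoff` result; sleeping for the returned delay instead of looping immediately is what keeps a failing script from running into rate limits.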

For what it's worth, one bit of example code using our ACME Python library can be found at certbot/http01_example.py at 459a254aea3a9a5a6ac9f069ba446d93ce307a5c · certbot/certbot · GitHub. Another example from a real but more stripped down client than Certbot would be simp_le.

2 Likes

> For what it's worth, one bit of example code using our ACME Python library can be found at certbot/http01_example.py at 459a254aea3a9a5a6ac9f069ba446d93ce307a5c

That's what I needed. With that example, I was able to re-write my client script to work with ACMEv2. The only significant issue that I hit was the "missing account URI" issue (see here) that seems like it's going to bite pretty much anyone migrating from v1 to v2.

For anyone who's interested, my new script is here. If I've made any obvious errors or missed important error checking, pointers are always welcome.

Thanks!

1 Like