Registration Authorizations and Certificates URIs

weppos · January 21, 2016, 5:04pm

According to the source code of the official client, the registration resource should have an authorizations URI and a certificates URI.

class Registration(ResourceBody):
    """Registration Resource Body.

    :ivar acme.jose.jwk.JWK key: Public key.
    :ivar tuple contact: Contact information following ACME spec,
        `tuple` of `unicode`.
    :ivar unicode agreement:
    :ivar unicode authorizations: URI where
        `messages.Registration.Authorizations` can be found.
    :ivar unicode certificates: URI where
        `messages.Registration.Certificates` can be found.

    """

Those values are expected to be returned as fields in the response body, along with the other fields (such as contact).

    key = jose.Field('key', omitempty=True, decoder=jose.JWK.from_json)
    contact = jose.Field('contact', omitempty=True, default=())
    agreement = jose.Field('agreement', omitempty=True)
    authorizations = jose.Field('authorizations', omitempty=True)
    certificates = jose.Field('certificates', omitempty=True)

However, when I perform a request in staging to get the details of the registration, staging doesn’t return these two fields:

 => {"id"=>110xxx, "key"=>{"kty"=>"RSA", "n"=>"xxx", "e"=>"xxx"}, "contact"=>["mailto:example@example.com"], "agreement"=>"https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf", "initialIp"=>"82.xxx", "createdAt"=>"xxxx-xx-xxT16:49:58Z"}

I already issued a test certificate, and completed two challenges. Therefore these links should be available. Am I missing something?

tlussnig · January 22, 2016, 6:33am

Hi, i also implement an client an with GET request on the directory URL i receive the urls:

weppos · January 22, 2016, 10:47am

I’m not sure I understood your reply. It seems to be incomplete and difficult to understand.

tlussnig · January 22, 2016, 11:12am

Sorry i did misunderstood your question. I thought you mean the entry points.

weppos · January 24, 2016, 4:26pm

After further investigations, I came to the conclusion that the Authorization and Certificates URIs are not currently supported (nor returned) by Let’s Encrypt.

These URIs were introduced in the client in this commit https://github.com/letsencrypt/letsencrypt/commit/79853fa098ac480534196bfd24ddb6b66a3c286f as part of the PR #576 with the goal to support letsencrypt/acme-spec#134. However, Boulder currently doesn’t support that specification section and there is an open ticket letsencrypt/boulder#423.

Long story short, at the time being the client provides the ability to fetch the Authorizations and Certificates URIs from Boulder, but Boulder doesn’t provide them. The assumption also seems to be confirmed by the current implementation of the Registration handler in Boulder.

github.com

letsencrypt/boulder/blob/3214245240ecdd43ac2f30ef287b7f634f95e2ab/wfe/web-front-end.go#L965-L1036


func (wfe *WebFrontEndImpl) Registration(logEvent *requestEvent, response http.ResponseWriter, request *http.Request) {


	body, _, currReg, prob := wfe.verifyPOST(logEvent, request, true, core.ResourceRegistration)
	if prob != nil {
		// verifyPOST handles its own setting of logEvent.Errors
		wfe.sendError(response, logEvent, prob, nil)
		return
	}


	// Requests to this handler should have a path that leads to a known
	// registration
	idStr := parseIDFromPath(request.URL.Path)
	id, err := strconv.ParseInt(idStr, 10, 64)
	if err != nil {
		logEvent.AddError("registration ID must be an integer, was %#v", idStr)
		wfe.sendError(response, logEvent, probs.Malformed("Registration ID must be an integer"), err)
		return
	} else if id <= 0 {
		msg := fmt.Sprintf("Registration ID must be a positive non-zero integer, was %d", id)
		logEvent.AddError(msg)

This file has been truncated. show original

As a consequence, I assume it’s currently not possible to get a list of issued certificates for an existing account, nor the list of valid authorizations.