Registration Authorizations and Certificates URIs


#1

According to the source code of the official client, the registration resource should have an authorizations URI and a certificates URI.

class Registration(ResourceBody):
    """Registration Resource Body.

    :ivar acme.jose.jwk.JWK key: Public key.
    :ivar tuple contact: Contact information following ACME spec,
        `tuple` of `unicode`.
    :ivar unicode agreement:
    :ivar unicode authorizations: URI where
        `messages.Registration.Authorizations` can be found.
    :ivar unicode certificates: URI where
        `messages.Registration.Certificates` can be found.

    """

Those values are expected to be returned as fields in the response body, along with the other fields (such as contact).

    key = jose.Field('key', omitempty=True, decoder=jose.JWK.from_json)
    contact = jose.Field('contact', omitempty=True, default=())
    agreement = jose.Field('agreement', omitempty=True)
    authorizations = jose.Field('authorizations', omitempty=True)
    certificates = jose.Field('certificates', omitempty=True)

However, when I perform a request in staging to get the details of the registration, staging doesn’t return these two fields:

 => {"id"=>110xxx, "key"=>{"kty"=>"RSA", "n"=>"xxx", "e"=>"xxx"}, "contact"=>["mailto:example@example.com"], "agreement"=>"https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf", "initialIp"=>"82.xxx", "createdAt"=>"xxxx-xx-xxT16:49:58Z"}

I already issued a test certificate, and completed two challenges. Therefore these links should be available. Am I missing something?


#2

Hi, I also implement a client, and with a GET request on the directory URL I receive the URLs:


#3

I’m not sure I understood your reply. It seems to be incomplete and difficult to understand.


#4

Sorry, I misunderstood your question. I thought you meant the entry points.


#5

After further investigations, I came to the conclusion that the Authorization and Certificates URIs are not currently supported (nor returned) by Let’s Encrypt.

These URIs were introduced in the client in this commit https://github.com/letsencrypt/letsencrypt/commit/79853fa098ac480534196bfd24ddb6b66a3c286f as part of the PR #576 with the goal to support letsencrypt/acme-spec#134. However, Boulder currently doesn’t support that specification section and there is an open ticket letsencrypt/boulder#423.

Long story short, for the time being the client provides the ability to fetch the Authorizations and Certificates URIs from Boulder, but Boulder doesn’t provide them. The assumption also seems to be confirmed by the current implementation of the Registration handler in Boulder.

As a consequence, I assume it’s currently not possible to get a list of issued certificates for an existing account, nor the list of valid authorizations.
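
Added example, not part of the thread and not code from the acme library or Boulder: a simplified model of how a client can decode a registration body in which the optional authorizations and certificates fields are absent, as in the staging response quoted in post #1. The Registration dataclass, decode_registration, missing_links and STAGING_BODY are hypothetical names, and the https-only check on returned link URIs is an added assumption.

```python
import json
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Optional link fields named in the Registration docstring quoted in post #1.
LINK_FIELDS = ("authorizations", "certificates")


@dataclass(frozen=True)
class Registration:
    contact: Tuple[str, ...] = ()
    agreement: Optional[str] = None
    authorizations: Optional[str] = None
    certificates: Optional[str] = None


def _checked_uri(name, value):
    """Accept only absolute https URIs, since a client would fetch them next."""
    parts = urlsplit(value) if isinstance(value, str) else None
    if parts is None or parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{name}: not an absolute https URI: {value!r}")
    return value


def decode_registration(body):
    """Decode a registration body; absent optional fields keep their defaults."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("registration body must be a JSON object")
    links = {n: _checked_uri(n, data[n]) for n in LINK_FIELDS if n in data}
    return Registration(contact=tuple(data.get("contact", ())),
                        agreement=data.get("agreement"), **links)


def missing_links(reg):
    """Names of the link fields the server did not return."""
    return [n for n in LINK_FIELDS if getattr(reg, n) is None]


# Constructed sample shaped like the staging response in post #1.
STAGING_BODY = json.dumps({
    "id": 1, "key": {"kty": "RSA", "n": "xxx", "e": "xxx"},
    "contact": ["mailto:example@example.com"],
    "agreement": "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf",
    "initialIp": "192.0.2.1", "createdAt": "2015-01-01T00:00:00Z",
})

if __name__ == "__main__":
    print(missing_links(decode_registration(STAGING_BODY)))
```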