Stonemax/acme2 finished ACME version2 implementation

man · 2018-03-06 08:57:26 UTC

Hi

stonemax/acme2, has finished implementation ACME version2 under the master git branch.

I’ve created a pull request to the letsencrypt website; https://github.com/letsencrypt/website/pull/260

_az · 2018-03-06 09:46:42 UTC

Cool. May I ask why you decided not to use curl functions? In various places the client does not seem like it would handle HTTP redirects correctly.

For example in checkHttpChallenge, it is valid for the website to redirect the resource to another domain or URL, but the function would prematurely give a false negative.

Another minor issue with the pre-flight check, the HTTP challenge must start over port 80, so this function would result in a false positive if port 443 succeeds but port 80 doesn’t:

github.com

stonemax/acme2/blob/1de1aa2665e9728c2dcf9e39b5c0bf177cd75238/src/helpers/CommonHelper.php#L78


 * Check http challenge locally
 * @param string $domain
 * @param string $fileName
 * @param string $fileContent
 * @return bool
 */
public static function checkHttpChallenge($domain, $fileName, $fileContent)
{
    $baseUrl = "{$domain}/.well-known/acme-challenge/{$fileName}";


    foreach (['http', 'https'] as $schema)
    {
        $url = "{$schema}://$baseUrl";


        try
        {
            list(, , $body) = RequestHelper::get($url);
        }
        catch (RequestException $e)
        {
            continue;

man · 2018-03-06 11:43:06 UTC

Thanks for your advise！

curl is a good tool, I choosed to use fsoekopen because it’s lightweight and flexible. But I didn’t consider the aspect of HTTP redirects indeed, so I had switched the request provider from fsockopen to curl.

As for the HTTP challenge, I had forced the challenge to be accomplished via http.

All codes had been pushed to github and merged to master branch.

Thanks for you advise again！

cpu · 2018-03-06 13:10:16 UTC

Thanks @man! Merged

system · 2018-04-05 13:10:44 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.