During the last few days I managed to develop a simple Java ACME client, but before publishing the code I have an issue to solve.
How should we (developing a client library) handle the agreement between the customer and the CA?
At the moment we ask the application using the library to provide the agreement URI to the library; is this enough?
Where will developers find the links to the latest policy they need to agree to in order to get certificates?
This is a good question, even more so if there is an automated part for issuing certs for new domains.
How should it be handled if there is an agreement change?
I will have a response for you shortly.
When an ACME interaction occurs and a client signals that the potential new subscriber has agreed to the current Let’s Encrypt subscriber agreement, it must be true that the potential new subscriber has been given a chance to review the subscriber agreement and has explicitly agreed to be bound by its terms. The potential new subscriber’s review of the subscriber agreement can be done inside or outside of the client software, but the client must obtain confirmation from the potential new subscriber that he/she has reviewed and explicitly agrees to the subscriber agreement before the client software signals agreement. If the client signals agreement without receiving this confirmation, then the client is behaving improperly and the resulting certificate may be revoked.
If you are only providing a library then you’re probably not directly responsible for making sure this happens, it’s up to the client software using your library.
Thanks a lot for your reply.
I’ve updated the example client (using the current staging server) to make sure that the user using it has reviewed the agreement by asking the user to write the agreement URL as a command-line argument.
I’ve uploaded the code of the library on GitHub here: https://github.com/zero11it/acme-client
Looking forward to trying out the beta.
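The requirement stated above (the client must hold an explicit confirmation before it signals agreement) and the agreement-change question can both be enforced at the library boundary. The following is an added illustration, not code from the acme-client repository or from Let's Encrypt: a hypothetical `AgreementGuard` class that refuses to produce an agreement value unless the application supplies a confirmation, and that treats a confirmation for a URI other than the one the CA currently advertises as the agreement-change case rather than silently agreeing. The terms URI is a constructed placeholder; a real library would take it from the CA's directory response, and the name of the registration field it feeds (`agreement` in the draft protocol of that time) is assumed here.

```java
import java.net.URI;
import java.util.Objects;
import java.util.Optional;

/**
 * Hypothetical library-side guard for the subscriber-agreement step.
 * The CA's current terms-of-service URI is normally fetched from the ACME
 * directory; it is passed in here so the class runs offline.
 */
public final class AgreementGuard {

    /** Raised when the library is asked to signal agreement it cannot justify. */
    public static final class AgreementException extends Exception {
        public AgreementException(String message) { super(message); }
    }

    /** What the application must hand to the library: which document the
     *  subscriber reviewed, and whether they explicitly agreed to it. */
    public static final class Confirmation {
        private final URI reviewedTerms;
        private final boolean explicitlyAgreed;
        public Confirmation(URI reviewedTerms, boolean explicitlyAgreed) {
            this.reviewedTerms = Objects.requireNonNull(reviewedTerms);
            this.explicitlyAgreed = explicitlyAgreed;
        }
    }

    private final URI currentTerms; // as advertised by the CA right now

    public AgreementGuard(URI currentTerms) {
        this.currentTerms = Objects.requireNonNull(currentTerms);
    }

    /**
     * Returns the URI to place in the registration's agreement field, or
     * throws. The library never defaults to "agreed" on the caller's behalf.
     */
    public URI agreementToSignal(Optional<Confirmation> confirmation)
            throws AgreementException {
        Confirmation c = confirmation.orElseThrow(() -> new AgreementException(
            "no subscriber confirmation supplied; refusing to signal agreement"));
        if (!c.explicitlyAgreed) {
            throw new AgreementException("subscriber reviewed " + c.reviewedTerms
                + " but did not explicitly agree");
        }
        if (!c.reviewedTerms.equals(currentTerms)) {
            // Agreement-change case: the subscriber agreed to an older (or wrong)
            // document, so the application must obtain a fresh confirmation.
            throw new AgreementException("subscriber agreed to " + c.reviewedTerms
                + " but the CA now requires " + currentTerms + "; re-confirmation needed");
        }
        return currentTerms;
    }

    /** Example client behaviour: the reviewed agreement URI arrives on the
     *  command line, as in the thread's example client. */
    public static void main(String[] args) throws Exception {
        // Constructed placeholder; a real client reads this from the CA directory.
        URI advertised = URI.create("https://ca.example/terms-v2.pdf");
        AgreementGuard guard = new AgreementGuard(advertised);

        Optional<Confirmation> fromCli = args.length == 0
            ? Optional.<Confirmation>empty()
            : Optional.of(new Confirmation(URI.create(args[0]), true));
        try {
            System.out.println("will signal agreement: " + guard.agreementToSignal(fromCli));
        } catch (AgreementException e) {
            System.err.println("not registering: " + e.getMessage());
            System.exit(2);
        }
    }
}
```

Running it with no argument, or with a URI that differs from the advertised one, exits without registering; only a confirmation for the exact current terms URI yields a value to send. Keeping the comparison in the library rather than in each application means an updated agreement surfaces as a hard failure in automated setups instead of a registration that silently claims consent the subscriber never gave.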