Where can I find automated cert request/retrieval requirements?

I’m developing a consumer product that includes an embedded webserver that will be accessed over the internet using web browsers. I’d would like to automate the Let’s Encrypt cert request/install/renewal process for users who acquire a domain name. Existing clients appear to be designed to run under an operating system, and won’t work for my application. Is there any documentation that I could use as a guide for developing my own client?

Hi @Mxyxptlik,

The best documentation for writing an ACME v2 client is the draft RFC. You will also probably want to subscribe to the API announcements category of the forum.

Will your consumer product support automatic updates? I strongly recommend you don't ship an ACME client or use Let's Encrypt certificates if you aren't able to regularly update the software on the consumer product. There are API changes and deprecations of challenge types that could easily break certificate renewal in the future without updates.

4 Likes

My product will support automatic firmware updates. I’ll check out the draft RFC and subscribe to API announcements.

Thanks for the quick response!

5 Likes

Depending on how minimalist you need to be, it might also be possible to develop your own application based on one of the existing libraries

rather than implementing ACME itself from scratch. (These libraries generally do assume the ability to make system and runtime calls to do things like create network connections and files on disk, which might be more OS support than you have available in your environment.)

2 Likes

That’s a good idea. I have the ability to create network connections and read/write files but the functions available to do these things not probably not compatible with existing implementations. I’m using the WolfSSL library and suppose I could write stubs to mimic the functions an ACME library needs if it’s not simpler to modify it instead.

Is there a particular ACME implementation you’d suggest starting with?

I haven't heard of any ACME clients written against WolfSSL. I'd be interested in hearing if you find one!

I don't know what kind of embedded environment you're working in but my naive understanding is that C is the lingua franca of constrained embedded systems. If that's true maybe a good place to start is by looking at the OpenBSD acme-client.

It's a maintained ACME client written in C that supports LibreSSL and lives in the OpenBSD 5.9+ source tree: src/usr.sbin/acme-client/ There's also a more portable implementation but I suspect its less actively maintained: GitHub - kristapsdz/acme-client-portable: portable version of acme-client, a secure ACME client

Edit: One catch however... acme-client is written as an ACME v1 client so unfortunately it doesn't match up to the current draft RFC. That makes it a less appealing place to start unfortunately :frowning: If you are still interested the ACME v1 divergences will probably be useful to read through.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.