feat: verify ACME challenges and complete order #164
Conversation
Can you change the title of the PR to something more descriptive?
Sure, sorry, my bad
This is great. Your PR description makes it sound like you're missing files in this change?
One question about a line in the docs I want clarified.
@humphd you mean this?
That part is here: I'm reaching into the acme's default client (an instantiated axios) and overwriting its https client with the one that does not require the SSL signature to match. This is officially supported by both
It was you saying "Alters the code to use the Pebble docker container's mock Let's Encrypt server in development and testing" which made me think you had altered other files. While I'm thinking of this, do you want to delete the CA .pem file I added before, since we won't need it now?
Sure!
I have spent a while looking at this and at the node-acme and RFC docs so that I could better understand it, because I haven't really worked with this before. That being said, the ideas in this code were evident even before that because it is well commented and written already; I went and read up again on the whole flow, however, because I am a noob.
So in this PR you did exactly what you set out to do. You added to the challengeBundle so you could use properties from AcmeDnsChallenge (and further the ChallengeAbstract interface); you used those attributes to check that all challenges pass and, if not (I am not clear here, but I think), you begin an async retry on pending and invalid ones; and once the order status is ready, the completeOrder method will finalize the order and get the certificate.
You have also changed to a different axios client that doesn't require SSL for ease of testing. David already mentioned the directoryUrl and, as he mentioned, I'm sure you already know.
I have really barely read up on this stuff (maybe 1 hr and change) and can kind of follow along with the entirety of this lets-encrypt server you have written, so I have nothing more to add; it's really good.
Hi @sfrunza13, thanks for the kind words. It is usually good practice to build stuff layer by layer, so this class only focuses on communicating with Let's Encrypt. Stages:
Outcomes:
So I made this code with the above in mind. For example, if step 3 finds that a challenge is still pending, it will simply return false, indicating a Defer; but if the order is in an incorrect state (the whole order failed), there is no way to continue, so it will throw an exception. We will be able to handle / catch these in the queue worker and, depending on the above three outcomes, decide what to do. This way the actual certificate generation logic and the process management of it are completely separate, which helps to separate the responsibilities and create cleaner, more readable code.
@dadolhay seems like the start of a great blog post :)
@humphd
This PR:
- Alters the code to use the Pebble docker container's mock let's encrypt server in development and testing
- node-acme-client communicates with the development pebble server (no need to inject extra CA into node)
- state
- verifyChallenges instance method that asks the ACME provider to complete each challenge
- completeOrder instance method that finalizes the order and retrieves the certificate after all challenges have been completed

With these additional features, I successfully completed an order and obtained a multi-part certificate from the mock server.

Closes #21