Skip to content

Replace simp_le with acme.sh #719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 55 commits into from
Nov 30, 2020
Merged

Replace simp_le with acme.sh #719

merged 55 commits into from
Nov 30, 2020

Conversation

buchdag
Copy link
Member

@buchdag buchdag commented Nov 30, 2020

This PR replaces the ACME client used inside the container (simp_le) by acme.sh.

This is a pretty significant change and will mark the second major version of this project (v2.0.0 release).

Changes and design choices where discussed in #510

The most important, not backward compatible change is that acme.sh relies on configuration files to work (unlike simp_le). This means that a Docker volume now has to be mounted to /etc/acme.sh in order to persist acme.sh configuration.

acme.sh also handle the ACME accounts differently than simp_le and the following choices were made with @pini-gh:

  • Use one acme.sh configuration directory (--config-home) per account email address.

  • Each acme.sh configuration directory can hold several accounts on different ACME service providers. But only one per service provider.

  • The default configuration directory holds the configuration for empty account email address.

  • When in Let's Encrypt staging mode (LETSENCRYPT_TEST=true):

    1. The container will use the special purpose staging configuration directory.
    2. The directory URI is forced to The Let's Encrypt v2 staging one (ACME_CA_URI is ignored)
    3. The account email address is forced empty (DEFAULT_EMAIL and LETSENCRYPT_EMAIL are ignored)

This PR also update the base Alpine image to 3.12, enable ECDSA private keys (close #376), fix #638 and support the --preferred-chain option of acme.sh (close #695). The tests were reworked to rely as little as possible on pre-generated expected output, which should make writing new tests a bit easier.

Finally, this PR makes letsencrypt-nginx-proxy-companion compatible with Zero SSL using EAB, a Zero SSL developer API key or a simple email address.

Thank to @pini-gh for his contributions to this PR and to @henriquebastos for the intermediary image size reduction I borrowed from his fork.

buchdag and others added 30 commits November 27, 2020 14:44
@buchdag
Revert "Merge pull request #485 from Greek64/PR"
96c9cbf 
This feature is not supported in this form by acme.sh

This reverts commit 7dd2cd6, reversing
changes made to 6a90d53.
@buchdag
Change ACME client to acme.sh
c821d80
@buchdag
Extend timeout for restart test
52b7a51
@buchdag
Update doc
c27e66e
@buchdag
Shell linting
984235f
@buchdag
Fix wrong container names on Travis
e63b227
@buchdag
Test if symlinks get created on RENEW_SKIP
b07dbc5
@pini-gh @buchdag
Links should be created on RENEW_SKIP as well
f66c1d5
@pini-gh @buchdag
Fix typo in Dockerfile comment
fe01d76
@pini-gh @buchdag
Remove unused function from entrypoint
4504e3b
@buchdag
Refactor update_certs() into two functions
7cf0a52
@pini-gh @buchdag
Use default config for empty DEFAULT_EMAIL only
3b6d87e
@buchdag
Add test for ACME accounts handling
562d7f1
@pini-gh @buchdag
Enable proxied containers ACME email override
3b1e1ba
@buchdag
Update acme_accounts test for LETSENCRYPT_EMAIL
a3f32e1
@buchdag
Update docs and comments
0c16513
@pini-gh @buchdag
Add doc on ACME accounts handling
e5825d6
@buchdag
Code styling
aa62af0
@pini-gh @buchdag
Use email-less staging conf for test certificates
195b19d
@buchdag
Use acme.sh --register-account in the service loop
fde5533
@buchdag
Linefeed typo
3e4b0a4
@buchdag
Reload nginx after creating the default cert
cfc2746
@buchdag
Better debugging of acme.sh call parameters
e2d05af
@buchdag
Fix private key reuse
14a019f
@buchdag
Backward compatibility with REUSE_PRIVATE_KEYS
54e73a9
@buchdag
Upgrade image to alpine 3.12
3f2c852
@buchdag
netcat is no longer required by acme.sh
fc66774
@henriquebastos @buchdag
Reduce intermediary image size
d3dcce1
@buchdag
Update maintainer label
9e6655c
@buchdag
Store and use image version based on git describe
8052f04
buchdag added 21 commits November 27, 2020 14:46
@buchdag
More robust ACME account registration
d36dea9
@buchdag
Use acme.sh maximum debug level
f8a24a6
@buchdag
Test suite refactoring
92cf9ff 
As much as possible, output to stdout on error condition only
in order to reduce the need for expected-std-out.txt
@buchdag
Update Boulder to 2020-10-19 release
b2e85e1
@buchdag
Do not attempt to read inexistant files in tests
a5b3b0a
@buchdag
Shell linting
caf79a0
@buchdag
Test for private keys types
3db820a
@buchdag
Add support for Zero SSL API key
e9aa88f
@buchdag
Go template formatting adjustments
d119a7e
@buchdag
Support for preferred chain
1966e52
@buchdag
User correct DEBUG level in tests
ce78b18
@buchdag
Comment clarification in single domain test
8a57f95
@buchdag
Add Zero SSL documentation
26f6115
@buchdag
Cleaner use of apk in install_acme.sh
c2ca8ef
@buchdag
Silence detached had warning on docker-gen build
10e8662
@buchdag
Add ACMESH_VERSION build arg to the Dockerfile
7a787c7
@buchdag
Warn that v2.0.0 is not 100% backward compatible
d4c4c32
@buchdag
Fix docker_api test expecting wrong signal
2cece86
@buchdag
Fix tests self cleanup
f069d50
@buchdag
Fix the container_restart test
5cfe0cb 
This might be a race condition
@buchdag
Small fixes on symlinks test
65520ff
@buchdag buchdag added the kind/feature-request Issue requesting a new feature label Nov 30, 2020
@buchdag buchdag self-assigned this Nov 30, 2020
@buchdag buchdag merged commit 849c676 into master Nov 30, 2020
@buchdag buchdag mentioned this pull request Nov 30, 2020
Closed
@buchdag buchdag deleted the acme.sh branch November 30, 2020 19:04
@buchdag buchdag mentioned this pull request Dec 2, 2020
Closed
@buchdag buchdag mentioned this pull request Dec 21, 2020
Merged
@almereyda almereyda mentioned this pull request Dec 22, 2020
Closed
@polarathene polarathene mentioned this pull request Sep 24, 2021
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@buchdag buchdag

Labels
kind/feature-request Issue requesting a new feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support --preferred-chain certbot option Missing email Add support ECDSA certificate generation
3 participants
@buchdag @pini-gh @henriquebastos