Acme::Client

acme-client is a client implementation of the ACME protocol in Ruby.

You can find the server reference implementation for ACME server at here and also the a reference client written in python.

ACME is part of the Letsencrypt project, that are working hard at encrypting all the things.

Usage

# We're going to need a private key.
private_key = OpenSSL::PKey::RSA.new(2048)

# We need an ACME server to talk to, see github.com/letsencrypt/boulder
endpoint = 'http://letsencrypt.com/'

# Initialize the client
client = Acme::Client.new(private_key: private_key, endpoint: endpoint)

# If the private key is not known to the server we need to register for the first time.
registration = client.register(contact: 'mailto:unixcharles@gmail.com')

# You'll need to agree the term (that's up the to the server to require it or not but boulder does by default)
registration.agree_terms

# Let's try to optain a certificate for yourdomain.com
authorization = client.authorize(domain: 'yourdomain.com')

# We need to prove that we control the domain using one of the challanges method
simple_http = authorization.simple_http

# The SimpleHTTP method will require you to response to an HTTP request.

# You can retreive the expected path for the file.
simple_http.filename # => ".well-known/acme-challenge/:some_token"

# You can retrieve the body of the expected response
simple_http.file_content # => 'string of JWS signed json' 

# You can send no Content-Type at all but if you send one it has to be 'application/jose+json'
simple_http.content_type

# Once you are ready to serve the confirmation request you can proceed.
simple_http.request_verification # => true
simple_http.verify_status # => 'pending'

# Wait a bit for the server to make the request, or really just blink, should be fast.
sleep(1)

simple_http.verify_status # => 'pending'

# We're going to need a CSR, let do this real quick with Ruby+OpenSSL.
request = OpenSSL::X509::Request.new
request.subject = OpenSSL::X509::Name.new([
  ['CN', common_name, OpenSSL::ASN1::UTF8STRING]
])

request.public_key = private_key.public_key
request.sign(private_key, OpenSSL::Digest::SHA256.new)

# You can request a new certificate
client.new_certificate(csr) # => #<OpenSSL::X509::Certificate ....>

Not implemented

• Recovery methods are not implemented.
• SimpleHTTP is the only challenge method implemented

Development

All the tests use VCR to mock the interaction with the server but if you need to record new interation against the server simply clone boulder and run it normally with ./start.py.

Pull request?

Yes.

License

MIT License