This is a feature request.
I would like to use a stateless mode as this saves me from configuring a proxy redirect and firewall settings. It also sounds safer to skip opening additional ports if not needed.
Other acme clients support this already (like https://github.com/hlandau/acme)
Nginx would be statically configured to respond to the challenge. The account_thumbprint would need to be exportable by acme.sh.
http {
    server {
        # Answer every HTTP-01 challenge without per-challenge state:
        # the token is captured from the URL and paired with the static
        # account thumbprint (replace ACCOUNT_THUMBPRINT with the exported value).
        location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
            default_type text/plain;
            return 200 "$1.ACCOUNT_THUMBPRINT";
        }
    }
}
The calculation of the thumbprint is already there, it would just need to be exported.
https://github.com/Neilpang/acme.sh/blob/master/acme.sh#L2782
An additional implementation of a "stateless" mode also sounds not too difficult. The code should be similar to standalone, just skipping opening the webserver.
Please consider adding support for it.
I don't quite understand the use case for this.
Can you please explain more ?
Sure.
When you ask the letsencrypt server for a validation it will call a specific URL on your server and expects a specific response.
E.g. it requests /.well-known/acme-challenge/ABCDEF and expects a specific return ABCDEF.thumbprint. The thumbprint is static for your account.
acme.sh creates this return in the sections pointed to above and serves it by opening a server listening on port 80.
Noticed that my link pointed to master, which makes the line numbers change. Sorry if this caused confusion.
https://github.com/Neilpang/acme.sh/blob/dba26c3240efaa6cdd9c6f163f8294242c2bdbfd/acme.sh#L2827
The return keyauthorization="$token.$thumbprint" consists of a random string chosen by LE and a static thumbprint.
Instead of configuring nginx to forward a port and acme.sh opening a server, this task could be done by nginx itself. The snippet above configures a responder to LE requests to answer the challenge with the right combination of token and thumbprint.
The advantage is that it makes opening a server port unnecessary, thus helping in setups where port 80 is not available and redirects cause extra work with firewall setups.
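The mechanics described in this reply, as an added example in Python that is not code from the thread or from acme.sh: the RFC 7638 JWK thumbprint over the account's public key, the token.thumbprint key authorization, and a responder applying the same matching rule as the nginx location above. The JWK parameters and tokens are constructed placeholders, not a real key.

```python
import base64
import hashlib
import json
import re

# Constructed RSA public JWK with placeholder parameters (not a real key);
# only the thumbprint computation and the responder are being demonstrated.
SAMPLE_JWK = {
    "kty": "RSA",
    "alg": "RS256",   # not part of the thumbprint input (RFC 7638)
    "kid": "acct-1",  # not part of the thumbprint input either
    "e": "AQAB",
    "n": "ConstructedModulusNotARealKey_0123456789-abcdefghijklmnop",
}

# Same character class as the nginx location regex: base64url, no padding.
TOKEN_RE = re.compile(r"[-_a-zA-Z0-9]+")
PATH_RE = re.compile(r"/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required public members, keys sorted
    lexicographically, no whitespace. Optional members (alg, kid, ...) are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    if jwk.get("kty") not in required:
        raise ValueError("unsupported or missing kty")
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """Account thumbprint: base64url(SHA-256(canonical JWK)). Static per account key."""
    digest = hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest()
    return b64url(digest)


def key_authorization(token: str, thumbprint: str) -> str:
    """HTTP-01 response body: <token>.<thumbprint>.
    The token is chosen by the CA per challenge; the thumbprint never changes."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside the base64url alphabet")
    return f"{token}.{thumbprint}"


def stateless_responder(path: str, thumbprint: str):
    """Mirror of the nginx location: returns (status, content_type, body).
    No per-challenge state is kept; the token is echoed back from the URL,
    and anything not matching the strict path pattern is refused."""
    m = PATH_RE.fullmatch(path)
    if not m:
        return 404, "text/plain", "not found"
    return 200, "text/plain", key_authorization(m.group(1), thumbprint)


if __name__ == "__main__":
    tp = jwk_thumbprint(SAMPLE_JWK)
    print("thumbprint:", tp)
    # Constructed token standing in for the one the CA would pick.
    print(stateless_responder("/.well-known/acme-challenge/ABCDEF", tp))
    print(stateless_responder("/.well-known/acme-challenge/../secret", tp))
```

Two details matter for the security argument in the thread: the thumbprint is a hash of the public account key only, so publishing it in a config file reveals nothing secret, and the path regex only accepts base64url characters, so the responder never echoes arbitrary request input.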
Good catch. Understood.
I just added the account thumbprint: https://github.com/Neilpang/acme.sh/commit/339a8ad61041591d6cc2bb3af77ed855e13e735d
acme.sh --register-account
You will get the account thumbprint.
As a temporary workaround, for now you can use the --standalone mode; the dummy embedded nc server doesn't hurt at all. The configured nginx server could work well with the thumbprint.
I'm adding a new mode --stateless, just wait.
The --stateless mode is checked in.
I also wrote a doc:
https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
Please take a look, please feel free to comment on the doc.
Thanks.
interesting technique
as good as DNS01