Acme.sh: stateless mode, command to output thumbprint

Created on 3 Feb 2017 · 5 Comments · Source: acmesh-official/acme.sh

This is a feature request.

I would like to use a stateless mode as this saves me from configuring a proxy redirect and firewall settings. It also sounds safer to skip opening additional ports if not needed.
Other acme clients support this already (like https://github.com/hlandau/acme)

Nginx would be statically configured to respond to the challenge. The account_thumbprint would need to be exportable by acme.sh.

http {
  server {
    location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
      default_type text/plain;
      return 200 "$1.ACCOUNT_THUMBPRINT";
    }
  }
}

The calculation of the thumbprint is already there, it would just need to be exported.
https://github.com/Neilpang/acme.sh/blob/master/acme.sh#L2782

Additional implementation of a "stateless" mode also sounds not too difficult. Code should be similar to standalone, just skipping opening the webserver.

Please consider adding support for it.

All 5 comments

I don't quite understand the use case for this.
Can you please explain more?

Sure.

When you ask the letsencrypt server for a validation it will call a specific URL on your server and expects a specific response.

e.g. it requests /.well-known/acme-challenge/ABCDEF and expects a specific return ABCDEF.thumbprint. Thumbprint is static for your account.

acme.sh creates this return in the sections pointed to above and serves it by opening a server listening on port 80.

Noticed that my link pointed to master, which makes the line numbers change. Sorry if this caused confusion.
https://github.com/Neilpang/acme.sh/blob/dba26c3240efaa6cdd9c6f163f8294242c2bdbfd/acme.sh#L2827

The return keyauthorization="$token.$thumbprint" consists of a random string chosen by LE and a static thumbprint.

Instead of configuring nginx to forward a port and acme.sh opening a server this task could be done by nginx itself. The snippet above configures a responder to LE requests to answer the challenge with the right combination of token and thumbprint.

Advantage is that it makes opening a server port unneeded thus helping in setups where port 80 is not available and redirects cause extra work with firewall setups.
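The responder logic described in this comment, as an added Python example that is not acme.sh's own code: it computes the RFC 7638 JWK thumbprint that acme.sh exports for the account key and answers challenge paths the way the static nginx location above does. The sample account key is constructed (far too short to be a usable key), and the function names are mine.

```python
import base64
import hashlib
import json
import re

# Same character class as the nginx location regex in the request above.
TOKEN_RE = re.compile(r"^[-_a-zA-Z0-9]+$")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (RSA: e, kty, n), members in lexicographic order and
    no whitespace. Extra members such as kid or alg do not affect it, which
    is why the thumbprint stays static for the account."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """What the CA expects to read back: <token>.<thumbprint>."""
    return f"{token}.{thumbprint}"


def stateless_respond(path: str, thumbprint: str):
    """Mimic the static nginx responder: only the challenge prefix followed by
    a well-formed token is answered with 200; anything else is a 404, so the
    thumbprint is never echoed for arbitrary paths."""
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, ""
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token):
        return 404, ""
    return 200, key_authorization(token, thumbprint)


# Constructed sample account key for illustration only (not a real key).
SAMPLE_JWK = {"kty": "RSA", "n": b64url(bytes.fromhex("c0ffee" * 8)),
              "e": "AQAB", "kid": "acct-1"}
```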

Good catch. Understood.

I just added the account thumbprint: https://github.com/Neilpang/acme.sh/commit/339a8ad61041591d6cc2bb3af77ed855e13e735d

acme.sh --register-account

You will get the account thumbprint.

As a temp workaround, for now you can use --standalone mode. The dummy embedded nc server doesn't hurt at all. The configured nginx server could work well with the thumbprint.

I'm adding a new mode --stateless, just wait.

The --stateless mode is checked in.

I also wrote a doc:
https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode

Please take a look, please feel free to comment on the doc.

Thanks.

interesting technique
as good as DNS01
