ACME: certificate issue and renewal implementation. #16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bavshin-f5
force-pushed
the
bavshin/acme-client
branch
from
57a7bd4 to
d5ed1d0
Compare
avahahn
requested changes
Aug 6, 2025
bavshin-f5
force-pushed
the
bavshin/acme-client
branch
6 times, most recently
from
d5e33b6 to
33dd5d6
Compare
bavshin-f5
force-pushed
the
bavshin/acme-client
branch
2 times, most recently
from
8876321 to
2e1a585
Compare
bavshin-f5
force-pushed
the
bavshin/acme-client
branch
2 times, most recently
from
d867989 to
119b2a6
Compare
This change implements a subset of JOSE specifications sufficient for RFC8555: JSON Web Signature with RS256, ES256, ES384 and ES512 algorithms (RFC7515, RFC7518) and JSON Web Key Thumbprint (RFC7638).
The client is using NGINX connection infrastructure with async wrappers, but the message parser is currently provided by "hyper". There are several shortcomings in this approach, most importantly lack of support for pre-resolved upstreams, keepalive or fine tuning of connection buffering and timeouts. There is a plan to provide a better HTTP client implementation in one of the future releases of ngx-rust and use it as a replacement.
Co-authored-by: Pat Hickey <[email protected]>
bavshin-f5
force-pushed
the
bavshin/acme-client
branch
from
119b2a6 to
7044037
Compare
bavshin-f5
added a commit
that referenced
this pull request
Aug 9, 2025
Starting from v2.7.0, pebble ignores certificateValidityPeriod and uses the validityPeriod from the default profie instead. The profile was removed during the review of #16, because I assumed it was redundant and the tests (with pebble v2.6.0) confirmed that.
bavshin-f5
added a commit
that referenced
this pull request
Aug 10, 2025
Starting from v2.7.0, pebble ignores certificateValidityPeriod and uses the validityPeriod from the default profie instead. The profile was removed during the review of #16, because I assumed it was redundant and the tests (with pebble v2.6.0) confirmed that.
bavshin-f5
added a commit
that referenced
this pull request
Aug 11, 2025
Starting from v2.7.0, pebble ignores certificateValidityPeriod and uses the validityPeriod from the default profie instead. The profile was removed during the review of #16, because I assumed it was redundant and the tests (with pebble v2.6.0) confirmed that.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR gets us a working ACME client implementation, tested with pebble, boulder (deployed on Let's Encrypt staging and production), and Step CA. Further compatibility testing is blocked on a lack of EAB implementation (#6).
The error handling in acme.rs is not finalized and may receive some final touches this week. The rest should be ready for review.