|
| 1 | +(ns plumbing |
| 2 | + (:require |
| 3 | + [ol.clave.impl.commands :as cmd] |
| 4 | + [ol.clave.account :as account] |
| 5 | + [ol.clave.order :as order] |
| 6 | + [ol.clave.challenge :as challenge] |
| 7 | + [ol.clave.csr :as csr])) |
| 8 | + |
| 9 | +(let [;; prepare a new account by generating a keypair and creating a local map of account data |
| 10 | + account-key (account/generate-keypair) |
| 11 | + account (account/create "mailto:test@example.com" true) |
| 12 | + |
| 13 | + ;; create a new session, this opaque handle must be passed to every command |
| 14 | + ;; they will always return a new session handle that you must use |
| 15 | + ;; you must never re-use a session handle |
| 16 | + [session _] (cmd/create-session "https://localhost:14000/dir" |
| 17 | + {:http-client {:ssl-context {:trust-store-pass "changeit" |
| 18 | + :trust-store "test/fixtures/pebble-truststore.p12"}} |
| 19 | + :account-key account-key}) |
| 20 | + |
| 21 | + ;; register a new account with the server |
| 22 | + [session account] (cmd/new-account session account) |
| 23 | + |
| 24 | + ;; save the account at this stage for use later during renewals |
| 25 | + _ (spit "./simple-account.edn" (account/serialize account account-key)) |
| 26 | + |
| 27 | + ;; first step in getting a cert is to prepare the order data |
| 28 | + identifiers (map order/create-identifier [{:type "dns" :value "example.com"}]) |
| 29 | + order-request (order/create identifiers) |
| 30 | + |
| 31 | + ;; then submit the order to the server |
| 32 | + [session order] (cmd/new-order session order-request) |
| 33 | + |
| 34 | + ;; each identifier (see above) will be associated with an authorization record |
| 35 | + ;; by solving the authorization challenges you will make the authorization's status |
| 36 | + ;; "valid" |
| 37 | + authz-urls (order/authorizations order) |
| 38 | + |
| 39 | + ;; solve each authorization by completing its challenges |
| 40 | + [session order] (loop [session session |
| 41 | + authz-urls authz-urls] |
| 42 | + (if-let [authz-url (first authz-urls)] |
| 43 | + (let [;; fetch the authorization details |
| 44 | + [session authz] (cmd/get-authorization session authz-url) |
| 45 | + |
| 46 | + ;; find an http-01 challenge to solve |
| 47 | + http-challenge (challenge/find-by-type authz "http-01") |
| 48 | + |
| 49 | + ;; compute the key authorization for this challenge |
| 50 | + key-auth (challenge/key-authorization http-challenge account-key) |
| 51 | + |
| 52 | + ;; in a real scenario, you would now provision the challenge |
| 53 | + ;; response at the required HTTP endpoint: |
| 54 | + ;; http://example.com/.well-known/acme-challenge/<token> |
| 55 | + ;; for this example we just pretend it's done |
| 56 | + _ (println (str "Provision challenge at: " |
| 57 | + "http://" (challenge/identifier authz) |
| 58 | + "/.well-known/acme-challenge/" |
| 59 | + (challenge/token http-challenge))) |
| 60 | + _ (println (str "Challenge content: " key-auth)) |
| 61 | + |
| 62 | + ;; notify the server that the challenge is ready to be validated |
| 63 | + [session _] (cmd/accept-challenge session http-challenge) |
| 64 | + |
| 65 | + ;; poll the authorization until it becomes valid |
| 66 | + [session authz] (cmd/poll-authorization session authz-url {:max-attempts 10 |
| 67 | + :delay-ms 1000})] |
| 68 | + (recur session (rest authz-urls))) |
| 69 | + [session order])) |
| 70 | + |
| 71 | + ;; once all authorizations are valid, we need to finalize the order |
| 72 | + ;; by submitting a certificate signing request (CSR) |
| 73 | + |
| 74 | + ;; first generate a certificate key pair |
| 75 | + cert-key (csr/generate-keypair) |
| 76 | + |
| 77 | + ;; create the CSR for our domains |
| 78 | + domains (map :value identifiers) |
| 79 | + csr-data (csr/create cert-key domains) |
| 80 | + |
| 81 | + ;; finalize the order by submitting the CSR |
| 82 | + [session order] (cmd/finalize-order session order csr-data) |
| 83 | + |
| 84 | + ;; poll the order until it's status becomes "valid" and certificate is ready |
| 85 | + [session order] (cmd/poll-order session (order/url order) {:max-attempts 10 |
| 86 | + :delay-ms 1000}) |
| 87 | + |
| 88 | + ;; download the certificate chain |
| 89 | + [session cert-chain] (cmd/get-certificate session (order/certificate-url order)) |
| 90 | + |
| 91 | + ;; save the certificate and private key |
| 92 | + _ (spit "./example.com.crt" cert-chain) |
| 93 | + _ (spit "./example.com.key" (csr/serialize-key cert-key))] |
| 94 | + |
| 95 | + (println "Certificate issued successfully!") |
| 96 | + (println "Certificate saved to: ./example.com.crt") |
| 97 | + (println "Private key saved to: ./example.com.key")) |
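Review bot: The certificate private key on line 93 and the serialized account key on line 25 are written with plain `spit`, which creates the file with the JVM's default, umask-dependent mode, so on a shared host the key material can be left readable by other local users. A small helper that creates the file owner-only before any bytes are written (below) closes that gap; `PosixFilePermissions` is POSIX-only, so it needs a guard or fallback on Windows. Separately, the results of `cmd/poll-authorization` (line 66) and `cmd/poll-order` (line 85) are bound but their status is never inspected, so if those calls return on `:max-attempts` exhaustion or an `invalid` status rather than throwing, the script proceeds to `finalize-order` and `get-certificate` against an unusable order — if that is the library's behaviour, add a check after each poll such as `_ (when-not (= "valid" (:status authz)) (throw (ex-info "authorization not valid" {:authz authz})))`, adjusting the accessor to however the library exposes status. The `:trust-store`/`"changeit"` block on lines 17-18 is appropriate for the Pebble fixture but deserves a comment so it is not copied into a real deployment, e.g. `;; test-only: trusts Pebble's self-signed CA — drop :ssl-context for a public ACME directory`.
```clojure
;; … unchanged: ns form …

(defn- spit-private
  "Write content to path, creating the file owner-read/write only (rw-------)
  before any key material lands, so a permissive umask cannot expose it."
  [path content]
  (let [p    (java.nio.file.Paths/get path (into-array String []))
        attr (java.nio.file.attribute.PosixFilePermissions/asFileAttribute
              (java.nio.file.attribute.PosixFilePermissions/fromString "rw-------"))]
    (java.nio.file.Files/deleteIfExists p)
    (java.nio.file.Files/createFile p (into-array java.nio.file.attribute.FileAttribute [attr]))
    (spit path content)))

;; … unchanged: keypair, session and new-account bindings …
      _ (spit-private "./simple-account.edn" (account/serialize account account-key))
;; … unchanged: order, authorization loop, finalize and polling …
      _ (spit "./example.com.crt" cert-chain)
      _ (spit-private "./example.com.key" (csr/serialize-key cert-key))]
;; … unchanged: println summary …
```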