
Is there any particular reason renewing certificates requires the cert URI instead of its serial number?

Open c4milo opened this issue 9 years ago • 6 comments

c4milo avatar Mar 11 '16 21:03 c4milo

When this package was written, I believe that was the only way to renew a certificate. If there have been updates to ACME/Boulder that allow using the serial number, it would be preferred.

ericchiang avatar Mar 11 '16 21:03 ericchiang

Right, I checked Boulder and it seems the path is /acme/cert/<serial number>

c4milo avatar Mar 11 '16 21:03 c4milo

While this may be how Boulder works, I don't think it's part of the ACME spec. The spec only refers to

If the CA decides to issue a certificate, then the server creates a new certificate resource and returns a URI for it in the Location header field of a 201 (Created) response.

It doesn't specify what the form of that URI is. I'm afraid that implementing this might be relying on an undocumented feature.

ericchiang avatar Mar 11 '16 21:03 ericchiang

Oh, I see. So, how are users supposed to renew certificates if it doesn't use an attribute of the certificate? Where do they get the URI from?

c4milo avatar Mar 11 '16 23:03 c4milo

It's in the certificate request: https://godoc.org/github.com/ericchiang/letsencrypt#CertificateResponse

Though maybe it's time to implement the proof-of-possession challenge, as it might be an easier way to get a new certificate. Does Boulder support this yet?

ericchiang avatar Mar 11 '16 23:03 ericchiang

Hm, that's a bummer. I thought you could renew the certificate without having to store more information other than the actual x509 certificate and its private key.

c4milo avatar Mar 11 '16 23:03 c4milo
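The practical consequence of the thread is that a client must persist one more piece of state than the certificate and its key: the certificate resource URI from the 201 response's Location header, since the ACME spec does not promise that the URI can be rebuilt from the serial number. The Go program below is an added example, not code from the ericchiang/letsencrypt package or from Boulder. It keeps a small `renewal.json` record beside the certificate files, derives the serial in the lowercase-hex form Boulder's `/acme/cert/<serial>` path happens to use (an assumption about Boulder's formatting, and in any case only for logging, never for building the URI), and decides when the stored URI should be used for renewal. The certificate is a constructed self-signed one, and the URI is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// RenewalRecord is the extra state the thread identifies: the certificate
// resource URI from the Location header, which the certificate bytes
// themselves do not carry, plus bookkeeping for the renewal decision.
type RenewalRecord struct {
	CertURI  string    `json:"cert_uri"`
	Serial   string    `json:"serial"`
	NotAfter time.Time `json:"not_after"`
}

// SerialHex renders the serial as lowercase hex without leading zeros, which
// is how Boulder's /acme/cert/<serial> path shows it (assumed; used only to
// label the record, not to construct a URI the spec does not define).
func SerialHex(cert *x509.Certificate) string {
	return cert.SerialNumber.Text(16)
}

// NewRenewalRecord pairs a freshly issued certificate with the URI returned
// alongside it (CertificateResponse in the library discussed above).
func NewRenewalRecord(cert *x509.Certificate, certURI string) RenewalRecord {
	return RenewalRecord{CertURI: certURI, Serial: SerialHex(cert), NotAfter: cert.NotAfter}
}

// Save writes the record next to the cert and key files, mode 0600 because
// it sits in the same directory as private key material.
func (r RenewalRecord) Save(dir string) error {
	b, err := json.MarshalIndent(r, "", "  ")
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "renewal.json"), b, 0o600)
}

// LoadRenewalRecord reads the record back for a later renewal run.
func LoadRenewalRecord(dir string) (RenewalRecord, error) {
	var r RenewalRecord
	b, err := os.ReadFile(filepath.Join(dir, "renewal.json"))
	if err != nil {
		return r, err
	}
	err = json.Unmarshal(b, &r)
	return r, err
}

// DueForRenewal reports whether the certificate expires within window of now.
func DueForRenewal(rec RenewalRecord, now time.Time, window time.Duration) bool {
	return !now.Add(window).Before(rec.NotAfter)
}

// NewTestCert builds a constructed self-signed certificate with the given
// serial so the example runs offline; a real client would parse the
// certificate returned by the CA instead.
func NewTestCert(serial *big.Int, notAfter time.Time) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	cert, pemBytes, err := NewTestCert(big.NewInt(0xabc123), time.Now().Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "acme-renewal-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "cert.pem"), pemBytes, 0o600); err != nil {
		panic(err)
	}
	// Constructed placeholder for the Location header value; stored verbatim.
	rec := NewRenewalRecord(cert, "https://acme.example/acme/cert/"+SerialHex(cert))
	if err := rec.Save(dir); err != nil {
		panic(err)
	}
	got, err := LoadRenewalRecord(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("serial %s renews via %s; due within 30d: %v\n",
		got.Serial, got.CertURI, DueForRenewal(got, time.Now(), 30*24*time.Hour))
}
```

The URI is stored verbatim and only ever read back; nothing here rebuilds it from the serial, which is exactly the dependency on an undocumented Boulder path that the thread warns against.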