
Wildcard and ACME v2 support?

Open jamshid opened this issue 7 years ago • 6 comments

Thanks for this, it's been working great for the past couple of years, but I'm wanting to get a wildcard certificate and the Let's Encrypt FAQ says that requires the ACME v2 API. This tool uses the v1 API.

Are there plans to upgrade this tool to v2 or should I switch to https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/ ?

jamshid avatar Jul 30 '18 02:07 jamshid

Unfortunately, an ACME v2 version of the plugin won't actually enable you to get a wildcard certificate because wildcard certs require using the DNS challenge rather than the HTTP challenge. From the community forums:

Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

So the only thing migrating this ACME validation plugin to v2 does is ensure it continues to work if/when Let's Encrypt turns off v1 support. As far as I know, there's no established timeline for that yet particularly considering the v2 spec is still in draft status.

rmbolger avatar Jul 30 '18 05:07 rmbolger

There is a timeline now. :-)

https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

mdeneen avatar Jan 17 '20 13:01 mdeneen

Unfortunately, an ACME v2 version of the plugin won't actually enable you to get a wildcard certificate because wildcard certs require using the DNS challenge rather than the HTTP challenge. From the community forums:

Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

So the only thing migrating this ACME validation plugin to v2 does is ensure it continues to work if/when Let's Encrypt turns off v1 support. As far as I know, there's no established timeline for that yet particularly considering the v2 spec is still in draft status.

@janeczku With LE's policy of not allowing ACME-v01 for new authorizations, it would be nice if this plugin got updated to accommodate ACME-v02, as ACME-v01 gets deprecated in November 2020.

Cheers, and stay safe,

zenny avatar Aug 20 '20 20:08 zenny

Zenny,

It looks like HAProxy has integrated their own ACME v2 support: https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/

-M

mdeneen avatar Aug 22 '20 18:08 mdeneen

Hmm, that blog article was deleted; here is a snapshot: https://web.archive.org/web/20180623203616/https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/ It seems to reference this GitHub project, but that plugin might not be working with the latest Let's Encrypt (https://github.com/haproxytech/haproxy-lua-acme/issues/5)? I guess ACME v2 really was a draft and it went through late changes. https://github.com/haproxytech/haproxy-lua-acme

jamshid avatar May 25 '21 20:05 jamshid

I'm using acme-http01-webroot.lua with certbot. The http-01 challenge is still supported in ACME v2 so I would assume this project would continue working.

Did I miss something?

ryansch avatar May 26 '21 21:05 ryansch
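To make the http-01 versus dns-01 distinction raised in this thread concrete (rmbolger's point that wildcards need a DNS TXT record, and ryansch's point that http-01 survives in v2), here is an added example, not code from this plugin or its authors, that derives both challenge responses from a challenge token and the account key per RFC 8555 and RFC 7638. The JWK below is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import json

# Constructed sample account key (JWK). Only the shape matters here;
# the modulus is NOT a real RSA key.
SAMPLE_JWK = {"kty": "RSA", "n": "constructed-modulus-not-a-real-key_AAAA", "e": "AQAB"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, in
    lexicographic order, with no whitespace. Extra members such as
    'alg' or 'kid' and the input's key order must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint, the value both challenge types are built from."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict):
    """http-01: the webroot path the HAProxy plugin must serve over port 80
    and the exact body the CA expects to fetch there."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict):
    """dns-01: the TXT record name and value the CA looks up. A wildcard
    name is validated at its base domain, which is why '*.example.com'
    cannot be proven by serving a file from the webroot."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    tok = "constructed-token-xyz"  # constructed; a real token comes from the CA
    print("http-01 serve:", *http01_response(tok, SAMPLE_JWK))
    print("dns-01 TXT:", *dns01_record("*.example.com", tok, SAMPLE_JWK))
```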