
Add "dns-account-01" support from draft-ietf-acme-scoped-dns-challenges

Open sheurich opened this issue 1 year ago • 2 comments

This change implements the dns-account-01 ACME challenge as specified in draft-ietf-acme-scoped-dns-challenges.

The relevant validation label computation is:

"_" || base32(SHA-256(<ACCOUNT_RESOURCE_URL>)[0:10]) || "._acme-" || <SCOPE> || "-challenge"

where SCOPE is one of { host, wildcard }. A SCOPE of { domain } is unimplemented.

This implementation is interoperable with the https://github.com/eggsampler/acme changes in https://github.com/eggsampler/acme/pull/21 and passes the TestWildcardDNSAccount test.

This change also supplies a cursory integration test in https://github.com/fastly/pebble/commit/253e097e0b3c40fd55da39f0648236104f8fdb8e ("add eggsampler/acme tests"). The test is run in a similar manner to Boulder:

./t.sh

Solves https://github.com/letsencrypt/pebble/issues/425.

sheurich avatar Feb 21 '24 12:02 sheurich
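
The label computation quoted in the description, worked through as an added example (this is not Pebble's or the PR's code). It assumes RFC 4648 base32 without padding, lowercases the label for readability (DNS names are case-insensitive), and treats an identifier beginning with "*." as the wildcard scope with that label stripped, as dns-01 does; the account URL and identifiers are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"strings"
)

// Scope is the dns-account-01 challenge scope. Only host and wildcard are
// handled here, matching the PR; the draft's domain scope is left out.
type Scope string

const (
	ScopeHost     Scope = "host"
	ScopeWildcard Scope = "wildcard"
)

// accountLabel computes "_" || base32(SHA-256(accountURL)[0:10]).
// Ten hash bytes always encode to exactly 16 unpadded base32 characters,
// so the label is 17 characters. Lowercasing is an assumption (see lead-in).
func accountLabel(accountURL string) string {
	sum := sha256.Sum256([]byte(accountURL))
	enc := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(sum[:10])
	return "_" + strings.ToLower(enc)
}

// scopeFor picks the scope from the requested identifier: "*.example.org"
// validates under the wildcard scope at example.org, anything else under host.
func scopeFor(identifier string) (Scope, string) {
	if strings.HasPrefix(identifier, "*.") {
		return ScopeWildcard, strings.TrimPrefix(identifier, "*.")
	}
	return ScopeHost, identifier
}

// ValidationName is the fully qualified TXT name the VA must query for a
// dns-account-01 challenge on identifier, bound to the given account URL.
func ValidationName(accountURL, identifier string) string {
	scope, base := scopeFor(identifier)
	return fmt.Sprintf("%s._acme-%s-challenge.%s", accountLabel(accountURL), scope, base)
}

func main() {
	acct := "https://example.com/acme/acct/ExampleAccount" // constructed sample
	fmt.Println(ValidationName(acct, "example.org"))
	fmt.Println(ValidationName(acct, "*.example.org"))
}
```

Because the account URL is hashed into the label, two accounts validating the same name query different TXT names, which is the scoping the draft adds over dns-01.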

@aarongable @jsha this change is ready to begin a review. As some of the fixes are unrelated to the direct problem at hand, and possibly controversial, feel free to excise anything that doesn't fit.

Also note that the method for passing the additional scoping attributes from WFE to VA seems suboptimal and there may be a better fit for how the Pebble code aligns with Boulder. Any feedback in this area would be greatly appreciated.

sheurich avatar Feb 21 '24 12:02 sheurich

Awesome, I'm excited to do a full review of this! I'm on vacation this week, but will be able to do a full review on Monday (and other folks should be able to review before then). In the meantime, a bunch of CI improvements and fixes have been landed, so let's get this rebased on top of those / get those merged into this branch so it's just the code changes without accompanying infrastructure changes.

aarongable avatar Feb 27 '24 04:02 aarongable

@aarongable it's only the relevant code changes here. The integration tests have been moved to https://github.com/letsencrypt/pebble/pull/444.

sheurich avatar Mar 03 '24 17:03 sheurich

Good points @aaomidi. Other than that the code looks good to me, and we have an earlier approval from @aarongable. I'm going to land this, and we can explore plumbing the KID from the JWT as a separate PR.

jsha avatar Mar 18 '24 19:03 jsha