-
-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Server does not support auto-renewal #165
Comments
I think this behavior would be fatal. You say: "CA, please give me an auto-renewing certificate." The only reasonable reaction is to throw an exception. If this conflict would be ignored, you would get a certificate that you would expect to auto-renew, but instead it would just expire in a couple of months. |
The documentation currently reads:
To me, this means that if the feature is not supported by the CA then nothing will happen. There is no indication in the Javadoc that an error will be thrown if this is not the case. I was/am working under the assumption that end-users will run acme4j in a background thread regardless of the acme server implementation. So long as they have acme4j running in the background, they shouldn't care whether the server uses auto-renewal or not... it'll renew the certificate when and if it needs to. That said, the way that the method is currently specified (forbidding the use of I think either interpretation is fine, but the documentation should probably be updated accordingly. Thank you in advance. |
It is a builder, and as such, it will first collect your parameters. Validation takes place as soon as
This is not what acme4j is intended to be. It is meant to help with the ACME protocol, which is already a lot of work in itself (it's more than just having an client auto-generated by swagger or so). I intentionally decided against writing a service that does all the work of certificate creation and renewal. For that, I would need a framework (e.g. Spring) and some kind of persistence layer. As this project is a spare-time-one-man-show (and not something that is funded by any of the CAs involved), I really lack the time to do that. So... If the CA supports auto-renewal, you can ask it to create an auto-renewing certificate, and you will get a location URL of a cert that is automatically updated by the CA. If the CA does not support it, you have to go through the renewal process on your own.
It is explicitly specified in RFC 8739 that "the optional notBefore and notAfter fields [...] MUST NOT be present in a STAR Order. If they are included, the server MUST return an error with status code 400 (Bad Request) and type malformedRequest." |
Fair enough. So the only remaining point of this issue would be to improve the documentation. It currently says that some action will take place if the server supports the capability. I would expect it to add that if the capability is not supported, it will result in the failure of the |
Version 3.4.0
Per
Order.autoRenewal()
's Javadoc, it enables auto renewal if supported by the CA. Yet, when I invoke it, I get this exception:Expected behavior: If the server does not support auto-renewal then request a normal certificate.
Correct me if I'm wrong but I don't think that users care what mechanism the server uses to renew the certificate (manual or automatic) so long as it gets done.
The text was updated successfully, but these errors were encountered: