On 2018/01/15 19:46, Florian Obser wrote:
> On Mon, Jan 15, 2018 at 06:40:01PM +0100, Landry Breuil wrote:
> > On Mon, Jan 15, 2018 at 05:11:24PM +0000, Stuart Henderson wrote:
> > > On 2018/01/15 12:16, Stuart Henderson wrote:
> > > > I generally prefer to use acme-client than the python or bash+openssl(1)
> > > > monstrosities to fetch SSL certificates, but I have some systems where
> > > > I need to use the DNS-01 challenge type which was removed from the
> > > > version in base.
>
> IIRC we didn't remove it, we imported before Kristaps implemented
> dns-01. Then I looked how he implemented it, he mumbled something
> about popen and I ran away screaming...
Ahh - I thought it was there because I saw -t in getopt, but it turns out
that was used for something else previously.

> > > > Any objections or OKs to adding a port for Kristaps' original version
> > > > (attached)?
> > >
> > > Hrrmmmm. Now I've tried to actually run dns-01 from a shell script rather
> > > than faking it with copy-and-paste, I'm not sure if it's actually going to
> > > be all that useful...
> > >
> > > The mechanism requires
> > >
> > > 1. read from acme-client's stdout.
> > > 2. run a command based on that output.
> > > 3. when the command has run, echo the line back to acme-client's stdin.
> > >
> > > (repeat until EOF from acme-client.)
>
> ... with good reason as you discovered.
>
> > > I've tried with "eacme-client | (while read... )", various ways with
> > > fifos, and coroutines, but it all blocks somewhere. Now I started
> > > reading the expect(1) manual to try and do it that way which is never
> > > a good sign...
>
> While what Kristaps implemented looked doable in theory, I thought it
> would be very difficult to add to cronjobs or the like.

It's quite a clever way to avoid a bunch of extra complication to spawn a
process from a safe place within acme-client. But it's painful to figure
out how to use it.

> > Can't acme-client just spawn a user-configurable command and communicate
> > with it via fifos/stdin/stdout ? Fwiw, for dns-01 i use acme.sh which
> > works, but i agree it's not pretty....
>
> The way Benno and me wanted to implement it (but ENOTIME) was that you call
> acme-client multiple times.
> 1st call: give me the things that I need to put into DNS
> 2nd call: I put things into DNS, go ahead, do your thing.
>
> I have not looked at the protocol though. Maybe you need more calls?

It looks like you can have up to 300 pending auths with letsencrypt's rate
limits on the production CA, so I think it should be possible to use 2 calls
up to that limit (as long as you don't have auths get interrupted).
That wouldn't be particularly restrictive for typical single/small users, but hosting providers with a lot of client domains to renew at once could bump into it. Another question is which is easier to do: keeping state to separate things into 2 calls, or reworking things so a separate auth process can be spawned from a safe place.
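The read/run/echo-back loop quoted above is a bidirectional exchange, which is why
"acme-client | (while read ...)" blocks: the pipeline gives the loop a path from
acme-client's stdout but no path back to its stdin, and a fifo opened for writing
blocks until something has it open for reading. The script below is an added
example, not code from this thread or from acme-client: fake_acme is a constructed
stand-in for the dns-01 mode (print a "host token" line, wait for that line to come
back on stdin, continue), publish_txt is a hypothetical hook standing in for
nsupdate(1) or a DNS provider API, and the host names and tokens are made up. It
shows the open ordering that lets two fifos carry both directions without a deadlock.

```shell
#!/bin/sh
# Constructed stand-in for acme-client's dns-01 mode (not the real program):
# emit one "host token" line per challenge and block until the driver echoes
# the same line back on stdin, then move on to the next challenge.
fake_acme() {
    for chal in "example.com tok-aaa" "www.example.com tok-bbb"; do
        printf '%s\n' "$chal"
        read -r ack || return 1              # EOF from the driver: give up
        [ "$ack" = "$chal" ] || return 1     # refuse to continue on a mismatch
    done
}

# Hypothetical hook. A real deployment would run nsupdate(1) or call the DNS
# provider's API to publish _acme-challenge.<host> TXT "<token>"; this one
# appends the record to a log so the exchange can be inspected afterwards.
publish_txt() {   # $1 = host, $2 = token, $3 = log file
    printf '_acme-challenge.%s TXT %s\n' "$1" "$2" >> "$3"
}

# Drive the exchange. $1 = scratch directory for the fifos and the log.
# Returns 0 when every challenge was published and acknowledged.
drive_dns01() {
    dir=$1
    mkfifo "$dir/to_acme" "$dir/from_acme" || return 1

    # A blocking open() on a fifo only returns once the other end is open, so
    # order matters. The client opens to_acme (read) and then from_acme
    # (write); we open them for write and read in the same order, so each pair
    # of opens completes instead of the two processes waiting on each other.
    fake_acme < "$dir/to_acme" > "$dir/from_acme" &
    pid=$!
    exec 3> "$dir/to_acme" 4< "$dir/from_acme"

    n=0
    # Read directly from fd 4 rather than piping into the loop: a pipeline would
    # run the loop in a subshell with no way to write back to the client.
    while read -r host token <&4; do
        publish_txt "$host" "$token" "$dir/hooks.log" || break
        printf '%s %s\n' "$host" "$token" >&3   # echo the line back: go ahead
        n=$((n + 1))
    done

    # Closing fd 3 is what gives the client EOF if the hook failed mid-way.
    exec 3>&- 4<&-
    rc=0
    wait "$pid" || rc=$?
    rm -f "$dir/to_acme" "$dir/from_acme"
    [ "$rc" -eq 0 ] && [ "$n" -eq 2 ]
}

# Usage: run the exchange in a fresh directory and show what was "published".
scratch=$(mktemp -d)
if drive_dns01 "$scratch"; then
    cat "$scratch/hooks.log"
fi
```

If publish_txt fails the loop breaks, fd 3 is closed, fake_acme's read sees EOF and
exits non-zero, and drive_dns01 reports the failure instead of hanging; that is the
property a cron-driven renewal script needs, since a blocked job sits there until
the next run collides with it.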
