Re: [Acme] ACME breaking change: Most GETs become POSTs

Felix Fontein <felix@fontein.de> Fri, 31 August 2018 21:58 UTC

Date: Fri, 31 Aug 2018 23:57:41 +0200
From: Felix Fontein <felix@fontein.de>
To: acme@ietf.org
Message-ID: <20180831235741.5333d4e9@rovaniemi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/QaNXsGXgIUhsyDROAxwNYwsSizg>

Hi Richard,

> I was able to upgrade the lego client in a pretty short patch (5 files
> changed, 26 insertions(+), 16 deletions(-)) [0].  It interoperates
> with Daniel's branch of pebble.

you were faster :) I've adjusted Ansible's acme_certificate module to
also work with Daniel's branch in
https://github.com/ansible/ansible/pull/44988

Most of the changes are general refactoring to make use of a single URL
fetch method which has access to the ACME account data; the main part
related to POST-as-GET is only a few lines.

Cheers,
Felix



> 
> --Richard
> 
> [1] https://github.com/bifurcation/lego/pull/1
> 
> 
> 
> On Fri, Aug 31, 2018 at 2:56 PM Daniel McCarney <cpu@letsencrypt.org>
> wrote:
> 
> > I think its an anti-pattern to standardize protocol features that
> > haven't been implemented by anyone so here's a PR[0] for the Pebble
> > ACME server that implements Richard's proposal[1] to establish
> > viability. The proposal seems OK to me given the
> > trade-offs/alternatives on the table.
> >
> > I would encourage other ACME client/server developers to try their
> > hand at implementing the changes from [1] as well. I've tested my
> > PR with hand-rolled requests but not as part of an automated
> > issuance process with a "real" ACME client. Speak now or forever
> > hold your bugs.
> >
> > [0] - https://github.com/letsencrypt/pebble/pull/162
> > [1] - https://github.com/ietf-wg-acme/acme/pull/445/files
> >
> > On Fri, Aug 31, 2018 at 1:21 PM, Richard Barnes <rlb@ipv.sx> wrote:
> >  
> >> No, if a server receives a GET request for a resource other than
> >> those specified, then it MUST return 405.  But please check out
> >> the PR and see if it's clear there.
> >>
> >> On Fri, Aug 31, 2018 at 1:14 PM Salz, Rich <rsalz@akamai.com>
> >> wrote: 
> >>>
> >>>    - * Servers MUST return a 405 if they get a GET for a resource
> >>> other than directory/newNonce/certificate.
> >>>
> >>>
> >>>
> >>> They means client? Or there’s a word missing, and “they get a” is
> >>> “they do not support”
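The server-side rule quoted in the thread (plain GET only for directory/newNonce/certificate, 405 for any other GET) together with the client's POST-as-GET request (a JWS whose payload is the empty string), as an added example that is not part of this thread nor of pebble, lego or the Ansible module. ROUTES, the nonce set and the sign/verify hooks are assumptions standing in for a real server's router and its account-key JWS check.

```python
import base64
import json

# Resource types that may still be fetched with a plain GET under the
# proposal quoted in the thread; ROUTES is a constructed stand-in router.
GET_ALLOWED = {"directory", "newNonce", "certificate"}
ROUTES = {"/directory": "directory", "/acme/new-nonce": "newNonce",
          "/acme/cert/1": "certificate", "/acme/order/1": "order"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def post_as_get(url, nonce, kid, sign):
    """Client side: JWS whose payload is ""; `sign` is the account-key hook (assumed)."""
    protected = b64url(json.dumps(
        {"alg": "ES256", "kid": kid, "nonce": nonce, "url": url}).encode())
    sig = sign((protected + ".").encode())  # signing input: protected + "." + "" (empty payload)
    return json.dumps({"protected": protected, "payload": "", "signature": b64url(sig)})

def handle(method, path, body, base_url, nonces, verify):
    """Server side: (status, headers, action); `nonces` = unused issued nonces, `verify(kid, input, sig)` = account-key check (assumed)."""
    rtype = ROUTES.get(path)
    if rtype is None:
        return 404, {}, None
    if method == "GET" and rtype in GET_ALLOWED:
        return 200, {}, "fetch"
    if method != "POST":  # plain GET on anything else: the MUST from the thread
        return 405, {"Allow": "POST"}, None
    try:
        jws = json.loads(body)
        protected = json.loads(unb64url(jws["protected"]))
        payload, sig = jws["payload"], unb64url(jws["signature"])
        signing_input = (jws["protected"] + "." + payload).encode()
    except (ValueError, KeyError, TypeError):
        return 400, {}, None
    # The JWS must name this exact URL and spend a nonce this server issued.
    if (not isinstance(protected, dict) or protected.get("url") != base_url + path
            or protected.get("nonce") not in nonces):
        return 400, {}, None
    nonces.discard(protected["nonce"])
    if not verify(protected.get("kid"), signing_input, sig):
        return 401, {}, None
    # Empty payload = POST-as-GET (a read); anything else changes server state.
    return 200, {}, "fetch" if payload == "" else "update"
```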