Merge branch 'master' of github.com:unixcharles/acme-client into merg…

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/test.yml

@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['3.0', '3.1', '3.2', truffleruby]
+        faraday-version: ['~> 1.10', '~> 2.9']
+    env:
+      FARADAY_VERSION: ${{ matrix.faraday-version }}
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Run tests
+      run: bundle exec rake spec

CHANGELOG.md

@@ -1,3 +1,59 @@
+## `2.0.17`
+
+* Fix bug where depending on call order `jws` get generated with the wrong `kid`
+
+## `2.0.16`
+
+* Refactor Directory
+* Fix an issue where the client would crash when ACME provider return nonce for directory endpoint
+
+## `2.0.15`
+
+* Also pass connection_options to Faraday for Client#get_nonce
+
+
+## `2.0.14`
+
+* Fix Faraday HTTP exceptions leaking out, always raise `Acme::Client::Error` instead
+
+## `2.0.13`
+
+* Add support for External Account Binding
+
+## `2.0.12`
+
+* Update test matrix to current Ruby versions (2.7 to 3.2)
+* Support for Faraday retry 2.x
+
+## `2.0.11`
+
+* Add support for error code `AlreadyRevoked` and `BadPublicKey`
+
+## `2.0.10`
+
+* Support for Faraday 1.0 / 2.0
+
+## `2.0.9`
+
+* Support for Ruby 3.0 and Faraday 0.17.x
+* Raise when directory is rate limited
+
+## `2.0.8`
+
+* Add support for the keyChange endpoint
+
+https://tools.ietf.org/html/rfc8555#section-7.3.5
+
+
+## `2.0.7`
+
+* Add support for alternate certificate chain
+* Change `Link` headers parsing to return array of value. This add support multiple entries at the same `rel`
+
+## `2.0.6`
+
+* Allow Faraday up to `< 2.0`
+
 ## `2.0.5`
 
 * Use post-as-get

Gemfile

@@ -1,12 +1,12 @@
 source 'https://rubygems.org'
+
 gemspec
 
+if faraday_version = ENV['FARADAY_VERSION']
+  gem 'faraday', faraday_version
+end
+
 group :development, :test do
   gem 'pry'
-  gem 'rubocop', '~> 0.49.0'
   gem 'ruby-prof', require: false
-
-  if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new('2.2.2')
-    gem 'activesupport', '~> 4.2.6'
-  end
 end

README.md

@@ -1,15 +1,11 @@
 # Acme::Client
 
-[![Build Status](https://travis-ci.org/unixcharles/acme-client.svg?branch=master)](https://travis-ci.org/unixcharles/acme-client)
-
-`acme-client` is a client implementation of the ACMEv2 / [RFC 8555](https://tools.ietf.org/html/rfc8555) protocol in Ruby.
+`acme-client` is a client implementation of the ACME / [RFC 8555](https://tools.ietf.org/html/rfc8555) protocol in Ruby.
 
 You can find the ACME reference implementations of the [server](https://github.com/letsencrypt/boulder) in Go and the [client](https://github.com/certbot/certbot) in Python.
 
 ACME is part of the [Letsencrypt](https://letsencrypt.org/) project, which goal is to provide free SSL/TLS certificates with automation of the acquiring and renewal process.
 
-You can find ACMEv1 compatible client in the [acme-v1](https://github.com/unixcharles/acme-client/tree/acme-v1) branch.
-
 ## Installation
 
 Via RubyGems:
@@ -23,17 +19,26 @@ gem 'acme-client'
 ```
 
 ## Usage
-* [Setting up a client](#setting-up-a-client)
-* [Account management](#account-management)
-* [Obtaining a certificate](#obtaining-a-certificate)
-  * [Ordering a certificate](#ordering-a-certificate)
-  * [Completing an HTTP challenge](#preparing-for-http-challenge)
-  * [Completing an DNS challenge](#preparing-for-dns-challenge)
-  * [Requesting a challenge verification](#requesting-a-challenge-verification)
-  * [Downloading a certificate](#downloading-a-certificate)
-* [Extra](#extra)
-  * [Certificate revokation](#certificate-revokation)
-  * [Certificate renewal](#certificate-renewal)
+- [Acme::Client](#acmeclient)
+  - [Installation](#installation)
+  - [Usage](#usage)
+  - [Setting up a client](#setting-up-a-client)
+  - [Account management](#account-management)
+  - [Obtaining a certificate](#obtaining-a-certificate)
+    - [Ordering a certificate](#ordering-a-certificate)
+    - [Preparing for HTTP challenge](#preparing-for-http-challenge)
+    - [Preparing for DNS challenge](#preparing-for-dns-challenge)
+    - [Requesting a challenge verification](#requesting-a-challenge-verification)
+    - [Downloading a certificate](#downloading-a-certificate)
+    - [Ordering an alternative certificate](#ordering-an-alternative-certificate)
+  - [Extra](#extra)
+    - [Certificate revokation](#certificate-revokation)
+    - [Certificate renewal](#certificate-renewal)
+  - [Not implemented](#not-implemented)
+  - [Requirements](#requirements)
+  - [Development](#development)
+  - [Pull request?](#pull-request)
+  - [License](#license)
 
 ## Setting up a client
 
@@ -91,14 +96,23 @@ account.kid # => <kid string>
 
 If you already have an existing account (for example one created in ACME v1) please note that unless the `kid` is provided at initialization, the client will lazy load the `kid` by doing a `POST` to `newAccount` whenever the `kid` is required. Therefore, you can easily get your `kid` for an existing account and (if needed) store it for reuse:
 
-```
+```ruby
 client = Acme::Client.new(private_key: private_key, directory: 'https://acme-staging-v02.api.letsencrypt.org/directory')
 
 # kid is not set, therefore a call to newAccount is made to lazy-initialize the kid
 client.kid
 => "https://acme-staging-v02.api.letsencrypt.org/acme/acct/000000"
 ```
 
+## External Account Binding support
+
+You can use External Account Binding by providing a `external_account_binding` with a `kid` and `hmac_key`.
+
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme.zerossl.com/v2/DV90')
+account = client.new_account(contact: 'mailto:[email protected]', terms_of_service_agreed: true, external_account_binding: { kid: "your kid", hmac_key: "your hmac key"})
+```
+
 ## Obtaining a certificate
 ### Ordering a certificate
 
@@ -184,11 +198,27 @@ csr = Acme::Client::CertificateRequest.new(private_key: a_different_private_key,
 order.finalize(csr: csr)
 while order.status == 'processing'
   sleep(1)
-  challenge.reload
+  order.reload
 end
 order.certificate # => PEM-formatted certificate
 ```
 
+### Ordering an alternative certificate
+
+The provider may provide alternate certificate with different certificate chain. You can specify the required chain and the client will automatically download alternate certificate and match the chain by name.
+
+```ruby
+begin
+  order.certificate(force_chain: 'DST Root CA X3')
+rescue Acme::Client::Error::ForcedChainNotFound
+  order.certificate
+end
+```
+
+Note: if the specified forced chain doesn't match an existing alternative certificate the method will raise an `Acme::Client::Error::ForcedChainNotFound` error.
+
+Learn more about the original Github issue for this client [here](https://github.com/unixcharles/acme-client/issues/186), information from Let's Encrypt [here](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html), and cross-signing [here](https://letsencrypt.org/certificates/#cross-signing).
+
 ## Extra
 
 ### Certificate revokation
@@ -201,16 +231,22 @@ client.revoke(certificate: certificate)
 
 ### Certificate renewal
 
-The is no renewal process, just create a new order.
+There is no renewal process, just create a new order.
 
 
-## Not implemented
+### Account Key Roll-over
 
-- Account Key Roll-over.
+To change the key used for an account you can call `#account_key_change` with the new private key or jwk.
+
+```ruby
+require 'openssl'
+new_private_key = OpenSSL::PKey::RSA.new(4096)
+client.account_key_change(new_private_key: new_private_key)
+```
 
 ## Requirements
 
-Ruby >= 2.1
+Ruby >= 3.0
 
 ## Development
 
@@ -227,4 +263,3 @@ Yes.
 ## License
 
 [MIT License](http://opensource.org/licenses/MIT)
-