Building a Let’s Encrypt ACME V2 client
The Let’s Encrypt ACME v2 staging endpoint is live, with a planned production release date of February 27. This is a welcome event, primarily because it is going to bring wildcard certificate support to Let’s Encrypt.
That is something that is quite interesting for us, so I sat down and built an ACME v2 client for C#. You can find the C# ACME v2 Let’s Encrypt client here. You’ll note that this is a gist containing a single file, and indeed, this is all you need; the only dependency is JSON.Net.
Here is how you use this code for certificate generation:
Note that the code itself is geared toward our own use case (generating the certs as part of a setup process) and it only handles DNS challenges. This is partly why it is a gist rather than a project: it is just to share what we have done with others, not to take it upon ourselves to build a full-blown client.
I have to say that I like the v2 protocol much better; it seems much more intuitive to use and easier to work with. I particularly liked the fact that I can resume working on an order after a while, which means that failure modes such as failing to propagate a DNS update are now much more easily recoverable. It also means that trying to run the same order twice for some reason doesn’t generate a new order, but resumes the existing one, which is quite nice given the rate limits imposed by Let’s Encrypt.
Note that the code also makes assumptions, such as caching details for you behind the scenes, and it does not bother with other parts of the API that are not important for our needs (modifying an account or revoking a certificate).
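Because the client only handles DNS challenges, the one piece you have to supply yourself is publishing the challenge value at your DNS provider. The following is an added example, not code from the gist, showing how that value is derived from the challenge token and the ACME account key: the RFC 7638 JWK thumbprint, the key authorization, and the base64url SHA-256 digest that goes into the `_acme-challenge` TXT record (RFC 8555 section 8.4). It assumes .NET Core 2.0 or later for `RSA.Create(int)`, and the token and account key are constructed for the demo.

```csharp
// Added example (not from the gist): computes the value an ACME v2 DNS-01
// challenge expects in the _acme-challenge TXT record, per RFC 8555 §8.4 and
// the JWK thumbprint rules of RFC 7638. Token and key below are constructed.
using System;
using System.Security.Cryptography;
using System.Text;

public static class Dns01Challenge
{
    // base64url without padding, as ACME requires everywhere
    public static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // RFC 7638 thumbprint: SHA-256 over the canonical JSON of the public key,
    // required members only, in lexicographic order, with no whitespace.
    public static string RsaThumbprint(RSA accountKey)
    {
        RSAParameters p = accountKey.ExportParameters(false);
        string jwk = "{\"e\":\"" + Base64Url(p.Exponent) +
                     "\",\"kty\":\"RSA\",\"n\":\"" + Base64Url(p.Modulus) + "\"}";
        using (var sha = SHA256.Create())
            return Base64Url(sha.ComputeHash(Encoding.UTF8.GetBytes(jwk)));
    }

    // keyAuthorization = token || '.' || thumbprint(accountKey)
    public static string KeyAuthorization(string token, RSA accountKey) =>
        token + "." + RsaThumbprint(accountKey);

    // DNS-01 TXT value = base64url(SHA-256(keyAuthorization))
    public static string TxtRecordValue(string token, RSA accountKey)
    {
        string keyAuth = KeyAuthorization(token, accountKey);
        using (var sha = SHA256.Create())
            return Base64Url(sha.ComputeHash(Encoding.UTF8.GetBytes(keyAuth)));
    }

    public static void Main()
    {
        using (RSA accountKey = RSA.Create(2048))   // constructed: throw-away account key
        {
            string token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"; // constructed sample token
            Console.WriteLine("_acme-challenge.example.com. IN TXT \"" +
                              TxtRecordValue(token, accountKey) + "\"");
        }
    }
}
```

The same `KeyAuthorization` string, served unhashed at `/.well-known/acme-challenge/<token>`, is what an http-01 challenge would need instead; only the DNS variant hashes it.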
Comments
Perfect! But method UpdateDnsServer doesn't exist :)
nordic, Yes, because you need to integrate with your DNS provider for that.
Thanks for the code! Are CertificateRequest and SubjectAlternativeNameBuilder custom classes?
Miguel, Nope, they are part of CoreCLR :-)
How to use the http-01 challenge?
Kim, I'm using ACME 2 for the wildcard support, which requires DNS. If you want to use ACME 2 for this, look at the code and get the key auth challenge directly, then set it on the well-known path and invoke the completion.
Miguel, you're probably targeting netstandard2.0 which doesn't include CertificateRequest and SubjectAlternativeNameBuilder.
If you target netcoreapp2.0 these problems go away.
As far as I can tell the code won't work on Linux and MacOSX:
1. RSACryptoServiceProvider.ImportCspBlob(byte[]) isn't supported on Linux and MacOSX (lines 103, 327)
2. X509Certificate2.X509Certificate2(byte[]) isn't supported on MacOSX (line 289)
Thanks for all this work. I'm trying to use this in a Visual Studio website and getting lots of errors. When I use this class in a .NET Core project, the problems go away... but I'm hoping to use this in a .NET web site targeting .NET 4.7. What would I need to do to get this to work there?
troy, I would assume that in 4.7 you'll need some additional assemblies?