instant-acme/examples/provision.rs

use std::{io, time::Duration};

use clap::Parser;
use rcgen::{CertificateParams, DistinguishedName, KeyPair};
use tokio::time::sleep;
use tracing::{error, info};

use instant_acme::{
    Account, AuthorizationStatus, ChallengeType, Identifier, LetsEncrypt, NewAccount, NewOrder,
    OrderStatus,
};

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    tracing_subscriber::fmt::init();
    let opts = Options::parse();

    // Create a new account. This will generate a fresh ECDSA key for you.
    // Alternatively, restore an account from serialized credentials by
    // using `Account::from_credentials()`.

    let (account, credentials) = Account::create(
        &NewAccount {
            contact: &[],
            terms_of_service_agreed: true,
            only_return_existing: false,
        },
        LetsEncrypt::Staging.url(),
        None,
    )
    .await?;
    info!(
        "account credentials:\n\n{}",
        serde_json::to_string_pretty(&credentials).unwrap()
    );

    // Create the ACME order based on the given domain names.
    // Note that this only needs an `&Account`, so the library will let you
    // process multiple orders in parallel for a single account.

    let identifier = Identifier::Dns(opts.name);
    let mut order = account
        .new_order(&NewOrder {
            identifiers: &[identifier],
        })
        .await
        .unwrap();

    let state = order.state();
    info!("order state: {:#?}", state);
    assert!(matches!(state.status, OrderStatus::Pending));

    // Pick the desired challenge type and prepare the response.

    let authorizations = order.authorizations().await.unwrap();
    let mut challenges = Vec::with_capacity(authorizations.len());
    for authz in &authorizations {
        match authz.status {
            AuthorizationStatus::Pending => {}
            AuthorizationStatus::Valid => continue,
            _ => todo!(),
        }

        // We'll use the DNS challenges for this example, but you could
        // pick something else to use here.

        let challenge = authz
            .challenges
            .iter()
            .find(|c| c.r#type == ChallengeType::Dns01)
            .ok_or_else(|| anyhow::anyhow!("no dns01 challenge found"))?;

        let Identifier::Dns(identifier) = &authz.identifier;

        println!("Please set the following DNS record then press the Return key:");
        println!(
            "_acme-challenge.{} IN TXT {}",
            identifier,
            order.key_authorization(challenge).dns_value()
        );
        io::stdin().read_line(&mut String::new()).unwrap();

        challenges.push((identifier, &challenge.url));
    }

    // Let the server know we're ready to accept the challenges.

    for (_, url) in &challenges {
        order.set_challenge_ready(url).await.unwrap();
    }

    // Exponentially back off until the order becomes ready or invalid.

    let mut tries = 1u8;
    let mut delay = Duration::from_millis(250);
    loop {
        sleep(delay).await;
        let state = order.refresh().await.unwrap();
        if let OrderStatus::Ready | OrderStatus::Invalid = state.status {
            info!("order state: {:#?}", state);
            break;
        }

        delay *= 2;
        tries += 1;
        match tries < 5 {
            true => info!(?state, tries, "order is not ready, waiting {delay:?}"),
            false => {
                error!(tries, "order is not ready: {state:#?}");
                return Err(anyhow::anyhow!("order is not ready"));
            }
        }
    }

    let state = order.state();
    if state.status != OrderStatus::Ready {
        return Err(anyhow::anyhow!(
            "unexpected order status: {:?}",
            state.status
        ));
    }

    let mut names = Vec::with_capacity(challenges.len());
    for (identifier, _) in challenges {
        names.push(identifier.to_owned());
    }

    // If the order is ready, we can provision the certificate.
    // Use the rcgen library to create a Certificate Signing Request.

    let mut params = CertificateParams::new(names.clone())?;
    params.distinguished_name = DistinguishedName::new();
    let private_key = KeyPair::generate()?;
    let csr = params.serialize_request(&private_key)?;

    // Finalize the order and print certificate chain, private key and account credentials.

    order.finalize(csr.der()).await.unwrap();
    let cert_chain_pem = loop {
        match order.certificate().await.unwrap() {
            Some(cert_chain_pem) => break cert_chain_pem,
            None => sleep(Duration::from_secs(1)).await,
        }
    };

    info!("certficate chain:\n\n{}", cert_chain_pem);
    info!("private key:\n\n{}", private_key.serialize_pem());
    Ok(())
}

#[derive(Parser)]
struct Options {
    #[clap(long)]
    name: String,
}
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`use std::{io, time::Duration};`

			`use clap::Parser;`
Upgrade example to rcgen 0.13 2024-07-26 08:15:19 +00:00			`use rcgen::{CertificateParams, DistinguishedName, KeyPair};`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`use tokio::time::sleep;`
			`use tracing::{error, info};`

			`use instant_acme::{`
			`Account, AuthorizationStatus, ChallengeType, Identifier, LetsEncrypt, NewAccount, NewOrder,`
			`OrderStatus,`
			`};`

			`#[tokio::main]`
			`async fn main() -> anyhow::Result<()> {`
			`tracing_subscriber::fmt::init();`
			`let opts = Options::parse();`

			`// Create a new account. This will generate a fresh ECDSA key for you.`
			`// Alternatively, restore an account from serialized credentials by`
			// using `Account::from_credentials()`.

Only provide AccountCredentials at account creation time 2023-08-01 08:16:53 +00:00			`let (account, credentials) = Account::create(`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`&NewAccount {`
			`contact: &[],`
			`terms_of_service_agreed: true,`
			`only_return_existing: false,`
			`},`
			`LetsEncrypt::Staging.url(),`
Add support for EAB in newAccount requests 2023-05-15 08:42:58 +00:00			`None,`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`)`
			`.await?;`
Only provide AccountCredentials at account creation time 2023-08-01 08:16:53 +00:00			`info!(`
			`"account credentials:\n\n{}",`
			`serde_json::to_string_pretty(&credentials).unwrap()`
			`);`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00
			`// Create the ACME order based on the given domain names.`
			// Note that this only needs an `&Account`, so the library will let you
			`// process multiple orders in parallel for a single account.`

			`let identifier = Identifier::Dns(opts.name);`
Maintain OrderState within Order type 2023-03-15 15:26:52 +00:00			`let mut order = account`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`.new_order(&NewOrder {`
			`identifiers: &[identifier],`
			`})`
			`.await`
			`.unwrap();`

Maintain OrderState within Order type 2023-03-15 15:26:52 +00:00			`let state = order.state();`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`info!("order state: {:#?}", state);`
			`assert!(matches!(state.status, OrderStatus::Pending));`

			`// Pick the desired challenge type and prepare the response.`

Maintain OrderState within Order type 2023-03-15 15:26:52 +00:00			`let authorizations = order.authorizations().await.unwrap();`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`let mut challenges = Vec::with_capacity(authorizations.len());`
			`for authz in &authorizations {`
			`match authz.status {`
			`AuthorizationStatus::Pending => {}`
			`AuthorizationStatus::Valid => continue,`
			`_ => todo!(),`
			`}`

			`// We'll use the DNS challenges for this example, but you could`
			`// pick something else to use here.`

			`let challenge = authz`
			`.challenges`
			`.iter()`
			`.find(\|c\| c.r#type == ChallengeType::Dns01)`
			`.ok_or_else(\|\| anyhow::anyhow!("no dns01 challenge found"))?;`

			`let Identifier::Dns(identifier) = &authz.identifier;`

Tweak example code 2023-08-01 08:17:16 +00:00			`println!("Please set the following DNS record then press the Return key:");`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`println!(`
			`"_acme-challenge.{} IN TXT {}",`
			`identifier,`
			`order.key_authorization(challenge).dns_value()`
			`);`
			`io::stdin().read_line(&mut String::new()).unwrap();`

			`challenges.push((identifier, &challenge.url));`
			`}`

			`// Let the server know we're ready to accept the challenges.`

			`for (_, url) in &challenges {`
			`order.set_challenge_ready(url).await.unwrap();`
			`}`

			`// Exponentially back off until the order becomes ready or invalid.`

			`let mut tries = 1u8;`
			`let mut delay = Duration::from_millis(250);`
Maintain OrderState within Order type 2023-03-15 15:26:52 +00:00			`loop {`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`sleep(delay).await;`
Maintain OrderState within Order type 2023-03-15 15:26:52 +00:00			`let state = order.refresh().await.unwrap();`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`if let OrderStatus::Ready \| OrderStatus::Invalid = state.status {`
			`info!("order state: {:#?}", state);`
Maintain OrderState within Order type 2023-03-15 15:26:52 +00:00			`break;`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`}`

			`delay *= 2;`
			`tries += 1;`
			`match tries < 5 {`
			`true => info!(?state, tries, "order is not ready, waiting {delay:?}"),`
			`false => {`
Tweak example code 2023-08-01 08:17:16 +00:00			`error!(tries, "order is not ready: {state:#?}");`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`return Err(anyhow::anyhow!("order is not ready"));`
			`}`
			`}`
Maintain OrderState within Order type 2023-03-15 15:26:52 +00:00			`}`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00
Maintain OrderState within Order type 2023-03-15 15:26:52 +00:00			`let state = order.state();`
			`if state.status != OrderStatus::Ready {`
			`return Err(anyhow::anyhow!(`
			`"unexpected order status: {:?}",`
			`state.status`
			`));`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`}`

			`let mut names = Vec::with_capacity(challenges.len());`
			`for (identifier, _) in challenges {`
			`names.push(identifier.to_owned());`
			`}`

			`// If the order is ready, we can provision the certificate.`
			`// Use the rcgen library to create a Certificate Signing Request.`

Upgrade example to rcgen 0.13 2024-07-26 08:15:19 +00:00			`let mut params = CertificateParams::new(names.clone())?;`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`params.distinguished_name = DistinguishedName::new();`
Upgrade example to rcgen 0.13 2024-07-26 08:15:19 +00:00			`let private_key = KeyPair::generate()?;`
			`let csr = params.serialize_request(&private_key)?;`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00
			`// Finalize the order and print certificate chain, private key and account credentials.`

Upgrade example to rcgen 0.13 2024-07-26 08:15:19 +00:00			`order.finalize(csr.der()).await.unwrap();`
Postpone certificate retrieval until order is valid 2023-03-15 15:27:40 +00:00			`let cert_chain_pem = loop {`
			`match order.certificate().await.unwrap() {`
			`Some(cert_chain_pem) => break cert_chain_pem,`
			`None => sleep(Duration::from_secs(1)).await,`
			`}`
			`};`

			`info!("certficate chain:\n\n{}", cert_chain_pem);`
Upgrade example to rcgen 0.13 2024-07-26 08:15:19 +00:00			`info!("private key:\n\n{}", private_key.serialize_pem());`
Add certificate provisioning example 2022-11-30 00:17:58 +00:00			`Ok(())`
			`}`

			`#[derive(Parser)]`
			`struct Options {`
			`#[clap(long)]`
			`name: String,`
			`}`