diff --git a/acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/LetsEncryptAcmeProvider.java b/acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/LetsEncryptAcmeProvider.java
index 98bdeb50..d2dee002 100644
--- a/acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/LetsEncryptAcmeProvider.java
+++ b/acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/LetsEncryptAcmeProvider.java
@@ -20,6 +20,8 @@ import org.shredzone.acme4j.connector.HttpConnector;
 import org.shredzone.acme4j.exception.AcmeProtocolException;
 import org.shredzone.acme4j.provider.AbstractAcmeProvider;
 import org.shredzone.acme4j.provider.AcmeProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 /**
 * An {@link AcmeProvider} for Let's Encrypt.
@@ -27,13 +29,14 @@ import org.shredzone.acme4j.provider.AcmeProvider;
 * The {@code serverUri} is {@code "acme://letsencrypt.org"} for the production server,
 * and {@code "acme://letsencrypt.org/staging"} for a testing server.
 *
- * If you want to use Let's Encrypt, always prefer to use this provider, as it
- * takes care for the correct connection and SSL certificates.
+ * If you want to use Let's Encrypt, always prefer to use this provider.
 *
 * @see Let's Encrypt
 */
 public class LetsEncryptAcmeProvider extends AbstractAcmeProvider {
+ private static final Logger LOG = LoggerFactory.getLogger(LetsEncryptAcmeProvider.class);
+
 private static final String V01_DIRECTORY_URI = "https://acme-v01.api.letsencrypt.org/directory";
 private static final String STAGING_DIRECTORY_URI = "https://acme-staging.api.letsencrypt.org/directory";
@@ -63,8 +66,14 @@ public class LetsEncryptAcmeProvider extends AbstractAcmeProvider {
 }
 @Override
+ @SuppressWarnings("deprecation")
 protected HttpConnector createHttpConnector() {
- return new LetsEncryptHttpConnector();
+ if (Boolean.getBoolean("acme4j.le.certfix")) {
+ LOG.warn("Using a hardcoded Let's Encrypt certificate. It will expire by June 2018.");
+ return new LetsEncryptHttpConnector();
+ } else {
+ return super.createHttpConnector();
+ }
 }
 }
diff --git a/acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/LetsEncryptHttpConnector.java b/acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/LetsEncryptHttpConnector.java
index a8972a51..1f719561 100644
--- a/acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/LetsEncryptHttpConnector.java
+++ b/acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/LetsEncryptHttpConnector.java
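Review bot: The class Javadoc on the new side no longer says anything about how TLS trust for the Let's Encrypt endpoints is established, although the replaced sentence was the only place that documented it; a reader of this provider now has to discover the `acme4j.le.certfix` switch in createHttpConnector() or in the site docs. Suggest adding one sentence after the remaining "always prefer to use this provider." line: ` * Since version 0.12 the standard Java truststore is used; on JREs older than 8u101, set the {@code acme4j.le.certfix} system property to {@code true} to fall back to the pinned (deprecated, expiring June 2018) certificate.` The enclosing class continues past the end of this hunk.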
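Review bot: `Boolean.getBoolean("acme4j.le.certfix")` is evaluated on every createHttpConnector() call, so the warning is repeated on each connector creation and any code that calls System.setProperty later in the process can switch the client onto the pinned connector at runtime, whose hardcoded certificate will presumably be rejected at the TLS handshake once it expires (failing closed, which is the right outcome but worth stating in the message). Consider reading the flag once so the choice is fixed at class load and logged a single time, e.g. `private static final String CERTFIX_PROPERTY = "acme4j.le.certfix";` and `private static final boolean CERTFIX = Boolean.getBoolean(CERTFIX_PROPERTY);`, then `if (CERTFIX) {`. The log message should also carry the exact expiry date that the deprecation note on LetsEncryptHttpConnector gives (June 25th, 2018) rather than just "June 2018", so operators can plan the cutoff. The enclosing class starts before this hunk.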
@@ -32,7 +32,11 @@ import org.shredzone.acme4j.connector.HttpConnector;
 /**
 * {@link HttpConnector} to be used for Let's Encrypt. It is pinned to the Let's Encrypt
 * server certificate.
+ *
+ * @deprecated API server certificate CA is accepted by current JREs. There is no need
+ * for certificate pinning any more. Hardcoded certificate will expire by June 25th, 2018.
 */
+@Deprecated
 public class LetsEncryptHttpConnector extends HttpConnector {
 private static SSLSocketFactory sslSocketFactory;
diff --git a/src/site/markdown/ca/letsencrypt.md b/src/site/markdown/ca/letsencrypt.md
index 0f9d19d5..f2b2c43c 100644
--- a/src/site/markdown/ca/letsencrypt.md
+++ b/src/site/markdown/ca/letsencrypt.md
@@ -8,13 +8,9 @@ Web site: [Let's Encrypt](https://letsencrypt.org)
 * `acme://letsencrypt.org/staging` - Testing server
 * `acme://letsencrypt.org/v01` - Production server, pinned to API v01
-## Features
+## Compatibility
-* Accepts the ACME server certificate of Let's Encrypt even on older Java versions
-## Note
-* _Let's Encrypt_ diverges from the ACME specifications for various reasons. For this reason, some parts of the _acme4j_ API may not behave as documented. [See here for more details.](https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md)
+If you have to use a Java version that is older than 8u101 and does not accept the _IdenTrust_ certificates of the _Let's Encrypt_ servers, you can use a hardcoded local truststore as a workaround by setting the `acme4j.le.certfix` system property to `true`. Please note that the hardwired certificate will expire by June, 2018.
 ## Limits
diff --git a/src/site/markdown/migration.md b/src/site/markdown/migration.md
index ea06ee79..16147eff 100644
--- a/src/site/markdown/migration.md
+++ b/src/site/markdown/migration.md
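Review bot: The `@deprecated` text on the new side asserts there is "no need for certificate pinning any more", but what actually changed is that the IdenTrust CA is present in the default truststore from JRE 8u101 on; users who relied on this connector as a deliberate pin (trust narrower than the whole JRE cacerts) lose that property when they follow the deprecation and should be told so. Suggest rewording to ` * @deprecated The IdenTrust CA used by the Let's Encrypt API servers is trusted by the default truststore of JRE 8u101 and later, so this pinned connector is only needed on older JREs (enabled via the {@code acme4j.le.certfix} system property). Note that the default truststore accepts any CA shipped with the JRE; the pinned certificate itself expires on June 25th, 2018.` The project's Java 8 baseline (per migration.md) rules out `@Deprecated(since=..., forRemoval=...)`, so the bare annotation is fine here. The class body continues past the end of this hunk.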
@@ -2,6 +2,12 @@ This document will help you migrate your code to the latest _acme4j_ version.
+## Migration to Version 0.12
+
+Java support for the _IdenTrust_ certificate that is used by _Let's Encrypt_ servers was added to JRE 8u101 in July 2016. For this reason, _acme4j_ does not need to use a hardcoded local truststore anymore. It has been disabled in this version, and the standard Java truststore is used instead.
+
+If you have to use an older JRE, you can re-enable the local truststore by setting the `acme4j.le.certfix` system property to `true`. Please note that the local certificate will expire by June, 2018.
+
 ## Migration to Version 0.10
 Starting with version 0.10, _acme4j_ requires Java 8 or higher. This is also reflected in the API.