Disable hardcoded Let's Encrypt server certificate

Richard Körber 2017-09-20 20:53:35 +02:00
parent 0548fda9fd
commit 0f5b0e7b03
4 changed files with 24 additions and 9 deletions


@ -20,6 +20,8 @@ import org.shredzone.acme4j.connector.HttpConnector;
import org.shredzone.acme4j.exception.AcmeProtocolException; import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.provider.AbstractAcmeProvider; import org.shredzone.acme4j.provider.AbstractAcmeProvider;
import org.shredzone.acme4j.provider.AcmeProvider; import org.shredzone.acme4j.provider.AcmeProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/** /**
* An {@link AcmeProvider} for <em>Let's Encrypt</em>. * An {@link AcmeProvider} for <em>Let's Encrypt</em>.
@ -27,13 +29,14 @@ import org.shredzone.acme4j.provider.AcmeProvider;
* The {@code serverUri} is {@code "acme://letsencrypt.org"} for the production server, * The {@code serverUri} is {@code "acme://letsencrypt.org"} for the production server,
* and {@code "acme://letsencrypt.org/staging"} for a testing server. * and {@code "acme://letsencrypt.org/staging"} for a testing server.
* <p> * <p>
* If you want to use <em>Let's Encrypt</em>, always prefer to use this provider, as it * If you want to use <em>Let's Encrypt</em>, always prefer to use this provider.
* takes care for the correct connection and SSL certificates.
* *
* @see <a href="https://letsencrypt.org/">Let's Encrypt</a> * @see <a href="https://letsencrypt.org/">Let's Encrypt</a>
*/ */
public class LetsEncryptAcmeProvider extends AbstractAcmeProvider { public class LetsEncryptAcmeProvider extends AbstractAcmeProvider {
private static final Logger LOG = LoggerFactory.getLogger(LetsEncryptAcmeProvider.class);
private static final String V01_DIRECTORY_URI = "https://acme-v01.api.letsencrypt.org/directory"; private static final String V01_DIRECTORY_URI = "https://acme-v01.api.letsencrypt.org/directory";
private static final String STAGING_DIRECTORY_URI = "https://acme-staging.api.letsencrypt.org/directory"; private static final String STAGING_DIRECTORY_URI = "https://acme-staging.api.letsencrypt.org/directory";
@ -63,8 +66,14 @@ public class LetsEncryptAcmeProvider extends AbstractAcmeProvider {
} }
@Override @Override
@SuppressWarnings("deprecation")
protected HttpConnector createHttpConnector() { protected HttpConnector createHttpConnector() {
return new LetsEncryptHttpConnector(); if (Boolean.getBoolean("acme4j.le.certfix")) {
LOG.warn("Using a hardcoded Let's Encrypt certificate. It will expire by June 2018.");
return new LetsEncryptHttpConnector();
} else {
return super.createHttpConnector();
}
} }
} }
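Review bot: The warning logged when `acme4j.le.certfix` is set (line 38 of the hunk) does not name the property, so an operator who sees it in production logs has no pointer to the switch that re-enables the stale pinned truststore; suggest `LOG.warn("Using a hardcoded Let's Encrypt certificate (acme4j.le.certfix=true). It will expire by June 2018.");`. Once that bundled certificate has expired, the opt-in path will presumably make every connection fail the TLS handshake rather than fall back to the JRE truststore, which is the safe direction but deserves a line in the method's Javadoc, e.g. `/* Opt-in legacy pinning; after the bundled certificate expires this path fails closed rather than falling back. */`. The property is also read on every call, so toggling it at runtime changes which connector is returned; that looks intentional, but a comment saying so would stop a future reader from caching the result. The enclosing class is closed on the last line of the hunk, so no further context is hidden.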


@ -32,7 +32,11 @@ import org.shredzone.acme4j.connector.HttpConnector;
/** /**
* {@link HttpConnector} to be used for Let's Encrypt. It is pinned to the Let's Encrypt * {@link HttpConnector} to be used for Let's Encrypt. It is pinned to the Let's Encrypt
* server certificate. * server certificate.
*
* @deprecated API server certificate CA is accepted by current JREs. There is no need
* for certificate pinning any more. Hardcoded certificate will expire by June 25th, 2018.
*/ */
@Deprecated
public class LetsEncryptHttpConnector extends HttpConnector { public class LetsEncryptHttpConnector extends HttpConnector {
private static SSLSocketFactory sslSocketFactory; private static SSLSocketFactory sslSocketFactory;
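Review bot: The `@deprecated` Javadoc tag explains why the class is deprecated but does not name the replacement, which is what a caller migrating off it needs; suggest appending `Use the default {@link HttpConnector} returned by {@link AbstractAcmeProvider#createHttpConnector()} instead.` to the tag text. The class body continues outside the hunk, so whether the pinned `sslSocketFactory` initialization also reports the bundled certificate's expiry is not visible here. Since the migration notes state the project targets Java 8, `@Deprecated` cannot carry `since`/`forRemoval`, so the tag text is the only place to record the version in which removal is planned.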


@ -8,13 +8,9 @@ Web site: [Let's Encrypt](https://letsencrypt.org)
* `acme://letsencrypt.org/staging` - Testing server * `acme://letsencrypt.org/staging` - Testing server
* `acme://letsencrypt.org/v01` - Production server, pinned to API v01 * `acme://letsencrypt.org/v01` - Production server, pinned to API v01
## Features ## Compatibility
* Accepts the ACME server certificate of Let's Encrypt even on older Java versions If you have to use a Java version that is older than 8u101 and does not accept the _IdenTrust_ certificates of the _Let's Encrypt_ servers, you can use a hardcoded local truststore as a workaround by setting the `acme4j.le.certfix` system property to `true`. Please note that the hardwired certificate will expire by June, 2018.
## Note
* _Let's Encrypt_ diverges from the ACME specifications for various reasons. For this reason, some parts of the _acme4j_ API may not behave as documented. [See here for more details.](https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md)
## Limits ## Limits


@ -2,6 +2,12 @@
This document will help you migrate your code to the latest _acme4j_ version. This document will help you migrate your code to the latest _acme4j_ version.
## Migration to Version 0.12
Java support for the _IdenTrust_ certificate that is used by _Let's Encrypt_ servers was added to JRE 8u101 in July 2016. For this reason, _acme4j_ does not need to use a hardcoded local truststore anymore. It has been disabled in this version, and the standard Java truststore is used instead.
If you have to use an older JRE, you can re-enable the local truststore by setting the `acme4j.le.certfix` system property to `true`. Please note that the local certificate will expire by June, 2018.
## Migration to Version 0.10 ## Migration to Version 0.10
Starting with version 0.10, _acme4j_ requires Java 8 or higher. This is also reflected in the API. Starting with version 0.10, _acme4j_ requires Java 8 or higher. This is also reflected in the API.