Hi guys,

we have a problem to renew certificates, because we get an authorization errors. The real issue is that let's encrypt has changed (in January) the expire date of the authorization challenges from 60days to 30days (according to this: https://community.letsencrypt.org/t/upcoming-api-changes/17947).

Acutally, let's encrypt send us an email 10days before our certificate expire, but if we renew the certificate only 10days before with acmephp we get an error saying that we don't have authorization. So we need to re-run the whole authorization process and get a new certificate.

You can try to see your active authorization in .acmephp/master/private/yourdomain.com/authorization_challenge.json. Try to make a request to the url that you find in the "url" key: if you get a 404, you need to re-run the authorization, otherwise, you can make a renew.

What we can do? Run the renew each month, when the authorization is still valid.

It's sound strange that let's encrypt (with 100.000.000 certs) can't get an authorization more than 30days, but I think that the problem we got to renew a certificate is this one.

I am unable to renew the certificates on my 2 domains. One has already expired, the other is about to. I updated to the beta-2 and reran the commands with no luck. The cert files and such are also not being updated. Any idea what I could be doing wrong here?

http://i.imgur.com/jWAagJl.png

• [x] Tests
• [x] Rename challenger into ChallengeSolver
• [x] I don't like the "output" directly in challenger. The solver should "speak". => Maybe add method (getSolvingRecommendations)

ECDSA certificate signing is a completed feature of Let's Encrypt as of February, and ECDSA intermediates are expected by April 2017. Do you plan on making ECDSA certificate signing an option in the beta release?

Hi @tgalopin,

You mentioned in #3 that if I had any other questions, feel free to ask, so I'm cashing in on that offer. ;)

So I have just a few.

1. With the dns-01 challenge (yet to be implemented here, but I know it's on the todo list), it should automatically cover any subdomains in the certificate's Subject Alternate Name right? For instance if the certificate were for mydomain.com and the SAN had www.mydomain.com a single, successful dns-01 challenge that had the appropriate TXT record would be sufficient to cover both, and we could then get a certificate?

• Right now we are having to issue two http-01 challenges, one for mydomain.com, and another for www.mydomain.com, (even though they point to the same IP in 99% of cases) so we're trying to streamline that process if possible. And my thought was that implementing the dns-01 challenge might solve that. I'm not sure.

2. If I'm correct about that, are you already working on implementing the dns-01 challenge? We were thinking about forking the code and submitting a PR, but I'm sure you would be able to do it faster than us and probably already have an idea on how you want to design the code to handle this, especially if you're already working on it.

Thanks again for the awesome library

Running bin/acme authorize '*.domain.ext' gives following error -

In AuthorizeCommand.php line 95:

  This ACME server does not expose supported challenge.

In such case, acmephp should set dns as default resolver(If the domain starts with *)

if user specifies any non-dns solver, then error should be thrown that non-dns solvers are not allowed by acme in wildcard domains.

Everything looks fine in the CLI output...

$ php acmephp.phar --version
Acme PHP - Let's Encrypt client version 1.0.0-beta2

$ php acmephp.phar -n -v request art-und-weise.org -a www.art-und-weise.org
Loading account key pair...
Current certificate will expire in less than a week (2016-12-25 14:07:00), renewal is required.
Loading domain key pair...
Loading domain distinguished name...
Renewing certificate for domain art-und-weise.org ...

... however, the certs remain untouched:

$ ll .acmephp/master/certs/art-und-weise.org/
total 28
drwxr-s---+ 2 vm-admin www   76 26. Sep 15:40 .
drwxr-s---+ 4 vm-admin www   60 24. Okt 17:19 ..
-rw-------+ 1 vm-admin www 2179 26. Sep 17:07 cert.pem
-rw-------+ 1 vm-admin www 1647 26. Sep 17:07 chain.pem
-rw-------+ 1 vm-admin www 7098 26. Sep 17:07 combined.pem
-rw-------+ 1 vm-admin www 3826 26. Sep 17:07 fullchain.pem

... whereas distinguished_name.json is loaded:

$ ll .acmephp/master/private/art-und-weise.org/
total 28
drwxr-s---+ 2 vm-admin www  106 26. Sep 15:40 .
drwxr-s---+ 8 vm-admin www 4096 24. Okt 17:10 ..
-rw-------+ 1 vm-admin www  414 26. Sep 12:39 authorization_challenge.json
-rw-------+ 1 vm-admin www  286 20. Dez 16:59 distinguished_name.json
-rw-------+ 1 vm-admin www 3272 26. Sep 15:39 private.pem
-rw-------+ 1 vm-admin www  800 26. Sep 15:39 public.pem

My environment:

$ php --version
PHP 5.5.38-pl0-gentoo (cli) (built: Dec  5 2016 13:22:50) 
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

When testing with beta-3, I received:

Loading account key pair...  
Current certificate will expire in less than a week (2016-12-25 14:07:00), renewal is required.  
Loading domain key pair...  
Loading domain distinguished name...  
Renewing certificate for domain art-und-weise.org ...  

  [AcmePhp\Core\Exception\Server\UnauthorizedServerException (403)]                                                                                                                                                           
  [unauthorized] The client lacks sufficient authorization: Error creating new cert :: Authorizations for these names not found or expired: art-und-weise.org, www.art-und-weise.org (on request "POST https://acme-v01.api.
letsencrypt.org/acme/new-cert") 

What can be done to avoid an unpleasant christmas surprise? Thanks for your support.

Fixes #23

This PR contains 1 BC break DataSigner::signData now takes a string alg (RS256, ES384, ...) instead of a int (OPENSSL_ALGO_SHA256). bacause the the method openssl_sign returns a format PKCS, wereas EC256 expect a specific format.

First off, thanks for any time you can spend reviewing this PR! We greatly appreciate the work done on this lib and would love to give back. Revoke kind of helps round out the flow for managing a certificate.

I took some ideas from the python library as there is not much documentation on revoke, but it's simple enough. You can revoke once, and then subsequent attempts error our with a 409.

You must use the same account keypair used to request the certificate to sign the request.

That's about it!

$ php acmephp.phar --version
Acme PHP - Let's Encrypt client version 1.0.0-beta2

$ php acmephp.phar self-update
Updating...

Error: file_get_contents(): Peer certificate CN=`*.s3.amazonaws.com' did not match expected CN=`github.com'

You can also select update stability using --dev, --pre (alpha/beta/rc) or --stable.

Hi, I have site secured by the CloudFlare DNS and it provides its own ssl certificate that handles communication from client to DNS/CloudFlare. But communication from CF to server is not encrypted so CF offers free SSL certificate(or you can upload your own) for this purpose. I have opted for the free one(since it can be valid for 15 years it you like = no hassle with updating LE). I am trying to put it into my system that handles proxying and other stuff and the CertificateParser class will fail to parse the certificate because of missing issuer[CN] value.

So I am wondering who got this wrong - the parser or the issuer?

Logged an error every few hours in production:

AcmePhp\Core\Http\ServerErrorHandler::getResponseBodySummary(): Return value must be of type string, null returned

I think the answer is simply to adjust the return type to allow null (since \GuzzleHttp\Psr7\get_message_body_summary is capable of returning null)

git has tagged here the source for 2.1.0 but the website still tells you cli commands to get 1.0.1. im not even sure a user could use brain to get around that, as the newer tagged versions dont have the phar or signature files anymore.

I am receiving an error when trying to renew domains using acmephp. The below command throws an error. The argument values have been redacted...

php ~/acmephp.phar request --force --verbose --country "XXX" --province "XXX" --locality "XXX" --organization "XXX" --unit "XXX" --email "XXX" --alternative-name www.talus2.com talus2.com

Error details are below...

Loading account key pair...
Forced renewal.
Loading domain key pair...
Loading domain distinguished name...
Loading the order related to the domains talus2.com, www.talus2.com ...
Renewing certificate for domain talus2.com ...

In ServerErrorHandler.php line 107:

[AcmePhp\Core\Exception\Server\MalformedServerException (404)]
[malformed] The request message was malformed: No order for ID 72035838400 (on request "GET https://acme-v02.api.letsencrypt.org/acme/order/410462640/72035838400")

Exception trace: AcmePhp\Core\Http\ServerErrorHandler->createAcmeExceptionForResponse() at phar:///home/web/acmephp.phar/src/Core/Http/SecureHttpClient.php:344 AcmePhp\Core\Http\SecureHttpClient->handleClientException() at phar:///home/web/acmephp.phar/src/Core/Http/SecureHttpClient.php:224 AcmePhp\Core\Http\SecureHttpClient->unsignedRequest() at phar:///home/web/acmephp.phar/src/Core/Http/SecureHttpClient.php:197 AcmePhp\Core\Http\SecureHttpClient->signedKidRequest() at phar:///home/web/acmephp.phar/src/Core/AcmeClient.php:225 AcmePhp\Core\AcmeClient->finalizeOrder() at phar:///home/web/acmephp.phar/src/Cli/Command/RequestCommand.php:314 AcmePhp\Cli\Command\RequestCommand->executeRenewal() at phar:///home/web/acmephp.phar/src/Cli/Command/RequestCommand.php:100 AcmePhp\Cli\Command\RequestCommand->execute() at phar:///home/web/acmephp.phar/vendor/symfony/console/Command/Command.php:255 Symfony\Component\Console\Command\Command->run() at phar:///home/web/acmephp.phar/vendor/symfony/console/Application.php:946 Symfony\Component\Console\Application->doRunCommand() at phar:///home/web/acmephp.phar/vendor/symfony/console/Application.php:248 Symfony\Component\Console\Application->doRun() at phar:///home/web/acmephp.phar/vendor/symfony/console/Application.php:148 Symfony\Component\Console\Application->run() at phar:///home/web/acmephp.phar/bin/acme:41 require() at /home/web/acmephp.phar:10

In RequestException.php line 113:

[GuzzleHttp\Exception\ClientException (404)]
Client error: GET https://acme-v02.api.letsencrypt.org/acme/order/410462640/72035838400 resulted in a 404 Not Found response:
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "No order for ID 72035838400",
"status": 404
}

Exception trace: GuzzleHttp\Exception\RequestException::create() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/guzzle/src/Middleware.php:66 GuzzleHttp\Middleware::GuzzleHttp{closure}() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/promises/src/Promise.php:203 GuzzleHttp\Promise\Promise::callHandler() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/promises/src/Promise.php:156 GuzzleHttp\Promise\Promise::GuzzleHttp\Promise{closure}() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/promises/src/TaskQueue.php:47 GuzzleHttp\Promise\TaskQueue->run() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/promises/src/Promise.php:246 GuzzleHttp\Promise\Promise->invokeWaitFn() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/promises/src/Promise.php:223 GuzzleHttp\Promise\Promise->waitIfPending() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/promises/src/Promise.php:267 GuzzleHttp\Promise\Promise->invokeWaitList() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/promises/src/Promise.php:225 GuzzleHttp\Promise\Promise->waitIfPending() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/promises/src/Promise.php:62 GuzzleHttp\Promise\Promise->wait() at phar:///home/web/acmephp.phar/vendor/guzzlehttp/guzzle/src/Client.php:106 GuzzleHttp\Client->send() at phar:///home/web/acmephp.phar/src/Core/Http/SecureHttpClient.php:222 AcmePhp\Core\Http\SecureHttpClient->unsignedRequest() at phar:///home/web/acmephp.phar/src/Core/Http/SecureHttpClient.php:197 AcmePhp\Core\Http\SecureHttpClient->signedKidRequest() at phar:///home/web/acmephp.phar/src/Core/AcmeClient.php:225 AcmePhp\Core\AcmeClient->finalizeOrder() at phar:///home/web/acmephp.phar/src/Cli/Command/RequestCommand.php:314 AcmePhp\Cli\Command\RequestCommand->executeRenewal() at phar:///home/web/acmephp.phar/src/Cli/Command/RequestCommand.php:100 AcmePhp\Cli\Command\RequestCommand->execute() at phar:///home/web/acmephp.phar/vendor/symfony/console/Command/Command.php:255 Symfony\Component\Console\Command\Command->run() at phar:///home/web/acmephp.phar/vendor/symfony/console/Application.php:946 Symfony\Component\Console\Application->doRunCommand() at phar:///home/web/acmephp.phar/vendor/symfony/console/Application.php:248 Symfony\Component\Console\Application->doRun() at phar:///home/web/acmephp.phar/vendor/symfony/console/Application.php:148 Symfony\Component\Console\Application->run() at phar:///home/web/acmephp.phar/bin/acme:41 require() at /home/web/acmephp.phar:10

request [-f|--force] [--country COUNTRY] [--province PROVINCE] [--locality LOCALITY] [--organization ORGANIZATION] [--unit UNIT] [--email EMAIL] [-a|--alternative-name ALTERNATIVE-NAME] [--]

Hey, I may have missed the obvious, but is there any documentation besides examples?

The landing page https://acmephp.github.io/ tells me there are at least four command line arguments:

# Register your account key in Let's Encrypt
$ php acmephp.phar register [email protected]

# Prove you own the domain "mydomain.com"
$ php acmephp.phar authorize mydomain.com

# Ask the server to check your proof
$ php acmephp.phar check mydomain.com

# Get the certificate!
$ php acmephp.phar request mydomain.com

On the other hand php acmephp.phar --help tells me that php acmephp.phar list would list all commands, but it lists:

Available commands:
  help         Displays help for a command
  list         Lists commands
  revoke       Revoke a SSL certificate for a domain
  run          Automatically challenge domains and request certificates configured in the given file
  self-update  Update acmephp.phar to most recent stable, pre-release or development build.
  status       List all the certificates handled by Acme PHP

There is no mention of the above commands... And it looks like they don't work (version mismatch?!).

Well okay, https://acmephp.github.io/documentation/getting-started/2-obtain-certificate-easy.html tells me I should use php acmephp.phar run config.yml with a config-file. The example config-file is also in the readme. But other than this I cannot find any documentation what keys and values I can use in the config file, how it should be structured and what the keys/values actually do. Is this all what is available, or did I miss something?

My basic questions are:

• How do I set the ACME provider used? I don't want to use LetsEncrypt, I'd like to use https://acme.sectigo.com/v2/DV instead
• How do I set the destination for the http challenge file? document root is on the local filesysem, I don't need ftp

Thx

AcmePhp\Cli\Command\SelfUpdateCommand uses features of the abandoned package padraic/phar-updater.

I'm not sure about a proper replacement. https://github.com/consolidation/self-update seems to have similar features.