ACME Integration

This section describes the integration with the Automated Certificate Management Environment (ACME) protocol, enabling automated issuance and renewal of SSL/TLS certificates.

Key Functionalities

ACME Dashboard

  • Endpoint: /acme
  • Description: Provides an overview of active ACME accounts and a list of recent ACME orders, offering a quick status glance.

ACME Account Management

  • Endpoints:
    • GET /acme/accounts: Lists all ACME accounts configured in the system.
    • GET /acme/accounts/create: Displays the form for creating a new ACME account.
    • POST /acme/accounts: Submits data to register a new ACME account with an ACME server.
  • Requirements for Account Creation:
    • email: A required email address for the ACME account.
    • acme_server: The URL of the ACME server (e.g., Let's Encrypt staging or production endpoint).
    • contact: An optional array of contact strings.
  • Process: The system uses the AcmeService to register the account with the specified ACME server.
  • Audit Logging: Records ACME account creation events and any associated failures.

ACME Order Management

  • Endpoints:
    • GET /acme/orders/create: Displays the form for creating a new ACME order.
    • POST /acme/orders: Submits data to initiate a new ACME order for certificate issuance.
  • Requirements for Order Creation:
    • account_id: The ID of an existing, active ACME account.
    • domains: A required comma-separated string of domain names for which the certificate is requested.
  • Process: The system validates the domain formats and then uses the AcmeService to create the order with the ACME server.
  • Audit Logging: Records ACME order creation events and any associated failures.
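The order-creation step above accepts a comma-separated `domains` string and validates each name before it is sent to the ACME server. The following is an added example (not the project's own code) of what that parsing and validation can look like: it splits the field, normalises case and trailing dots, rejects malformed labels and IP-address-like names, de-duplicates, and only admits a leading wildcard label when the caller explicitly allows it (wildcards can only be validated with dns-01). The function names and the `allow_wildcard` flag are assumptions for illustration; internationalised names are expected to arrive already punycode-encoded.

```python
import re
from typing import List, Set

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_valid_domain(name: str, allow_wildcard: bool = False) -> bool:
    """Return True if `name` is a syntactically valid hostname for an ACME order.

    A single leading '*.' label is accepted only when allow_wildcard is set.
    """
    if len(name) > 253:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        if not allow_wildcard:
            return False
        labels = labels[1:]
    if len(labels) < 2:          # require at least one dot (no bare TLDs / hostnames)
        return False
    if not all(_LABEL_RE.fullmatch(label) for label in labels):
        return False
    if labels[-1].isdigit():     # an all-numeric last label means an IP address, not a name
        return False
    return True


def parse_domains(raw: str, allow_wildcard: bool = False) -> List[str]:
    """Split the comma-separated `domains` form field into a validated list.

    Names are lower-cased, trailing dots dropped, blanks ignored and duplicates
    removed while preserving input order. Raises ValueError naming the first
    offending entry so the form can report it back to the user.
    """
    seen: Set[str] = set()
    result: List[str] = []
    for part in raw.split(","):
        name = part.strip().lower().rstrip(".")
        if not name:
            continue  # tolerate trailing commas and empty fields
        if not is_valid_domain(name, allow_wildcard):
            raise ValueError(f"invalid domain name: {part.strip()!r}")
        if name not in seen:
            seen.add(name)
            result.append(name)
    if not result:
        raise ValueError("at least one domain is required")
    return result


if __name__ == "__main__":
    # Constructed sample input, as a user might type it into the order form.
    print(parse_domains("Example.com, www.example.com., example.com"))
```

Rejecting IP-literal and single-label names here matters because public ACME servers will refuse them anyway; failing early keeps the order from being created in a state that can never be validated, and the ValueError message gives the audit log something concrete to record.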

ACME Challenge Management

  • Endpoints:
    • GET /acme/orders/{order}/challenges: Displays the challenges that need to be completed for a specific ACME order.
    • POST /acme/challenges/{challenge}/respond: Submits a response to a specific ACME challenge.
  • Challenge Types: Supports common ACME challenge types, including http-01 and dns-01.
  • Process:
    1. Challenge Retrieval: The system retrieves the current challenges for an order from the ACME server via AcmeService.
    2. Challenge Preparation: Based on the challenge_type (e.g., http-01 or dns-01), the AcmeService prepares the data that must be published (e.g., the file content for http-01, the DNS TXT record value for dns-01).
    3. Challenge Response: Once the user has deployed the prepared data (e.g., placed the file on their web server or added the DNS record), the system calls AcmeService->respondToChallenge() to tell the ACME server that the challenge is ready for validation.
    4. Status Update: The status of the AcmeChallenge is updated in the system.
  • Audit Logging: Records challenge viewing and response events, along with any failures.
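The "Challenge Preparation" step above produces the data the user must publish. What that data is comes from the ACME specification (RFC 8555, sections 8.1, 8.3 and 8.4): the key authorization is the challenge token joined with a `.` to the RFC 7638 thumbprint of the account's public key; http-01 serves that string at `/.well-known/acme-challenge/<token>`, and dns-01 publishes the base64url SHA-256 of it in a TXT record at `_acme-challenge.<domain>` (with the `*.` label removed for wildcard names). The block below is an added example of that computation, not the AcmeService's own code; it assumes the account public key is available as a JWK dict and uses a constructed, non-functional sample key. The token check at the top is the practitioner's caveat: a token that is not plain base64url should never be used to build a file path.

```python
import base64
import hashlib
import json
import re

# RFC 8555 §8.1: tokens consist of base64url characters only. Enforcing that
# before the token is used in a path or URL keeps the http-01 file inside the
# challenge directory whatever the server sends.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

# RFC 7638 §3.2: the members that feed the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, serialized with no whitespace. Optional members such
    as alg or kid are deliberately ignored, so they cannot change the result."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError:
        raise ValueError("unsupported or missing kty")
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: keyAuthorization = token || '.' || base64url(thumbprint)."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("challenge token is not base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def prepare_challenge(challenge_type: str, domain: str, token: str, account_jwk: dict) -> dict:
    """Return what the user has to publish for the given challenge type."""
    key_auth = key_authorization(token, account_jwk)
    if challenge_type == "http-01":
        if domain.startswith("*."):
            raise ValueError("wildcard names can only be validated with dns-01")
        path = f"/.well-known/acme-challenge/{token}"
        return {"type": "http-01", "path": path, "url": f"http://{domain}{path}", "body": key_auth}
    if challenge_type == "dns-01":
        # For a wildcard identifier the TXT record lives at the base name.
        base = domain[2:] if domain.startswith("*.") else domain
        digest = hashlib.sha256(key_auth.encode("ascii")).digest()
        return {"type": "dns-01", "record": f"_acme-challenge.{base}", "rrtype": "TXT", "value": b64url(digest)}
    raise ValueError(f"unsupported challenge type: {challenge_type}")


# Constructed sample account key (public members only); this is not a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz", "alg": "RS256", "kid": "demo"}

if __name__ == "__main__":
    print(prepare_challenge("http-01", "www.example.com", "tok_en-1", SAMPLE_JWK))
    print(prepare_challenge("dns-01", "*.example.com", "tok_en-1", SAMPLE_JWK))
```

Because the thumbprint is bound to the account key, the published value proves control of the name only to the account that requested it; the status recorded in step 4 should therefore be taken from the server's response after AcmeService->respondToChallenge(), not assumed locally once the data is deployed.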

Inferred Specifications

  • ACME Protocol Compliance: The system adheres to the ACME protocol (RFC 8555) for secure and automated certificate management.
  • Automated Certificate Lifecycle: The primary goal is to automate the entire process of obtaining, validating, and renewing SSL/TLS certificates.
  • Flexible Account Configuration: Users can configure multiple ACME accounts with different email contacts and target different ACME servers.
  • Multi-Domain Support: ACME orders can be created for multiple domain names within a single certificate.
  • Supported Challenge Types: The system explicitly supports http-01 and dns-01 challenge types for domain validation.
  • Robust Domain Validation: Basic validation of domain names is performed during order creation.
  • Comprehensive Audit Trail: All critical ACME operations, including account creation, order initiation, challenge viewing, and challenge responses, are logged for security, compliance, and troubleshooting.
  • User Authentication: All ACME-related operations require an authenticated user, ensuring accountability.
  • Error Handling: The system includes robust error handling and logging mechanisms for ACME interactions, providing clear feedback on failures.
