mirror of
https://github.com/moepman/acertmgr.git
synced 2024-11-14 06:55:29 +01:00
configuration: Force user to agree to the authorities Terms of Service
Authorities (e.g. Let's Encrypt) usually have Terms of Serivce (ToS) that have to be agreed to. Up until this point we automatically indicated agreement to those ToS and sent the necessary value. This commit changes the behaviour to be in line with recommendations from Let's Encrypt that the user themselves have to indicate their agreement by no longer automatically doing so (except for cases of legacy configuration files to provide compatibility). The user can now indicate ToS agreement by either setting the associated configuration variable (authority_tos_agreement) to the required value and/or providing the required value via a command-line parameter (--authority-tos-agreement=<value>/--tos-agreement=<value>/--tos=<value>)
This commit is contained in:
parent
784badf54b
commit
316ecdba2e
@ -41,6 +41,8 @@ You can optionally provide the key files for the ACME protocol, if you do not th
|
||||
Finally, you need to setup the configuration files, as shown in the next section.
|
||||
While testing, you can use the acme-staging authority instead, in order to avoid issuing too many certificates.
|
||||
|
||||
Authorities (e.g. our default Let's Encrypt) will require you to accept their Terms of Service. This can be done either in the optional global config file and/or via a commandline parameter (see acertmgr.py --help).
|
||||
|
||||
Configuration
|
||||
-------------
|
||||
|
||||
@ -58,12 +60,12 @@ All configuration files can use yaml (requires PyYAML) or json syntax.
|
||||
#api: v1
|
||||
#authority: "https://acme-v01.api.letsencrypt.org"
|
||||
#authority: "https://acme-staging.api.letsencrypt.org"
|
||||
#authority_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
|
||||
#authority_tos_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
|
||||
# Current (default) ACME v2 API with options:
|
||||
#api: v2
|
||||
#authority: "https://acme-v02.api.letsencrypt.org"
|
||||
#authority: "https://acme-staging-v02.api.letsencrypt.org"
|
||||
#authority_agreement: "True" # Indicates you agree to the ToS stated by the API provider
|
||||
authority_tos_agreement: "true" # Indicates you agree to the ToS stated by the API provider
|
||||
#authority_contact_email: "foo@b.ar" # For single addresses
|
||||
#authority_contact_email: # For multiple addresses
|
||||
# - "foo@b.ar"
|
||||
|
@ -35,7 +35,7 @@ class ACMEAuthority(AbstractACMEAuthority):
|
||||
def __init__(self, config, key):
|
||||
AbstractACMEAuthority.__init__(self, config, key)
|
||||
self.ca = config['authority']
|
||||
self.agreement = config['authority_agreement']
|
||||
self.agreement = config['authority_tos_agreement']
|
||||
|
||||
# @brief create the header information for ACME communication
|
||||
# @param key the account key
|
||||
|
@ -34,7 +34,7 @@ class ACMEAuthority(AbstractACMEAuthority):
|
||||
AbstractACMEAuthority.__init__(self, config, key)
|
||||
# Initialize config vars
|
||||
self.ca = config['authority']
|
||||
self.agreement = str(config.get('authority_agreement')) == 'true'
|
||||
self.tos_agreed = str(config.get('authority_tos_agreement')).lower() == 'true'
|
||||
contact_email = config.get('authority_contact_email')
|
||||
if contact_email is None:
|
||||
self.contact = None
|
||||
@ -128,7 +128,7 @@ class ACMEAuthority(AbstractACMEAuthority):
|
||||
def register_account(self):
|
||||
protected = copy.deepcopy(self.account_protected)
|
||||
payload = {
|
||||
"termsOfServiceAgreed": self.agreement,
|
||||
"termsOfServiceAgreed": self.tos_agreed,
|
||||
"onlyReturnExisting": False,
|
||||
}
|
||||
if self.contact:
|
||||
|
@ -24,7 +24,7 @@ DEFAULT_KEY_LENGTH = 4096 # bits
|
||||
DEFAULT_TTL = 30 # days
|
||||
DEFAULT_API = "v2"
|
||||
DEFAULT_AUTHORITY = "https://acme-v02.api.letsencrypt.org"
|
||||
DEFAULT_AUTHORITY_AGREEMENT = "True"
|
||||
LEGACY_AUTHORITY_TOS_AGREEMENT = "true"
|
||||
|
||||
|
||||
# @brief augment configuration with defaults
|
||||
@ -54,7 +54,7 @@ def update_config_value(config, name, localconfig, globalconfig, default):
|
||||
|
||||
|
||||
# @brief load the configuration from a file
|
||||
def parse_config_entry(entry, globalconfig, work_dir):
|
||||
def parse_config_entry(entry, globalconfig, work_dir, authority_tos_agreement):
|
||||
config = dict()
|
||||
|
||||
# Basic domain information
|
||||
@ -71,8 +71,8 @@ def parse_config_entry(entry, globalconfig, work_dir):
|
||||
# Certificate authority
|
||||
update_config_value(config, 'authority', entry, globalconfig, DEFAULT_AUTHORITY)
|
||||
|
||||
# Certificate authority agreement
|
||||
update_config_value(config, 'authority_agreement', entry, globalconfig, DEFAULT_AUTHORITY_AGREEMENT)
|
||||
# Certificate authority ToS agreement
|
||||
update_config_value(config, 'authority_tos_agreement', entry, globalconfig, authority_tos_agreement)
|
||||
|
||||
# Certificate authority contact email addresses
|
||||
update_config_value(config, 'authority_contact_email', entry, globalconfig, None)
|
||||
@ -148,6 +148,8 @@ def load():
|
||||
help="domain configuration directory (default='{}')".format(DEFAULT_CONF_DIR))
|
||||
parser.add_argument("-w", "--work-dir", nargs="?",
|
||||
help="persistent work data directory (default=config_dir)")
|
||||
parser.add_argument("--authority-tos-agreement", "--tos-agreement", "--tos", nargs="?",
|
||||
help="Agree to the authorities Terms of Service (value required depends on authority)")
|
||||
args = parser.parse_args()
|
||||
|
||||
# Determine global configuration file
|
||||
@ -175,6 +177,15 @@ def load():
|
||||
# .. or use the domain configuration directory otherwise
|
||||
work_dir = domain_config_dir
|
||||
|
||||
# Determine authority agreement
|
||||
if args.authority_tos_agreement:
|
||||
authority_tos_agreement = args.authority_tos_agreement
|
||||
elif global_config_file == LEGACY_CONF_FILE:
|
||||
# Old global config file assumes ToS are agreed
|
||||
authority_tos_agreement = LEGACY_AUTHORITY_TOS_AGREEMENT
|
||||
else:
|
||||
authority_tos_agreement = None
|
||||
|
||||
# load global configuration
|
||||
globalconfig = dict()
|
||||
if os.path.isfile(global_config_file):
|
||||
@ -203,11 +214,11 @@ def load():
|
||||
try:
|
||||
import json
|
||||
for entry in json.load(config_fd).items():
|
||||
config.append(parse_config_entry(entry, globalconfig, work_dir))
|
||||
config.append(parse_config_entry(entry, globalconfig, work_dir, authority_tos_agreement))
|
||||
except ValueError:
|
||||
import yaml
|
||||
config_fd.seek(0)
|
||||
for entry in yaml.safe_load(config_fd).items():
|
||||
config.append(parse_config_entry(entry, globalconfig, work_dir))
|
||||
config.append(parse_config_entry(entry, globalconfig, work_dir, authority_tos_agreement))
|
||||
|
||||
return config
|
||||
|
@ -4,12 +4,12 @@
|
||||
#api: v1
|
||||
#authority: "https://acme-v01.api.letsencrypt.org"
|
||||
#authority: "https://acme-staging.api.letsencrypt.org"
|
||||
#authority_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
|
||||
#authority_tos_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
|
||||
# Current (default) ACME v2 API with options:
|
||||
#api: v2
|
||||
#authority: "https://acme-v02.api.letsencrypt.org"
|
||||
#authority: "https://acme-staging-v02.api.letsencrypt.org"
|
||||
#authority_agreement: "True" # Indicates you agree to the ToS stated by the API provider
|
||||
authority_tos_agreement: "true" # Indicates you agree to the ToS stated by the API provider
|
||||
#authority_contact_email: "foo@b.ar" # For single addresses
|
||||
#authority_contact_email: # For multiple addresses
|
||||
# - "foo@b.ar"
|
||||
|
Loading…
Reference in New Issue
Block a user