Download the PHP package mbretter/acme2-library without Composer
On this page you can find all versions of the php package mbretter/acme2-library. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package acme2-library
Short Description ACME2 low level library
License MIT
Homepage https://github.com/mbretter/acme2
Information about the package acme2-library
acme2-library
ACME2 low-level PHP library
This library has been built to be integrated into applications, not to be used as a standalone ACME client.
The ACME2 specs: https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html
Benefits:
- no dependencies on other packages, such as HTTP clients
- it ships with a built-in HTTP client (based on PHP streams), though any other PSR-7 compliant HTTP client can be used
- the PSR-7 implementation is heavily based on Slim, with some modifications
- it uses standard classes and arrays, no fancy data objects or sophisticated data models
- it does not take care of data storage; it is up to you to store credentials, orders and states
namespaces
acme
The Acme class is the manager for all requests: it carries the directory and the private key, fetches nonces, and is the interface between the resource objects and the HTTP client.
resources
You can create the objects yourself; this is useful if you have your own DI/container system:
The other way is to use the Acme object to retrieve the resource objects, which is more fluent:
account management
Before you can send any other request you must register an account; this is done by generating your private key and submitting the create call.
You have to store the private key PEM and the kid (key id) somewhere in your system.
account lookup
If you only have the PEM, the key id can be retrieved using the lookup method:
account deactivation
orders
create new order
create an order for a wildcard domain:
Note: for wildcard domains, Let's Encrypt supports DNS validation only.
get an existing order
example output:
authorization
Basically there are two ways to validate your orders: the first is to put the key authorization under a well-known path, the other is to provision a DNS TXT record with the authentication key.
Once you have done one of these steps, you have to tell the CA to verify the order; the verification is done either by querying the DNS record or by fetching the key authorization from the well-known path.
The authentication must be done for each identifier added to the order. Each authentication usually offers the DNS and the HTTP method; these are called challenges. For wildcard domains only the DNS challenge is supported.
Practically, only one challenge type needs to succeed to validate the identifier.
DNS challenge
The DNS TXT record where you have to put the auth key is named _acme-challenge, e.g.
_acme-challenge.example.org 300 IN TXT "w2toDKxcQx2N8zcu4HnDboT1FceHs7lupLMTXsPbXCQ".
You can put multiple TXT records with the same name there; this is needed if you are using a wildcard domain together with an alternative subject name for the domain name itself.
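The values involved in the account and challenge steps above (account key PEM, key authorization, the TXT value, and the body later served for the HTTP challenge) are defined by RFC 8555 section 8 and RFC 7638, not by this library, so they can be computed with plain PHP. The following is an added example written for this page; it is not code from mbretter/acme2-library, and it uses the README's example token only as sample input (the library's own resource objects will give you the token and build the JWS for you):

```php
<?php
// Added example (not part of mbretter/acme2-library): derive the challenge values
// for an RSA account key, following RFC 8555 section 8 and RFC 7638.
declare(strict_types=1);

// base64url without padding, as ACME requires everywhere.
function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Generate a 2048-bit RSA account key and return its PEM. This is the
// "private key PEM" the README tells you to store.
function generateAccountKeyPem(): string
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    if (!openssl_pkey_export($key, $pem)) {
        throw new RuntimeException('openssl_pkey_export failed: ' . openssl_error_string());
    }
    return $pem;
}

// RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON of the public key,
// members in lexicographic order ("e", "kty", "n"), no whitespace.
function rsaJwkThumbprint(string $pem): string
{
    $key = openssl_pkey_get_private($pem);
    if ($key === false) {
        throw new RuntimeException('cannot load account key: ' . openssl_error_string());
    }
    $details = openssl_pkey_get_details($key);
    // 'n' and 'e' are big-endian binary integers without leading zero bytes.
    $jwk = [
        'e'   => base64url($details['rsa']['e']),
        'kty' => 'RSA',
        'n'   => base64url($details['rsa']['n']),
    ];
    return base64url(hash('sha256', json_encode($jwk, JSON_UNESCAPED_SLASHES), true));
}

// Key authorization = token "." thumbprint (RFC 8555 section 8.1).
function keyAuthorization(string $token, string $thumbprint): string
{
    return $token . '.' . $thumbprint;
}

// dns-01: the TXT value is base64url(SHA-256(key authorization)), which is why the
// README's example record carries a 43-character digest rather than the token.
function dnsChallengeValue(string $keyAuth): string
{
    return base64url(hash('sha256', $keyAuth, true));
}

// http-01: the key authorization itself is served verbatim under the token path.
function httpChallengeResponse(string $token, string $thumbprint): array
{
    return [
        'path'         => '/.well-known/acme-challenge/' . $token,
        'content_type' => 'application/octet-stream',
        'body'         => keyAuthorization($token, $thumbprint),
    ];
}

// Usage: generate (and persist!) the key, then derive what each challenge needs.
$pem   = generateAccountKeyPem();
$thumb = rsaJwkThumbprint($pem);
$token = 'LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0'; // token from the README's example path
$keyAuth = keyAuthorization($token, $thumb);

echo "_acme-challenge.example.org 300 IN TXT \"" . dnsChallengeValue($keyAuth) . "\"\n";
print_r(httpChallengeResponse($token, $thumb));
```

Two things to take away: the thumbprint is bound to the account key, so a TXT record or well-known file computed for one key will never validate for another, and the DNS value is a digest of the key authorization, not the key authorization itself, while the HTTP body is the key authorization unchanged.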
HTTP challenge
When using HTTP challenges, you have to put the auth key under the path:
/.well-known/acme-challenge/<token>
/.well-known/acme-challenge/LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0
The token can be found inside the challenge data.
The Content-Type of the response must be application/octet-stream.
Important: the well-known path must be reachable over HTTP, not HTTPS, even if you have a valid certificate; otherwise you will have problems when renewing your certificate.
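Because a failed validation costs you a round trip to the CA (and, with rate limits, possibly more), it is worth checking what you have provisioned before telling the CA to verify. The following pre-flight check is an added example for this page, not part of mbretter/acme2-library; the domain, token and thumbprint below are placeholders you replace with your own, and the pure check functions are separated from the network wrappers so they can be exercised without DNS or a web server:

```php
<?php
// Added example (not part of mbretter/acme2-library): verify the DNS TXT record and
// the HTTP well-known response locally before asking the CA to validate.
declare(strict_types=1);

// Several TXT records may share the _acme-challenge name (wildcard plus the bare
// domain); the CA only needs one of them to carry the expected value.
function txtRecordPresent(array $txtValues, string $expected): bool
{
    return in_array($expected, $txtValues, true);
}

// The well-known response must be 200, application/octet-stream, and carry the
// key authorization byte-for-byte (a trailing newline from an editor is a
// classic cause of a failed challenge, so it is rejected here).
function httpChallengeResponseOk(int $status, array $headers, string $body, string $keyAuth): bool
{
    if ($status !== 200) {
        return false;
    }
    $contentType = '';
    foreach ($headers as $h) {
        if (stripos($h, 'Content-Type:') === 0) {
            // Keep the last one: after redirects, that is the final response's header.
            $contentType = strtolower(trim(substr($h, strlen('Content-Type:'))));
        }
    }
    return $contentType === 'application/octet-stream' && $body === $keyAuth;
}

// Network wrapper: TXT values currently published for the challenge name.
function liveDnsTxtValues(string $name): array
{
    $records = dns_get_record($name, DNS_TXT);
    if ($records === false) {
        return [];
    }
    return array_map(fn(array $r): string => $r['txt'], $records);
}

// Network wrapper: fetch over plain http:// on purpose (see the note above).
// Returns [final status code, all response header lines, body].
function liveHttpFetch(string $url): array
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'GET',
        'ignore_errors' => true, // we want the body and status even on 4xx/5xx
        'timeout'       => 10,
    ]]);
    $body    = @file_get_contents($url, false, $ctx);
    $headers = $http_response_header ?? [];
    $status  = 0;
    foreach ($headers as $h) {
        // One status line per hop; the last one is the final response.
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $h, $m)) {
            $status = (int)$m[1];
        }
    }
    return [$status, $headers, $body === false ? '' : $body];
}

// Usage with placeholders (replace with the values from your order/challenge data).
$domain     = 'example.org';                                    // placeholder domain
$token      = 'LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0';    // token from the README example
$keyAuth    = $token . '.<your-account-key-thumbprint>';        // placeholder thumbprint
$dnsValue   = rtrim(strtr(base64_encode(hash('sha256', $keyAuth, true)), '+/', '-_'), '=');

$dnsOk = txtRecordPresent(liveDnsTxtValues('_acme-challenge.' . $domain), $dnsValue);
[$status, $headers, $body] = liveHttpFetch('http://' . $domain . '/.well-known/acme-challenge/' . $token);
$httpOk = httpChallengeResponseOk($status, $headers, $body, $keyAuth);

echo 'dns-01 ready:  ' . ($dnsOk ? 'yes' : 'no') . "\n";
echo 'http-01 ready: ' . ($httpOk ? 'yes' : 'no') . "\n";
```

Run the DNS part from a host that resolves through public resolvers rather than your authoritative server, otherwise you may see the record before the CA's resolvers do; the HTTP part deliberately uses `http://` so that a server which only answers on 443, or redirects to a host without the file, shows up as a failure here instead of at the CA.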
finalize
ToDo
download the certificate
ToDo
renew
ToDo
ToDos
- EC keys