v1.26.0

Closes https://github.com/certd/certd/issues/200

.github/workflows/build-image.yml

@@ -0,0 +1,101 @@
+name: build-image
+on:
+  push:
+    branches: ['v2']
+    paths:
+      - "build.trigger"
+
+#  schedule:
+#    - # 国际时间 19:17 执行，北京时间3:17  ↙↙↙ 改成你想要每天自动执行的时间
+#    - cron: '17 19 * * *'
+permissions:
+  contents: read
+
+jobs:
+  build-certd-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: get_certd_version
+        id: get_certd_version
+        uses: actions/github-script@v6
+        with:
+          result-encoding: string
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const pnpmWorkspace = "./pnpm-workspace.yaml";
+            fs.unlinkSync(pnpmWorkspace)
+            const jsonFilePath = "./packages/ui/certd-server/package.json";
+            const jsonContent = fs.readFileSync(jsonFilePath, 'utf-8');
+            const pkg = JSON.parse(jsonContent)
+            console.log("certd_version:",pkg.version);
+            return pkg.version
+#      - name: Use Node.js
+#        uses: actions/setup-node@v4
+#        with:
+#          node-version: 18
+#          cache: 'npm'
+#        working-directory: ./packages/ui/certd-client
+      - run: |
+          npm install -g pnpm@8.15.7
+          pnpm install
+          npm run build
+        working-directory: ./packages/ui/certd-client
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to aliyun container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: registry.cn-shenzhen.aliyuncs.com
+          username: ${{ secrets.aliyun_cs_username }}
+          password: ${{ secrets.aliyun_cs_password }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.dockerhub_username }}
+          password: ${{ secrets.dockerhub_password }}
+
+      - name: Build default platforms
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: true
+          context: ./packages/ui/
+          tags: |
+            registry.cn-shenzhen.aliyuncs.com/handsfree/certd:latest
+            registry.cn-shenzhen.aliyuncs.com/handsfree/certd:${{steps.get_certd_version.outputs.result}}
+            greper/certd:latest
+            greper/certd:${{steps.get_certd_version.outputs.result}}
+
+      - name: Build armv7
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/arm/v7
+          push: true
+          context: ./packages/ui/
+          tags: |
+            registry.cn-shenzhen.aliyuncs.com/handsfree/certd:armv7
+            registry.cn-shenzhen.aliyuncs.com/handsfree/certd:${{steps.get_certd_version.outputs.result}}-armv7
+            greper/certd:armv7
+            greper/certd:${{steps.get_certd_version.outputs.result}}-armv7
+
+      - name: Build agent
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: true
+          context: ./packages/ui/agent/
+          tags: |
+            registry.cn-shenzhen.aliyuncs.com/handsfree/certd-agent:latest
+            registry.cn-shenzhen.aliyuncs.com/handsfree/certd-agent:${{steps.get_certd_version.outputs.result}}
+            greper/certd-agent:latest
+            greper/certd-agent:${{steps.get_certd_version.outputs.result}}

.github/workflows/deploy-demo.yml

@@ -0,0 +1,55 @@
+name: deploy-demo
+on:
+  push:
+    branches: ['v2']
+    paths:
+      - "deploy.trigger"
+  workflow_run:
+    workflows: [ "build-image" ]
+    types:
+      - completed
+
+#  schedule:
+#    - # 国际时间 19:17 执行，北京时间3:17  ↙↙↙ 改成你想要每天自动执行的时间
+#    - cron: '17 19 * * *'
+permissions:
+  contents: read
+
+jobs:
+  deploy-certd-demo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+      - name: get_certd_version
+        id: get_certd_version
+        uses: actions/github-script@v6
+        with:
+          result-encoding: string
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const jsonFilePath = "./packages/ui/certd-server/package.json";
+            const jsonContent = fs.readFileSync(jsonFilePath, 'utf-8');
+            const pkg = JSON.parse(jsonContent)
+            console.log("certd_version:",pkg.version);
+            return pkg.version
+      - uses: GuillaumeFalourd/wait-sleep-action@v1
+        with:
+          time: '10' # for 60 seconds
+      - name: Send HTTP request
+        id: request
+        uses: tyrrrz/action-http-request@master
+        with:
+          url: http://flow-openapi.aliyun.com/pipeline/webhook/lzCzlGrLCOHQaTMMt0mG
+          method: POST
+          headers: |
+            Content-Type: application/json
+          body: |
+            {
+              "CERTD_VERSION": "${{steps.get_certd_version.outputs.result}}"
+            }
+          retry-count: 3
+          retry-delay: 5000
+
+

.github/workflows/sync-to-gitee.yml

@@ -2,8 +2,6 @@ name: sync-to-gitee
 on:
   push:
     branches: ['v2']
-  pull_request:
-    branches: ['v2']
 #  schedule:
 #    - # 国际时间 19:17 执行，北京时间3:17  ↙↙↙ 改成你想要每天自动执行的时间
 #    - cron: '17 19 * * *'

.gitignore

@@ -1,3 +1,4 @@
+./packages/core/lego
 # IntelliJ project files
 .vscode/
 node_modules/
@@ -18,17 +19,13 @@ gen
 /*.log
 
 /packages/ui/*/.idea
-
 /packages/ui/*/node_modules
-
 /packages/*/node_modules
-/packages/ui/certd-server/tmp/
-/packages/ui/certd-ui/dist/
-/other
-/dev-sidecar-test
-/packages/core/certd/yarn.lock
-/packages/test
-/test/own
 /pnpm-lock.yaml
 
-docker/image/workspace
+
+tsconfig.tsbuildinfo
+test/**/*.js
+/packages/ui/certd-server/data/db.sqlite
+/packages/ui/certd-server/data/keys.yaml
+/packages/pro/

.npmrc

@@ -0,0 +1,2 @@
+link-workspace-packages=true
+prefer-workspace-packages=true

.prettierrc

@@ -0,0 +1,7 @@
+{
+  "printWidth": 160,
+  "bracketSpacing": true,
+  "singleQuote": true,
+  "trailingComma": "es5",
+  "arrowParens": "avoid"
+}

CHANGELOG.md

@@ -3,6 +3,473 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [1.26.0](https://github.com/certd/certd/compare/v1.25.9...v1.26.0) (2024-10-10)
+
+### Bug Fixes
+
+* 修复管理员编辑其他用户流水线任务时归属userid也被修改的bug ([e85c477](https://github.com/certd/certd/commit/e85c47744cf740b4af3b93dca7c2f0ccc818ec2f))
+* 修复历史记录根据流水线名称查询报错的bug ([ce9a986](https://github.com/certd/certd/commit/ce9a9862f122fce2186e7727eaa4b251b59e6032))
+* 修复某些代理情况下 报 400 The plain HTTP request was sent to HTTPS port use proxy 的bug ([a13203f](https://github.com/certd/certd/commit/a13203fb3f48c427d0d81a504912248dcc07df1a))
+
+### Features
+
+* 域名验证方法支持CNAME间接方式，此方式支持所有域名注册商，且无需提供Access授权，但是需要手动添加cname解析 ([f3d3508](https://github.com/certd/certd/commit/f3d35084ed44f9f33845f7045e520be5c27eed93))
+* 站点个性化设置 ([11a9fe9](https://github.com/certd/certd/commit/11a9fe9014d96cba929e5a066e78f2af7ae59d14))
+
+### Performance Improvements
+
+* 并行任务名称改成添加任务，取消并行，可以在同一个阶段获取上一个task的输出 ([c5e5877](https://github.com/certd/certd/commit/c5e58770d1c5edc19c6f9ea1618f44b68e091f35))
+* 调整静态资源到static目录 ([0584b36](https://github.com/certd/certd/commit/0584b3672b40f9042a2ed87e5627022606d046cd))
+* 调整全部静态资源到static目录 ([a218890](https://github.com/certd/certd/commit/a21889080d6c7ffdf0af526a3a21f0b2d1c77288))
+* 检查cname是否正确配置 ([b5d8935](https://github.com/certd/certd/commit/b5d8935159374fbe7fc7d4c48ae0ed9396861bdd))
+* 七牛云cdn支持配置多个域名 ([88d745e](https://github.com/certd/certd/commit/88d745e29063a089864fb9c6705be7b8d4c2669a))
+* 上传到主机插件支持注入环境变量 ([81fac73](https://github.com/certd/certd/commit/81fac736f9ccc8d1cda7ef4178752239cec20849))
+* 优化宝塔网站部署插件远程获取数据的提示 ([2a3ca9f](https://github.com/certd/certd/commit/2a3ca9f552d96594ec6690a1c4c91f598451b9a1))
+* 优化缩短首页缓存时间 ([49395e8](https://github.com/certd/certd/commit/49395e8cb65f4b30c0145329ed5de48be4ef3842))
+* 域名输入增加校验提示，避免输入错误的域名 ([0c8e83e](https://github.com/certd/certd/commit/0c8e83e1254a9ce4d5a4e7888eb1710394a4b77c))
+* cname校验配置增加未校验通过提示 ([77cc3c4](https://github.com/certd/certd/commit/77cc3c4a5cbd81f8233a8e0bb33fab0621c0905f))
+* google eab授权支持自动获取，不过要配置代理 ([592791d](https://github.com/certd/certd/commit/592791d1356fc252fbb70d7f168567aee9585507))
+
+## [1.25.9](https://github.com/certd/certd/compare/v1.25.8...v1.25.9) (2024-10-01)
+
+### Bug Fixes
+
+* 修复西部数码账户级别apikey不可用的bug ([f8f3e8b](https://github.com/certd/certd/commit/f8f3e8b43fd5d815887bcb53b95f46dc96424b79))
+
+### Performance Improvements
+
+* 增加等待插件 ([3ef0541](https://github.com/certd/certd/commit/3ef0541cc85ab6abf698ead3b258ae1ac156ef98))
+
+## [1.25.8](https://github.com/certd/certd/compare/v1.25.7...v1.25.8) (2024-09-30)
+
+### Bug Fixes
+
+* 修复pfxPassword无效的bug ([251e450](https://github.com/certd/certd/commit/251e450fabfe62405bac13e39f2153736c081ef0))
+
+### Performance Improvements
+
+* 群晖获取deviceid优化 ([8d42273](https://github.com/certd/certd/commit/8d4227366548eb70f6bc04303829e6933168f906))
+
+## [1.25.7](https://github.com/certd/certd/compare/v1.25.6...v1.25.7) (2024-09-29)
+
+### Bug Fixes
+
+* 修复某些地区被屏蔽无法激活专业版的bug ([7532a96](https://github.com/certd/certd/commit/7532a960851b84d4f2cc3dba02353c5235e1a364))
+
+### Performance Improvements
+
+* 上传到主机，支持socks代理 ([d91026d](https://github.com/certd/certd/commit/d91026dc4fbfe5fedc4ee8e43dc0d08f1cf88356))
+* 支持上传到七牛云oss ([bf024bd](https://github.com/certd/certd/commit/bf024bdda8bc2a463475be5761acf0da7317a08a))
+
+## [1.25.6](https://github.com/certd/certd/compare/v1.25.5...v1.25.6) (2024-09-29)
+
+### Bug Fixes
+
+* 修复中间证书复制错误的bug ([76e86ea](https://github.com/certd/certd/commit/76e86ea283ecbe4ec76cdc92b98457d0fef544ac))
+
+### Performance Improvements
+
+* 部署支持1Panel ([d047234](https://github.com/certd/certd/commit/d047234d98d31504f2e5a472b66e1b75806af26e))
+* 增加使用教程 ([9d9c021](https://github.com/certd/certd/commit/9d9c0218195af5b9896cce7109b26a433480571d))
+
+## [1.25.5](https://github.com/certd/certd/compare/v1.25.4...v1.25.5) (2024-09-26)
+
+**Note:** Version bump only for package root
+
+## [1.25.4](https://github.com/certd/certd/compare/v1.25.3...v1.25.4) (2024-09-25)
+
+### Bug Fixes
+
+* 修复启动报授权验证失败的bug ([3460d3d](https://github.com/certd/certd/commit/3460d3ddca222ea702816ab805909d489eff957f))
+
+## [1.25.3](https://github.com/certd/certd/compare/v1.25.2...v1.25.3) (2024-09-24)
+
+### Bug Fixes
+
+* 修复upload to host trim错误 ([0f0ddb9](https://github.com/certd/certd/commit/0f0ddb9c5963fd643d6d203334efac471c43ec3b))
+
+## [1.25.2](https://github.com/certd/certd/compare/v1.25.1...v1.25.2) (2024-09-24)
+
+**Note:** Version bump only for package root
+
+## [1.25.1](https://github.com/certd/certd/compare/v1.25.0...v1.25.1) (2024-09-24)
+
+**Note:** Version bump only for package root
+
+# [1.25.0](https://github.com/certd/certd/compare/v1.24.4...v1.25.0) (2024-09-24)
+
+### Bug Fixes
+
+* 修复首次创建任务运行时不自动设置当前运行情况的bug ([ecd83ee](https://github.com/certd/certd/commit/ecd83ee136abdd3df9ed2f21ec2ff0f24c0ed9d9))
+
+### Features
+
+* 账号绑定 ([e046640](https://github.com/certd/certd/commit/e0466409d0c021bb415abd94df448c8a0d4799e9))
+* 支持中间证书 ([e86756e](https://github.com/certd/certd/commit/e86756e4c65a53dd23106d7ecbfe2fa987cc13f3))
+* 支持vip转移 ([361e8fe](https://github.com/certd/certd/commit/361e8fe7ae5877e23fd5de31bc919bedd09c57f5))
+
+### Performance Improvements
+
+* 群晖支持OTP双重验证登录 ([8b8039f](https://github.com/certd/certd/commit/8b8039f42bbce10a4d0e737cdeeeef9bb17bee5a))
+* 任务支持禁用 ([8ed16b3](https://github.com/certd/certd/commit/8ed16b3ea2dfe847357863a0bfa614e4fa5fc041))
+* 优化收件邮箱输入 ([22ef28f](https://github.com/certd/certd/commit/22ef28f6338a78465bd52ccbad13e66e80263b2f))
+* 优化主机登录失败提示 ([9de77b3](https://github.com/certd/certd/commit/9de77b327d39cff5ed6660ec53b58ba0eea18e5a))
+* 增加重启certd插件 ([48238d9](https://github.com/certd/certd/commit/48238d929e6c4afa1d428e4d35b9159d37a47ae0))
+* 证书支持旧版RSA，pkcs1 ([3d9c3ec](https://github.com/certd/certd/commit/3d9c3ecb3eb604b2458154f608bde0f01915d116))
+* 支持阿里云ACK证书部署 ([d331fea](https://github.com/certd/certd/commit/d331fea47789122650e057ec7c9e85ee8e66f09b))
+* 支持七牛云 ([8ecc2f9](https://github.com/certd/certd/commit/8ecc2f9446a9ebd11b9bfbffbb6cf7812a043495))
+* 支持k8s ingress secret ([e5a5d0a](https://github.com/certd/certd/commit/e5a5d0a607bb6b4e1a1f7a1a419bada5f2dee59f))
+* http请求增加默认超时时间 ([664bd86](https://github.com/certd/certd/commit/664bd863e5b4895aabe2384277c0c65f5902fdb2))
+* plugins增加图标 ([a8da658](https://github.com/certd/certd/commit/a8da658a9723342b4f43a579f7805bfef0648efb))
+
+## [1.24.4](https://github.com/certd/certd/compare/v1.24.3...v1.24.4) (2024-09-09)
+
+### Bug Fixes
+
+* 修复腾讯云cdn证书部署后会自动关闭hsts，http2.0等配置的bug ([7908ab7](https://github.com/certd/certd/commit/7908ab79da624c94fa05849925b15e480e3317c4))
+* 修复腾讯云tke证书部署报错的bug ([653f409](https://github.com/certd/certd/commit/653f409d91a441850d6381f89a8dd390831f0d5e))
+
+### Performance Improvements
+
+* 插件选择支持搜索 ([d1498a7](https://github.com/certd/certd/commit/d1498a71601b74d38343b1d070eadd03705dd9d5))
+* 前置任务步骤增加错误提示 ([ae3daa9](https://github.com/certd/certd/commit/ae3daa9bcf4fc363825aad9b77f5d3879aeeff70))
+* 群晖部署教程 ([0f0af2f](https://github.com/certd/certd/commit/0f0af2f309390f388e7a272cea3a1dd30c01977d))
+* 支持群晖 ([5c270b6](https://github.com/certd/certd/commit/5c270b6b9d45a2152f9fdb3c07bd98b7c803cb8e))
+
+## [1.24.3](https://github.com/certd/certd/compare/v1.24.2...v1.24.3) (2024-09-06)
+
+### Performance Improvements
+
+* 支持多吉云cdn证书部署 ([65ef685](https://github.com/certd/certd/commit/65ef6857296784ca765926e09eafcb6fc8b6ecde))
+
+## [1.24.2](https://github.com/certd/certd/compare/v1.24.1...v1.24.2) (2024-09-06)
+
+### Bug Fixes
+
+* 修复复制流水线出现的各种问题 ([6314e8d](https://github.com/certd/certd/commit/6314e8d7eb58cd52e2a7bd3b5ffb9112b0b69577))
+* 修复windows下无法执行第二条命令的bug ([71ac8aa](https://github.com/certd/certd/commit/71ac8aae4aa694e1a23761e9761c9fba30b43a21))
+
+### Performance Improvements
+
+* 阶段、任务、步骤全面支持拖动排序 ([bd73a16](https://github.com/certd/certd/commit/bd73a163cd0497f062bd424ddc6bc9bbc95f81ea))
+* 任务配置不需要的字段可以自动隐藏 ([192d9dc](https://github.com/certd/certd/commit/192d9dc7e36737d684c769f255f407c28b1152ac))
+* 任务支持拖动排序 ([1e9b563](https://github.com/certd/certd/commit/1e9b5638aa36a8ce70019a9c750230ba41938327))
+* 西部数据支持用户级的apikey ([1c17b41](https://github.com/certd/certd/commit/1c17b41e160944b073e1849e6f9467c3659a4bfc))
+* 修复windows下无法执行第二条命令的bug ([d5bfcdb](https://github.com/certd/certd/commit/d5bfcdb6de1dcc1702155442e2e00237d0bbb6e5))
+* 优化跳过处理逻辑 ([b80210f](https://github.com/certd/certd/commit/b80210f24bf5db1c958d06ab27c9e5d3db452eda))
+* 支持阿里云oss ([87a2673](https://github.com/certd/certd/commit/87a2673e8c33dff6eda1b836d92ecc121564ed78))
+* 支持西部数码DNS ([c59cab1](https://github.com/certd/certd/commit/c59cab1aaeb19f86df8e3e0d8127cbd0a9ef77f3))
+* 支持pfx、der ([fbeaed2](https://github.com/certd/certd/commit/fbeaed203519f59b6d9396c4e8953353ccb5e723))
+* client 请求超时时间延长为10s ([ff46771](https://github.com/certd/certd/commit/ff46771d8dd43e71c1ca70e3ba783945750342cc))
+
+## [1.24.1](https://github.com/certd/certd/compare/v1.24.0...v1.24.1) (2024-09-02)
+
+### Bug Fixes
+
+* 激活仅限管理员 ([1c17970](https://github.com/certd/certd/commit/1c17970b981f0987c506744ee6b2283fd5e40493))
+* 修复在没有勾选使用代理的情况下，仍然会使用代理的bug ([0f66794](https://github.com/certd/certd/commit/0f6679425f6a736bb0128527dd99c085fac17d84))
+
+### Performance Improvements
+
+* 部署插件支持宝塔、易盾云等 ([ee61709](https://github.com/certd/certd/commit/ee617095efa1171548cf52fd45f0f98a368555a3))
+* 授权配置支持加密 ([42a56b5](https://github.com/certd/certd/commit/42a56b581d754c3e5f9838179d19ab0d004ef2eb))
+* 优化内存占用 ([db61033](https://github.com/certd/certd/commit/db6103363364440b650bc10bb334834e4a9470c7))
+* 支持阿里云 DCDN ([98b77f8](https://github.com/certd/certd/commit/98b77f80843834616fb26f83b4c42245326abd06))
+* 支持已跳过的步骤重新运行 ([ea775ad](https://github.com/certd/certd/commit/ea775adae18d57a04470cfba6b9460d761d74035))
+* 支持cdnfly ([724a850](https://github.com/certd/certd/commit/724a85028b4a7146c9e3b4df4497dcf2a7bf7c67))
+* 支持ftp上传 ([b9bddbf](https://github.com/certd/certd/commit/b9bddbfabb5664365f1232e9432532187c98006c))
+
+# [1.24.0](https://github.com/certd/certd/compare/v1.23.1...v1.24.0) (2024-08-25)
+
+### Bug Fixes
+
+* 部署到腾讯云cdn选择证书任务步骤限制只能选证书 ([3345c14](https://github.com/certd/certd/commit/3345c145b802170f75a098a35d0c4b8312efcd17))
+* 修复成功后跳过之后丢失腾讯云证书id的bug ([37eb762](https://github.com/certd/certd/commit/37eb762afe25c5896b75dee25f32809f8426e7b7))
+* 修复创建流水线后立即运行时报no id错误的bug ([17ead54](https://github.com/certd/certd/commit/17ead547aab25333603980304aa3aad3db1f73d5))
+* 修复使用代理的情况下申请证书失败的bug ([95122e2](https://github.com/certd/certd/commit/95122e28609333f4df55c266e5434897954c0fb3))
+* 修复执行日志没有清理的bug ([22a3363](https://github.com/certd/certd/commit/22a336370a88a7df2a23c967043bae153da71ed5))
+* 修复重置密码参数配置后无效的bug ([e358a88](https://github.com/certd/certd/commit/e358a8869696578687306e4cd0dcda53f898fe13))
+* 修复ssh无法连接成功，无法执行命令的bug ([41b9837](https://github.com/certd/certd/commit/41b9837582323fb400ef8525ce65e8b37ad4b36f))
+
+### Features
+
+* 支持ECC类型 ([a7424e0](https://github.com/certd/certd/commit/a7424e02f5c7e02ac1688791040785920ce67473))
+* 支持google证书申请（需要使用代理） ([a593056](https://github.com/certd/certd/commit/a593056e79e99dd6a74f75b5eab621af7248cfbe))
+
+### Performance Improvements
+
+* 更新k8s底层api库 ([746bb9d](https://github.com/certd/certd/commit/746bb9d385e2f397daef4976eca1d4782a2f5ebd))
+* 优化成功后跳过的提示 ([7b451bb](https://github.com/certd/certd/commit/7b451bbf6e6337507f4627b5a845f5bd96ab4f7b))
+* 优化证书申请成功率 ([968c469](https://github.com/certd/certd/commit/968c4690a07f69c08dcb3d3a494da4e319627345))
+* 优化dnspod的token id 说明 ([790bf11](https://github.com/certd/certd/commit/790bf11af06d6264ef74bc1bb919661f0354239a))
+* email proxy ([453f1ba](https://github.com/certd/certd/commit/453f1baa0b9eb0f648aa1b71ccf5a95b202ce13f))
+
+## [1.23.1](https://github.com/certd/certd/compare/v1.23.0...v1.23.1) (2024-08-06)
+
+### Bug Fixes
+
+* 修复模糊查询无效的bug ([9355917](https://github.com/certd/certd/commit/93559174c780173f0daec7cdbd1f72f8d5c504d5))
+
+### Performance Improvements
+
+* 优化插件字段的default value ([24c7be2](https://github.com/certd/certd/commit/24c7be2c9cb39c14f7a97b674127c88033280b02))
+* 优化默认值设置 ([1af19f0](https://github.com/certd/certd/commit/1af19f0ac053fe109782882964533636b5969d6b))
+
+# [1.23.0](https://github.com/certd/certd/compare/v1.22.9...v1.23.0) (2024-08-05)
+
+### Bug Fixes
+
+* 修复环境变量多个下划线不生效的bug ([7ec2218](https://github.com/certd/certd/commit/7ec2218c9fee5bee2bf0aa31f3e3a4301575f247))
+
+### Features
+
+* use node 20 ([e8ed972](https://github.com/certd/certd/commit/e8ed97206bf28e83f942db2ef4ea07fa76fd3567))
+
+## [1.22.9](https://github.com/certd/certd/compare/v1.22.8...v1.22.9) (2024-08-05)
+
+### Performance Improvements
+
+* 优化定时任务 ([87e440e](https://github.com/certd/certd/commit/87e440ee2a8b10dc571ce619f28bc83c1e5eb147))
+
+## [1.22.8](https://github.com/certd/certd/compare/v1.22.7...v1.22.8) (2024-08-05)
+
+### Performance Improvements
+
+* 修复删除历史记录没有删除log的bug，新增history管理页面，演示站点启动时不自动启动非管理员用户的定时任务 ([f78ae93](https://github.com/certd/certd/commit/f78ae93eedfe214008c3d071ca3d77c962137a64))
+* 优化pipeline删除时，删除其他history ([b425203](https://github.com/certd/certd/commit/b4252033d56a9ad950f3e204ff021497c3978015))
+
+## [1.22.7](https://github.com/certd/certd/compare/v1.22.6...v1.22.7) (2024-08-04)
+
+### Bug Fixes
+
+* 修复保存配置报id不能为空的bug ([367f807](https://github.com/certd/certd/commit/367f80731396003416665c22853dfbc09c2c03a0))
+
+## [1.22.6](https://github.com/certd/certd/compare/v1.22.5...v1.22.6) (2024-08-03)
+
+### Bug Fixes
+
+* 修复在相同的cron时偶尔无法触发定时任务的bug ([680941a](https://github.com/certd/certd/commit/680941af119619006b592e3ab6fb112cb5556a8b))
+* 修复pg下pipeline title 类型问题 ([a9717b9](https://github.com/certd/certd/commit/a9717b9a0df7b5a64d4fe03314fecad4f59774cc))
+
+### Performance Improvements
+
+* 流水线支持名称模糊查询 ([59897c4](https://github.com/certd/certd/commit/59897c4ceae992ebe2972ca9e8f9196616ffdfd7))
+* 腾讯云clb支持更多大区选择 ([e4f4570](https://github.com/certd/certd/commit/e4f4570b29f26c60f1ee9660a4c507cbeaba3d7e))
+* 优化前置任务输出为空的提示 ([6ed1e18](https://github.com/certd/certd/commit/6ed1e18c7d9c46d964ecc6abc90f3908297b7632))
+
+## [1.22.5](https://github.com/certd/certd/compare/v1.22.4...v1.22.5) (2024-07-26)
+
+### Bug Fixes
+
+* 修复用户管理无法添加用户的bug ([e7e89b8](https://github.com/certd/certd/commit/e7e89b8de7386e84c0d6b8e217e2034909657d68))
+
+## [1.22.4](https://github.com/certd/certd/compare/v1.22.3...v1.22.4) (2024-07-26)
+
+### Performance Improvements
+
+* 证书申请支持反向代理，letsencrypt无法访问时的备用方案 ([b7b5df0](https://github.com/certd/certd/commit/b7b5df0587e0f7ea288c1b2af6f87211f207395f))
+* 支持arm64 ([fa14f87](https://github.com/certd/certd/commit/fa14f87a8093ef3addc5e5f3315ce1bfc9982782))
+
+## [1.22.3](https://github.com/certd/certd/compare/v1.22.2...v1.22.3) (2024-07-25)
+
+### Bug Fixes
+
+* lege 无执行权限问题 ([338eb3b](https://github.com/certd/certd/commit/338eb3bdfeb461e9b3bc7eee97b97a59f5642ffe))
+
+## [1.22.2](https://github.com/certd/certd/compare/v1.22.1...v1.22.2) (2024-07-23)
+
+### Bug Fixes
+
+* 修复创建流水线时，无法根据dns类型默认正确的dns授权的bug ([a2c43b5](https://github.com/certd/certd/commit/a2c43b50a6069ed48958fd142844a8568c2af452))
+
+## [1.22.1](https://github.com/certd/certd/compare/v1.22.0...v1.22.1) (2024-07-20)
+
+### Performance Improvements
+
+* 创建证书任务可以选择lege插件 ([affef13](https://github.com/certd/certd/commit/affef130378030c517250c58a4e787b0fc85d7d1))
+* 创建证书任务增加定时任务和邮件通知输入 ([427620d](https://github.com/certd/certd/commit/427620d34f3b8ad6933005faf1878908441a2453))
+* 支持配置启动后自动触发一次任务 ([a5a0c1f](https://github.com/certd/certd/commit/a5a0c1f6e7a3f05e581005e491d5b102ee854412))
+
+# [1.22.0](https://github.com/certd/certd/compare/v1.21.2...v1.22.0) (2024-07-19)
+
+### Features
+
+* 升级midway，支持esm ([485e603](https://github.com/certd/certd/commit/485e603b5165c28bc08694997726eaf2a585ebe7))
+* 支持lego，海量DNS提供商 ([0bc6d0a](https://github.com/certd/certd/commit/0bc6d0a211920fb0084d705e1db67ee1e7262c44))
+* 支持postgresql ([3b19bfb](https://github.com/certd/certd/commit/3b19bfb4291e89064b3b407a80dae092d54747d5))
+
+### Performance Improvements
+
+* 优化一些小细节 ([b168852](https://github.com/certd/certd/commit/b1688525dbbbfd67e0ab1cf5b4ddfbe9d394f370))
+* 增加备案号设置 ([bd3d959](https://github.com/certd/certd/commit/bd3d959944db63a5690b55ee150e1007133868b9))
+* 自动生成jwtkey，无需手动配置 ([390e485](https://github.com/certd/certd/commit/390e4853a570390a97df6a3b3882579f9547eeb4))
+
+## [1.21.2](https://github.com/certd/certd/compare/v1.21.1...v1.21.2) (2024-07-08)
+
+### Performance Improvements
+
+* 申请证书时可以选择跳过本地dns校验 ([fe91d94](https://github.com/certd/certd/commit/fe91d94090d22ed0a3ea753ba74dfaa1bf057c17))
+
+## [1.21.1](https://github.com/certd/certd/compare/v1.21.0...v1.21.1) (2024-07-08)
+
+### Performance Improvements
+
+* 上传到主机，支持设置不mkdirs ([5ba9831](https://github.com/certd/certd/commit/5ba9831ed1aa6ec6057df246f1035b36b9c41d2e))
+* 说明优化，默认值优化 ([970c7fd](https://github.com/certd/certd/commit/970c7fd8a0f557770e973d8462ee5684ef742810))
+
+# [1.21.0](https://github.com/certd/certd/compare/v1.20.17...v1.21.0) (2024-07-03)
+
+### Features
+
+* 支持zero ssl ([eade2c2](https://github.com/certd/certd/commit/eade2c2b681569f03e9cd466e7d5bcd6703ed492))
+
+## [1.20.17](https://github.com/certd/certd/compare/v1.20.16...v1.20.17) (2024-07-03)
+
+### Performance Improvements
+
+* 创建dns解析后，强制等待60s ([f47b35f](https://github.com/certd/certd/commit/f47b35f6d5bd7d675005c3e286b7e9a029201f8b))
+* 文件上传提示由cert.crt改为cert.pem ([a09b0e4](https://github.com/certd/certd/commit/a09b0e48c176f3ed763791bd50322c29729f7c1c))
+* 优化cname verify ([eba333d](https://github.com/certd/certd/commit/eba333de7a5b5ef4b0b7eaa904f578720102fa61))
+
+## [1.20.16](https://github.com/certd/certd/compare/v1.20.15...v1.20.16) (2024-07-01)
+
+### Bug Fixes
+
+* 修复配置了cdn cname后申请失败的bug ([4a5fa76](https://github.com/certd/certd/commit/4a5fa767edc347d03d29a467e86c9a4d70b0220c))
+
+## [1.20.15](https://github.com/certd/certd/compare/v1.20.14...v1.20.15) (2024-06-28)
+
+### Bug Fixes
+
+* 修复无法强制取消任务的bug ([9cc01db](https://github.com/certd/certd/commit/9cc01db1d569a5c45bb3e731f35d85df324a8e62))
+
+### Performance Improvements
+
+* 腾讯云dns provider 支持腾讯云的accessId ([e0eb3a4](https://github.com/certd/certd/commit/e0eb3a441384d474fe2923c69b25318264bdc9df))
+* 支持windows文件上传 ([7f61cab](https://github.com/certd/certd/commit/7f61cab101fa13b4e88234e9ad47434e6130fed2))
+
+## [1.20.14](https://github.com/certd/certd/compare/v1.20.13...v1.20.14) (2024-06-23)
+
+### Bug Fixes
+
+* 修复修改密码功能异常问题 ([f740ff5](https://github.com/certd/certd/commit/f740ff517f521dce361284c2c54bccc68aee0ea2))
+
+## [1.20.13](https://github.com/certd/certd/compare/v1.20.12...v1.20.13) (2024-06-18)
+
+### Bug Fixes
+
+* 日志高度越界 ([c4c9adb](https://github.com/certd/certd/commit/c4c9adb8bfd513f57252e523794e3799a9b220f8))
+* 修复邮箱设置页面SMTP拼写错误的问题 ([b98f1c0](https://github.com/certd/certd/commit/b98f1c0dd0bc6c6b4f814c578692afdf6d90b88d))
+* 修复logo问题 ([7e483e6](https://github.com/certd/certd/commit/7e483e60913d509b113148c735fe13ba1d72dddf))
+
+### Performance Improvements
+
+* 增加警告，修复一些样式错乱问题 ([fd54c2f](https://github.com/certd/certd/commit/fd54c2ffac492222e85ff2f5f49a9ee5cfc73588))
+* ssh登录支持openssh格式私钥、支持私钥密码 ([5c2c508](https://github.com/certd/certd/commit/5c2c50839a9076004f9034d754ac6deb531acdfb))
+
+## [1.20.12](https://github.com/certd/certd/compare/v1.20.10...v1.20.12) (2024-06-17)
+
+### Bug Fixes
+
+* 修复aliyun域名超过100个找不到域名的bug ([5b1494b](https://github.com/certd/certd/commit/5b1494b3ce93d1026dc56ee741342fbb8bf7be24))
+
+### Performance Improvements
+
+* 增加系统设置，可以关闭自助注册功能 ([20feace](https://github.com/certd/certd/commit/20feacea12d43386540db6a600f391d786be4014))
+* 增加cloudflare access token说明 ([934e6e2](https://github.com/certd/certd/commit/934e6e2bd05387cd50ffab95f230933543954098))
+* 支持重置管理员密码，忘记密码的补救方案 ([732cbc5](https://github.com/certd/certd/commit/732cbc5e927b526850724594830392b2f10c6705))
+* 支持cloudflare域名 ([fbb9a47](https://github.com/certd/certd/commit/fbb9a47e8f7bb805289b9ee64bd46ffee0f01c06))
+
+## [1.20.10](https://github.com/certd/certd/compare/v1.20.9...v1.20.10) (2024-05-30)
+
+### Bug Fixes
+
+* 增加权限相关helper说明 ([83e4083](https://github.com/certd/certd/commit/83e40836ebff10bec60efe8933183e1ba1c22bf9))
+* 增加权限相关helper说明 ([4304c94](https://github.com/certd/certd/commit/4304c9443ad9248f63dd6d8c512d8d6f32f90d37))
+
+### Performance Improvements
+
+* 上传到主机插件支持复制到本机路径 ([92446c3](https://github.com/certd/certd/commit/92446c339936f98f08f654b8971a7393d8435224))
+* 优化文件下载包名 ([d9eb927](https://github.com/certd/certd/commit/d9eb927b0a1445feab08b1958aa9ea80637a5ae6))
+* 增加任务复制功能 ([39ad759](https://github.com/certd/certd/commit/39ad7597fa0e19cc1f7631bbd6fea0a9e05a62c9))
+
+## [1.20.9](https://github.com/certd/certd/compare/v1.20.8...v1.20.9) (2024-03-22)
+
+**Note:** Version bump only for package root
+
+## [1.20.8](https://github.com/certd/certd/compare/v1.20.7...v1.20.8) (2024-03-22)
+
+**Note:** Version bump only for package root
+
+## [1.20.7](https://github.com/certd/certd/compare/v1.20.6...v1.20.7) (2024-03-22)
+
+**Note:** Version bump only for package root
+
+## [1.20.6](https://github.com/certd/certd/compare/v1.20.5...v1.20.6) (2024-03-21)
+
+### Bug Fixes
+
+* 调整按钮图标到居中位置 ([836d18f](https://github.com/certd/certd/commit/836d18f07e22d00faf2f213bc3301a6672b5bafc))
+
+### Performance Improvements
+
+* 插件贡献文档及示例 ([72fb20a](https://github.com/certd/certd/commit/72fb20abf3ba5bdd862575d2907703a52fd7eb17))
+
+## [1.20.5](https://github.com/certd/certd/compare/v1.20.2...v1.20.5) (2024-03-11)
+
+### Bug Fixes
+
+* 修复腾讯云cdn部署无法选择端点的bug ([154409b](https://github.com/certd/certd/commit/154409b1dfee3ea1caae740ad9c1f99a6e7a9814))
+
+## [1.20.2](https://github.com/certd/certd/compare/v1.2.1...v1.20.2) (2024-02-28)
+
+### Bug Fixes
+
+* 临时修复阿里云domainlist接口返回域名列表不全的问题，后续还需要增加翻页查询 ([849c145](https://github.com/certd/certd/commit/849c145926984762bd9dbec87bd91cd047fc0855))
+
+## [1.2.1](https://github.com/certd/certd/compare/v1.2.0...v1.2.1) (2023-12-12)
+
+### Bug Fixes
+
+* 修复邮箱设置无效的bug ([aaa3224](https://github.com/certd/certd/commit/aaa322464d0f65e924d1850995540d396ee24d25))
+
+**Note:** Version bump only for package root
+
+# [1.2.0](https://github.com/certd/certd/compare/v1.1.6...v1.2.0) (2023-10-27)
+
+* 🔱: [client] sync upgrade with 2 commits [trident-sync] ([aa3207f](https://github.com/certd/certd/commit/aa3207fca5f15f7c3da789989d99c8ae7d1c4551))
+
+### BREAKING CHANGES
+
+* search支持自定义布局，search.layout、search.collapse转移到 search.container之下。如果想使用原来的search组件，请配置search.is=fs-search-v1
+
+## [1.1.6](https://github.com/certd/certd/compare/v1.1.5...v1.1.6) (2023-07-10)
+
+### Bug Fixes
+
+* 修复上传证书到腾讯云失败的bug ([e950322](https://github.com/certd/certd/commit/e950322232e19d1263b8552eefa5b0150fd7864e))
+
+## [1.1.5](https://github.com/certd/certd/compare/v1.1.4...v1.1.5) (2023-07-03)
+
+**Note:** Version bump only for package root
+
+## [1.1.4](https://github.com/certd/certd/compare/v1.1.3...v1.1.4) (2023-07-03)
+
+### Bug Fixes
+
+* 成功图标转动的问题 ([f87eee3](https://github.com/certd/certd/commit/f87eee3b9ff1ef9874e79a81fe0ed7104cb9ee8c))
+
+### Performance Improvements
+
+* cancel task ([bc65c0a](https://github.com/certd/certd/commit/bc65c0a786360c087fe95cad93ec6a87804cc5ee))
+* flush log ([891a43a](https://github.com/certd/certd/commit/891a43ae6716ff98ed06643f7da2e35199ee195c))
+* flush logger ([91be682](https://github.com/certd/certd/commit/91be6826b902e0f302b1a6cbdb1d24e15914c18d))
+* timeout ([3eeb1f7](https://github.com/certd/certd/commit/3eeb1f77aa2922f3545f3d2067f561d95621d54f))
+
+## [1.1.3](https://github.com/certd/certd/compare/v1.1.2...v1.1.3) (2023-07-03)
+
+**Note:** Version bump only for package root
+
 ## [1.1.2](https://github.com/certd/certd/compare/v1.1.1...v1.1.2) (2023-07-03)
 
 **Note:** Version bump only for package root

LICENSE.md

@@ -0,0 +1,32 @@
+
+                    Certd Open Source License
+                  
+
+- This project is licensed under the **GNU Affero General Public License (AGPL)** with the following additional terms.  
+- 本项目遵循 GNU Affero General Public License（AGPL），并附加以下条款。
+
+## 1. License Terms ( 许可证条款 )
+
+1. **Freedom to Use** (自由使用)
+   - You are free to use, copy, modify, and distribute the source code of this project for personal or organizational use, provided that you comply with the terms of this license.
+   - 您可以自由使用、复制、修改和分发本项目的源代码，前提是您遵循本许可证的条款。
+
+2. **Modification for Personal Use** (个人使用的修改)
+   - Individuals and companies are allowed to modify the project according to their needs for non-commercial purposes. However, modifications to the logo, copyright information, or any code related to licensing are strictly prohibited.
+   - 个人和公司允许根据自身需求对本项目进行修改以供非商业用途。但任何对logo、版权信息或与许可相关代码的修改都是严格禁止的。
+
+3. **Commercial Authorization** (商业授权)
+   - If you wish to make any form of monetary gain from this project, you must first obtain commercial authorization from the original author. Users should contact the author directly to negotiate the relevant licensing terms.
+   - 如果您希望从本项目获得任何形式的经济收益，您必须首先从原作者处获得商业授权，用户应直接与作者联系，以协商相关许可条款。
+ 
+4. **Retention of Rights** (保留权利)
+   - All rights, title, and interest in the project remain with the original author.
+   - 本项目的所有权利、标题和利益仍归原作者所有。
+
+## 2. As a contributor ( 作为贡献者 )
+   - you should agree that your contributed code:
+   - 您应同意您贡献的代码：
+     1. - The original author can adjust the open-source agreement to be more strict or relaxed.
+        - 原作者可以调整开源协议以使其更严格或更宽松。
+     2. - Can be used for commercial purposes.
+        - 可用于商业用途。

README.md

@@ -1,140 +1,257 @@
-# CertD
+# Certd
 
-CertD 是一个帮助你全自动申请和部署SSL证书的工具。       
-后缀D取自linux守护进程的命名风格，意为证书守护进程。    
+Certd 是一个免费全自动申请和自动部署更新SSL证书的工具。       
+后缀d取自linux守护进程的命名风格，意为证书守护进程。    
 
-## 特性
-本项目不仅支持证书申请过程自动化，还可以自动化部署证书，让你的证书永不过期。     
+关键字：证书自动申请、证书自动更新、证书自动续期、证书自动续签
 
-* 全自动申请证书（支持阿里云、腾讯云、华为云注册的域名）
-* 全自动部署证书（目前支持服务器上传部署、阿里云、腾讯云等）
-* 支持通配符域名
-* 支持多个域名打到一个证书上
 
-## 免费证书申请说明
+## 一、特性
+本项目不仅支持证书申请过程自动化，还可以自动化部署更新证书，让你的证书永不过期。     
+
+* 全自动申请证书（支持阿里云、腾讯云、华为云、Cloudflare等各种途径注册的域名）
+* 全自动部署更新证书（目前支持部署到主机、部署到阿里云、腾讯云等）
+* 支持通配符域名/泛域名，支持多个域名打到一个证书上
+* 邮件通知
+* 私有化部署，保障安全
+* 免费、免费、免费（[阿里云单个通配符域名证书最便宜也要1800/年](https://yundun.console.aliyun.com/?p=cas#/certExtend/buy/cn-hangzhou)）
+
+
+## 二、在线体验
+
+官方Demo地址，自助注册后体验    
+
+https://certd.handsfree.work/
+
+> 注意数据将不定期清理，不定期停止定时任务，生产使用请自行部署    
+> 包含敏感信息，务必自己本地部署进行生产使用
+
+## 三、使用教程
+本案例演示，如何配置自动申请证书，并部署到阿里云CDN，然后快要到期前自动更新证书并重新部署     
+
+![演示](packages/ui/certd-client/public/statics/doc/images/5-view.png)
+![演示](packages/ui/certd-client/public/statics/doc/images/9-start.png)
+![演示](packages/ui/certd-client/public/statics/doc/images/10-1-log.png)
+![演示](packages/ui/certd-client/public/statics/doc/images/13-3-download.png)
+![演示](packages/ui/certd-client/public/statics/doc/images/13-1-result.png)
+
+↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓      
+-------> [点我查看详细使用步骤演示](./step.md)   <--------      
+↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑     
+
+当前支持的部署插件列表
+![演示](./doc/images/plugins.png)
+
+## 四、私有化部署
+
+由于证书、授权信息等属于高度敏感数据，请务必私有化部署，保障数据安全
+
+### 4.1 宝塔面板一键部署
+
+1. 安装宝塔面板，前往 [宝塔面板](https://www.bt.cn/u/CL3JHS) 官网，选择9.2.0以上正式版的脚本下载安装
+
+2. 安装后登录宝塔面板，在菜单栏中点击 Docker，首次进入会提示安装Docker服务，点击立即安装，按提示完成安装
+
+3. 安装完成后在应用商店中找到`certd`（要先点右上角更新应用），点击安装，配置域名等基本信息即可完成安装
+
+### 4.2 宝塔面板容器编排部署
+
+[宝塔面板容器编排部署教程](./doc/deploy/baota/baota.md)
+
+### 4.3 Docker部署
+#### 1. 安装docker、docker-compose
+
+1.1 准备一台云服务器
+* 【阿里云】云服务器2核2G，新老用户同享，99元/年，续费同价！【 [立即购买](https://www.aliyun.com/benefit?scm=20140722.M_10244282._.V_1&source=5176.11533457&userCode=qya11txb )】
+* 【腾讯云】云服务器2核2G，新老用户同享，99元/年，续费同价！【 [立即购买](https://cloud.tencent.com/act/cps/redirect?redirect=6094&cps_key=b3ef73330335d7a6efa4a4bbeeb6b2c9&from=console)】
+
+1.2 安装docker      
+
+https://docs.docker.com/engine/install/   
+选择对应的操作系统，按照官方文档执行命令即可   
+
+#### 2. 运行certd
+
+[docker-compose.yaml 下载](https://gitee.com/certd/certd/raw/v2/docker/run/docker-compose.yaml)
+
+当前版本号： ![](https://img.shields.io/npm/v/%40certd%2Fpipeline)
+
+```bash
+# 随便创建一个目录
+mkdir certd
+# 进入目录
+cd certd
+# 下载docker-compose.yaml文件，或者手动下载放到certd目录下
+wget https://gitee.com/certd/certd/raw/v2/docker/run/docker-compose.yaml
+
+# 可以根据需要修改里面的配置
+# 1.修改镜像版本号【可选】
+# 2.配置数据保存路径【可选】
+# 3.修改端口号【可选】
+vi docker-compose.yaml # 【可选】
+
+# 启动certd
+docker compose up -d
+
+```
+> 如果提示 没有compose命令,请安装docker-compose   
+> https://docs.docker.com/compose/install/linux/
+
+#### 3. 镜像说明：
+* 国内镜像地址:
+  * `registry.cn-shenzhen.aliyuncs.com/handsfree/certd:latest`
+  * `registry.cn-shenzhen.aliyuncs.com/handsfree/certd:armv7`、`[version]-armv7`
+* DockerHub地址：
+  * `https://hub.docker.com/r/greper/certd`
+  * `greper/certd:latest`
+  * `greper/certd:armv7`、`greper/certd:[version]-armv7`
+
+* 镜像构建通过`Actions`自动执行，过程公开透明，请放心使用
+  * [点我查看镜像构建日志](https://github.com/certd/certd/actions/workflows/build-image.yml) 
+
+![](./doc/images/action-build.jpg)
+
+#### 4. 访问测试
+
+http://your_server_ip:7001    
+默认账号密码：admin/123456    
+记得修改密码   
+
+### 4.4 源码部署
+```shell
+# 克隆代码
+git clone https://github.com/certd/certd
+cd certd
+# 启动服务
+./start.sh  
+```
+如果是windows，请先安装`git for windows` ，然后右键，选择`open git bash here`打开终端，再执行`./start.sh`命令
+
+
+## 五、 升级
+如果使用固定版本号
+1. 修改`docker-compose.yaml`中的镜像版本号
+2. 运行`docker compose up -d` 即可
+
+如果使用`latest`版本
+```shell
+#重新拉取镜像
+docker pull registry.cn-shenzhen.aliyuncs.com/handsfree/certd:latest
+# 重新启动容器
+docker compose down
+docker compose up -d
+```
+
+> 数据默认存在`/data/certd`目录下，不用担心数据丢失   
+
+
+更新日志： [CHANGELOG](./CHANGELOG.md)
+
+
+## 六、一些说明
 * 本项目ssl证书提供商为letencrypt
 * 申请过程遵循acme协议
-* 需要验证域名所有权，一般有两种方式（目前本项目仅支持dns-01）      
-  * http-01： 在网站根目录下放置一份txt文件     
-  * dns-01： 需要给域名添加txt解析记录，泛域名只能用这种方式   
+* 需要验证域名所有权，一般有两种方式（目前本项目仅支持dns-01）
+  * http-01： 在网站根目录下放置一份txt文件
+  * dns-01： 需要给域名添加txt解析记录，通配符域名只能用这种方式
 * 证书续期：
-  * 实际上acme并没有续期概念。
-  * 我们所说的续期，其实就是按照全套流程重新申请一份新证书。
+  * 实际上没有办法不改变证书文件本身情况下直接续期或者续签。
+  * 我们所说的续期，其实就是按照全套流程重新申请一份新证书，然后重新部署上去。
 * 免费证书过期时间90天，以后可能还会缩短，所以自动化部署必不可少
+* 设置每天自动运行，当证书过期前20天，会自动重新申请证书并部署
 
 
+## 七、不同平台的设置说明
 
-## 快速开始
-本案例演示，如何配置自动申请证书，并部署到阿里云CDN，然后快要到期前自动更新证书并重新部署    
+* [Cloudflare](./doc/cf/cf.md)
+* [腾讯云](./doc/tencent/tencent.md)
+* [windows主机](./doc/host/host.md)
+* [google证书](./doc/google/google.md)
+* [群晖部署certd及证书更新教程](./doc/synology/index.md)
 
 
-1. 环境准备   
-安装[nodejs](https://nodejs.org/zh-cn/)
-
-
-2. 生成node项目
-
-  通过ui生成： https://certd.docmirror.cn/
-  
-开始生成证书，先填写域名，支持将多个域名打到一个证书上
-![](./doc/step1.png)
-
-配置证书详细信息
-![](./doc/step2.png)
-
-配置证书部署流程
-![](./doc/step3.png)
-
-配置好之后，点击导出按钮，导出一个node项目包
-
-4. 运行    
-将导出的压缩包解压，然后执行如下命令，即可开始申请证书并部署
+## 八、问题处理
+### 7.1 忘记管理员密码   
+解决方法如下：
+1. 修改docker-compose.yaml文件，将环境变量`certd_system_resetAdminPasswd`改为`true`
+```yaml
+services:
+  certd:
+    environment: # 环境变量
+      - certd_system_resetAdminPasswd=false
 ```
-npm install
-npm run certd
+2. 重启容器
+```shell
+docker compose up -d
+docker logs -f --tail 500 certd
+# 观察日志，当日志中输出“重置1号管理员用户的密码完成”，即可操作下一步
 ```
-5. 执行效果
-生成的证书默认会存储在 `${home}/.certd/${email}/certs/${domain}/current`目录下 
+3. 修改docker-compose.yaml，将`certd_system_resetAdminPasswd`改回`false`
+4. 再次重启容器
+```shell
+docker compose up -d
 ```
-[2021-01-08T16:15:04.681] [INFO] certd - 任务完成
-[2021-01-08T16:15:04.681] [INFO] certd - ---------------------------任务结果总览--------------------------
-[2021-01-08T16:15:04.682] [INFO] certd - 【更新证书】---------------------------------------	[success] 
-  证书申请成功
-[2021-01-08T16:15:04.682] [INFO] certd - 【流程1-部署到阿里云CDN】----------------------------	[success]  	执行成功
-[2021-01-08T16:15:04.682] [INFO] certd -    └【上传到阿里云】--------------------------------	[success]  	执行成功
-[2021-01-08T16:15:04.682] [INFO] certd -    └【部署证书到CDN】-------------------------------	[success]  	执行成功
-```
-6. 证书续期    
-实际上没有证书续期的概念，只有重新生成一份新的证书，然后重新部署证书    
-所以每天定时运行即可，当证书过期日前20天时，会重新申请新的证书，然后执行部署任务。     
+5. 使用`admin/123456`登录系统，请及时修改管理员密码
 
-7. 其他说明    
-证书的部署任务执行后会记录执行结果，已经成功过的不会重复执行     
-所以当你临时需要将证书部署到其他地方时，直接追加部署任务，然后再次运行即可
-
-## CI/DI集成与自动续期重新部署
-集成前，将以上导出的node项目提交到内网git仓库，或者私有git仓库（由于包含敏感信息，不要提交到公开git仓库）
-
-### jenkins任务
-1. 创建任务     
-选择构建自由风格的任务     
-
-2. 配置git    
-配置cert-run的git地址     
-
-3. 构建触发器    
-配置 `H 3 * * *` ，每天凌晨3点-4点执行一次
-
-4. 构建环境    
-勾选 `Provide Node & npm bin/ folder to PATH`，提供nodejs运行环境     
-如果没有此选项，需要jenkins安装`nodejs`插件
-
-5. 构建    
-执行shell
-```
-npm install --production   #执行过一次之后，就可以注释掉，加快执行速度
-npm run post
-```
-6. 构建后操作     
-邮件通知   
-配置你的邮箱地址，可以在执行失败时收到邮件通知。
+## 九、联系作者
+如有疑问，欢迎加入群聊（请备注certd）
+* QQ群：141236433
+* 微信群：   
+  ![](https://ai.handsfree.work/images/exchange_wxqroup.png)
 
 
-## API
-先列个提纲，待完善
+加作者好友
+<p align="center">
+<img height="230" src="./doc/images/me.png">
+</p>
 
-参数示例参考：https://gitee.com/certd/certd/blob/master/test/options.js
+## 十、捐赠
+************************
+支持开源，为爱发电，我已入驻爱发电   
+https://afdian.com/a/greper
 
-### 授权提供者
-用于dns验证接口调用
-#### aliyun
-
-#### dnspod
-
-### deploy插件
-部署任务插件
-#### 阿里云
-##### 上传到阿里云
-type = uploadCertToAliyun
-##### 部署到阿里云DNS
-type = deployCertToAliyunCDN
-
-##### 部署到阿里云CLB
-type = deployCertToAliyunCLB
-
-#### 腾讯云
-##### 上传到腾讯云
-type = uploadCertToTencent
-
-##### 部署到腾讯云DNS
-type = deployCertToTencentDNS
-
-##### 部署到腾讯云CLB
-type = deployCertToTencentCLB
-
-##### 部署到腾讯云TKE-ingress
-type = deployCertToTencentTKEIngress
+发电权益：
+1. 可加入发电专属群，可以获得作者一对一技术支持
+2. 您的需求我们将优先实现，并且将作为专业版功能提供
+3. 一年期专业版激活码
+4. 赠送国外免费服务器部署方案（0成本使用Certd，可能需要翻墙，不过现在性能越来越差了）
+
+
+专业版特权对比
+
+| 功能      | 免费版                    | 专业版                   |
+|---------|------------------------|-----------------------|
+| 免费证书申请  | 免费无限制                  | 免费无限制                 |
+| 自动部署插件  | 阿里云CDN、腾讯云、七牛CDN、主机部署等 | 支持群晖、宝塔、1Panel等，持续开发中 |
+| 发邮件功能   | 需要配置                   | 免配置                   |
+| 证书流水线条数 | 10条                    | 无限制                   |
+
+************************
+
+## 十一、贡献代码
+
+1. 本地开发 [贡献插件教程](./doc/dev/development.md)
+2. 作为贡献者，代表您同意您贡献的代码如下许可：
+   1. 可以调整开源协议以使其更严格或更宽松。
+   2. 可以用于商业用途。
+
+
+
+## 十二、 开源许可
+* 本项目遵循 GNU Affero General Public License（AGPL）开源协议。   
+* 允许个人和公司使用、复制、修改和分发本项目，禁止任何形式的商业用途 
+* 未获得商业授权情况下，禁止任何对logo、版权信息及授权许可相关代码的修改。
+* 如需商业授权，请联系作者。
+
+## 十三、我的其他项目（求Star）
+* [袖手GPT](https://ai.handsfree.work/) ChatGPT，国内可用，无需FQ，每日免费额度
+* [fast-crud](https://gitee.com/fast-crud/fast-crud/) 基于vue3的crud快速开发框架
+* [dev-sidecar](https://github.com/docmirror/dev-sidecar/) 直连访问github工具，无需FQ，解决github无法访问的问题
+
+
+
+## 十四、更新日志
+
+更新日志：[CHANGELOG](./CHANGELOG.md)
 
 
-### 更多部署插件
-等你来提需求

build.trigger

@@ -0,0 +1 @@
+02:06

deploy.js

@@ -1,10 +1,10 @@
 import http from 'axios'
 import fs from 'fs'
-
 //读取 packages/core/pipline/package.json的版本号
-import { default as packageJson } from './packages/core/pipeline/package.json' assert { type: "json" };
+import {default as packageJson} from './packages/core/pipeline/package.json' assert { type: "json" };
+
 const certdVersion = packageJson.version
-console.log("certdVersion",certdVersion)
+console.log("certdVersion", certdVersion)
 
 // 同步npmmirror的包
 async function getPackages(directoryPath) {
@@ -29,18 +29,19 @@ async function getPackages(directoryPath) {
 
 }
 
-async function getAllPackages(){
+async function getAllPackages() {
     const base = await getPackages("./packages/core")
-    const plugins =await getPackages("./packages/plugins")
+    const plugins = await getPackages("./packages/plugins")
+    const libs = await getPackages("./packages/libs")
 
-    return base.concat(plugins)
+    return base.concat(plugins).concat(libs)
 }
 
-async function sync(){
+async function sync() {
     const packages = await getAllPackages()
-    for(const pkg of packages){
+    for (const pkg of packages) {
         await http({
-            url: `https://registry-direct.npmmirror.com/@certd/${pkg}/sync?sync_upstream=true`,
+            url: `http://registry-direct.npmmirror.com/@certd/${pkg}/sync?sync_upstream=true`,
             method: 'PUT',
             headers: {
                 "Content-Type": "application/json"
@@ -48,15 +49,15 @@ async function sync(){
             data: {}
         })
         console.log(`sync success:${pkg}`)
-        await sleep(1000)
+        await sleep(30*1000)
     }
-    await sleep(60000)
 }
 
 // curl -X PUT https://registry-direct.npmmirror.com/@certd/plugin-cert/sync?sync_upstream=true
 
 const certdImageBuild = "http://flow-openapi.aliyun.com/pipeline/webhook/4zgFk3i4RZEMGuQzlOcI"
-const webhooks = [certdImageBuild]
+const certdImageRun = "http://flow-openapi.aliyun.com/pipeline/webhook/lzCzlGrLCOHQaTMMt0mG"
+const webhooks = [certdImageBuild,certdImageRun]
 
 async function sleep(time) {
     return new Promise(resolve => {
@@ -65,6 +66,7 @@ async function sleep(time) {
 }
 
 async function triggerBuild() {
+    await sleep(60000)
     for (const webhook of webhooks) {
         await http({
             url: webhook,
@@ -77,7 +79,7 @@ async function triggerBuild() {
             }
         })
         console.log(`webhook success:${webhook}`)
-        await sleep(1000)
+        await sleep(30*60*1000)
     }
 
 }
@@ -85,8 +87,9 @@ async function triggerBuild() {
 async function start() {
     // await build()
     console.log("等待60秒")
-    await sleep(60 * 1000)
+    await sleep(100* 1000)
     await sync()
+    await sleep(100 * 1000)
     await triggerBuild()
 }
 

deploy.trigger

@@ -0,0 +1 @@
+5

doc/cf/cf.md

@@ -0,0 +1,15 @@
+# Cloudflare 
+
+
+## CF Token申请
+
+### 申请地址：
+https://dash.cloudflare.com/profile/api-tokens
+
+### 权限设置：
+需要设置权限和资源范围  
+权限包括：Zone.Zone.edit, Zone.DNS.edit  
+资源范围：要包含对应域名，推荐直接设置为All Zones  
+最终效果如下，可以切换语言为英文对比如下图检查
+
+![](./cf_token.png)

doc/deploy/baota/baota.md

@@ -0,0 +1,32 @@
+# 宝塔部署教程
+
+## 编排模版部署
+
+### 创建docker模版
+打开docker-compose.yaml，
+https://gitee.com/certd/certd/raw/v2/docker/run/docker-compose.yaml
+
+整个内容复制下来
+
+然后到宝塔里面进到docker的编排模版，新建模版
+![](./images/1.png)
+
+### 启动应用
+
+![img.png](./images/2.png)
+
+等待启动完成
+
+### 打开应用
+
+http://ip:7001
+
+
+## 二、一键应用部署
+需要宝塔9.2.0版本
+
+### 应用商店
+进入应用商店，更新应用列表
+
+### 搜索certd
+点击安装

doc/dev/development.md

@@ -0,0 +1,92 @@
+# 本地开发
+欢迎贡献插件
+
+## 1.本地调试运行
+
+### 克隆代码
+```shell
+
+# 克隆代码
+git clone https://github.com/certd/certd
+
+#进入项目目录
+cd certd
+```
+
+### 修改pnpm-workspace.yaml文件     
+重要：否则无法正确加载专业版的access和plugin
+```yaml
+# pnpm-workspace.yaml
+packages:
+   - 'packages/**'  # <--------------注释掉这一行，PR时不要提交此修改
+   - 'packages/ui/**'
+```
+
+### 安装依赖和初始化:
+```shell
+# 安装pnpm，如果提示npm命令不存在，就需要先安装nodejs
+npm install -g pnpm@8.15.7 --registry=https://registry.npmmirror.com
+
+# 使用国内镜像源，如果有代理，就不需要
+pnpm config set registry https://registry.npmmirror.com
+# 安装依赖
+pnpm install
+
+# 初始化构建
+npm run init
+```
+
+### 启动 server:    
+```shell
+cd packages/ui/certd-server
+npm run dev
+```
+
+### 启动 client:    
+```shell
+cd packages/ui/certd-client
+npm run dev
+
+# 会自动打开浏览器，确认正常运行
+
+```
+
+## 开发插件
+进入 `packages/ui/certd-server/src/plugins`
+
+### 1.复制`plugin-demo`目录作为你的插件目录
+比如你想做`cloudflare`的插件，那么你可以复制`plugin-demo`目录，将其命名成`plugin-cloudflare`。   
+以下均以`plugin-cloudflare`为例进行说明，你需要将其替换成你的插件名称
+
+### 2. access授权
+如果这是一个新的平台，它应该有授权方式，比如accessKey accessSecret之类的     
+参考`plugin-cloudflare/access.ts` 修改为你要做的平台的`access`
+这样用户就可以在`certd`后台中创建这种授权凭证了
+
+### 3. dns-provider
+如果域名是这个平台进行解析的，那么你需要实现dns-provider，（申请证书需要）    
+参考`plugin-cloudflare/dns-provider.ts` 修改为你要做的平台的`dns-provider`
+
+### 4. plugin-deploy
+如果这个平台有需要部署证书的地方     
+参考`plugin-cloudflare/plugins/plugin-deploy-to-xx.ts` 修改为你要做的平台的`plugin-deploy-to-xx`
+
+### 5. 增加导入
+在`plugin-cloudflare/index.ts`中增加你的插件的`import`
+```ts
+export * from './dns-provider'
+export * from './access'
+export * from './plugins/plugin-deploy-to-xx'
+````
+
+在`./src/plugins/index.ts`中增加`import`
+
+```ts
+export * from "./plugin-cloudflare.js"
+```
+
+## 重启服务进行调试
+刷新浏览器，检查你的插件是否工作正常， 确保能够正常进行证书申请和部署    
+
+## 提交PR
+我们将尽快审核PR

doc/google/google.md

@@ -0,0 +1,56 @@
+# google证书申请教程
+
+## 1、启用API
+打开如下链接，启用 API
+
+https://console.cloud.google.com/apis/library/publicca.googleapis.com
+
+打开该链接后点击“启用”，随后等待右侧出现“API已启用”则可以关闭该页。
+
+## 2、 获取授权
+以下两种方式任选其一
+### 2.1 直接获取EAB 【推荐】
+
+
+1. 打开“Google Cloud Shell”（在右上角点击激活CloudShell图标）。   
+等待分配完成后在 Shell 窗口内输入如下命令：
+    
+```shell
+gcloud beta publicca external-account-keys create
+```
+2. 此时会弹出“为 Cloud Shell 提供授权”，点击授权即可。    
+执行完成后会返回类似如下输出；注意不要在没有收到 Google 的邮件时执行该命令，会返回命令不存在。
+
+```shell
+Created an external account key
+[b64MacKey: xxxxxxxxxxxxxxxx
+keyId: xxxxxxxxxxxxx]
+```
+
+3. 到Certd中，创建一条EAB授权记录，填写keyId(=kid) 和 b64MacKey 信息    
+   注意：keyId没有`]`结尾，不要把`]`也复制了   
+
+注意：EAB授权使用过一次之后，会绑定邮箱，后续再次使用时，要使用相同的邮箱    
+否则会报错 `Unknown external account binding (EAB) key. This may be due to the EAB key expiring which occurs 7 days after creation`
+
+### 2.2 通过服务账号获取EAB
+
+此方式可以自动EAB，需要配置代理
+
+1. 创建服务账号    
+https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts/create?walkthrough_id=iam--create-service-account&hl=zh-cn#step_index=1
+
+2. 选择一个项目，进入创建服务账号页面
+3. 给服务账号起一个名字，点击`创建并继续`
+4. 向此服务账号授予对项目的访问权限： `选择角色`->`基本`->`Owner`
+5. 点击完成
+6. 点击服务账号，进入服务账号详情页面
+7. 点击`添加密钥`->`创建新密钥`->`JSON`，下载密钥文件
+8. 将json文件内容粘贴到 certd中 Google服务授权输入框中
+
+
+## 3、 创建证书流水线
+选择证书提供商为google， 选择EAB授权 或 服务账号授权
+
+## 4、 其他就跟正常申请证书一样了
+

doc/host/host.md

@@ -0,0 +1,24 @@
+# 远程主机
+
+远程主机基于ssh协议，通过ssh连接远程主机，执行命令。
+
+## windows开启OpenSSH Server
+1. 安装OpenSSH Server
+请前往Microsoft官方文档查看如何开启openSSH
+https://learn.microsoft.com/zh-cn/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui#install-openssh-for-windows
+
+2. 启动OpenSSH Server服务
+```
+win+R  弹出运行对话框，输入 services.msc 打开服务管理器
+找到 OpenSSH SSH Server 
+启动ssh server服务，并且设置为自动启动
+```
+
+3. 测试ssh登录
+使用你常用的ssh客户端，连接你的windows主机，进行测试 
+
+```cmd
+# 如何确定你用户名
+C:\Users\xiaoj>
+          ↑↑↑↑---------这个就是windows ssh的登录用户名
+```

doc/synology/index.md

@@ -0,0 +1,41 @@
+# 群晖部署和证书更新
+
+
+## 一、群晖系统上部署Certd教程
+
+### 1. 打开Container Manager
+
+![](./images/1.png)
+
+### 2. 新增项目
+
+![](./images/2.png)
+
+### 3. 配置Certd项目
+
+![](./images/3.png)
+
+### 4. 外网访问设置
+
+![](./images/4.png)
+
+### 5. 确认项目信息
+
+![](./images/5.png)
+
+点击完成安装，等待certd启动完成即可
+
+### 6. 门户配置向导【可选】
+
+![](./images/6.png)
+
+
+
+## 二、更新群晖证书
+
+## 1. 前提条件
+* 已经部署了certd
+* 群晖上已经设置好了证书(证书建议设置好描述，插件需要根据描述查找证书)
+
+## 2. 在certd上配置自动更新群晖证书插件
+![](./images/deploy.png)

doc/tencent/tencent.md

@@ -0,0 +1,16 @@
+# 腾讯云
+
+
+## DNSPOD 授权设置
+目前腾讯云管理的域名的dns暂时只支持从DNSPOD进行设置    
+打开 https://console.dnspod.cn/account/token/apikey    
+然后按如下方式获取DNSPOD的授权
+![](./dnspod-token.png)
+
+
+## 腾讯云API密钥设置
+
+腾讯云其他部署需要API密钥，需要在腾讯云控制台进行设置   
+打开 https://console.cloud.tencent.com/cam/capi   
+然后按如下方式获取腾讯云的API密钥    
+![](./tencent-access.png)

docker/image/Dockerfile

@@ -1,18 +0,0 @@
-FROM registry.cn-shenzhen.aliyuncs.com/handsfree/node:16-alpine
-EXPOSE 7001
-ENV NODE_ENV production
-ENV MIDWAY_SERVER_ENV production
-WORKDIR /app/
-#RUN npm install cross-env -g  --registry=https://registry.npmmirror.com
-#RUN npm install pm2 -g  --registry=https://registry.npmmirror.com
-#RUN pm2 install pm2-logrotate
-ADD ./workspace/certd-server/ /app/
-RUN yarn install --production  --registry=https://registry.npmmirror.com
-#RUN yarn install --production
-RUN npm run build
-#CMD ["pm2-runtime", "start", "./bootstrap.js","--name", "certd","-i","1"]
-CMD ["npm", "run","start"]
-
-
-
-

docker/image/build.sh

@@ -1,37 +0,0 @@
-#!/bin/bash
-set -e
-echo "请先输入一个版本号："
-read version
-
-echo "您输入的版本号是： $version"
-echo "登录aliyun镜像仓库"
-sudo docker login --username=252959493@qq.com registry.cn-shenzhen.aliyuncs.com
-
-build=$(pwd)
-cd ../../
-root=$(pwd)
-echo "安装依赖"
-#pnpm install --registry=https://registry.npmmirror.com
-pnpm install
-
-echo "client build"
-cd $root/packages/ui/certd-client
-pnpm run build
-echo "client build success"
-
-echo "server build"
-cd $root/packages/ui/certd-server
-pnpm run build
-echo "server build success"
-
-echo "rm node_modules"
-rm ./node_modules -rf
-
-echo "copy to workspace"
-mkdir -p $build/workspace/certd-server
-\cp ./* $build/workspace/certd-server -rf
-\cp ../certd-client/dist/* $build/workspace/certd-server/public/ -rf
-
-#export TAG=$version
-#sudo -E docker compose build
-#sudo -E docker compose push

docker/run/Dockerfile

@@ -1,9 +0,0 @@
-FROM registry.cn-shenzhen.aliyuncs.com/handsfree/certd:latest
-EXPOSE 7001
-RUN npm run build
-#RUN npm install pm2 -g  --registry=https://registry.npmmirror.com
-#CMD ["pm2-runtime", "start", "./bootstrap.js","--name", "certd","-i","1","--", "-p", "7001"]
-CMD ["npm","run", "start"]
-
-
-

docker/run/build.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-set -e
-echo "请先输入一个版本号(如 1.0.6)："
-read version
-echo "您输入的版本号是： $version"
-export TAG="$version"
-sudo -E docker compose up -d

docker/run/docker-compose.yaml

@@ -1,20 +1,40 @@
-version: '3.3' # 指定docker-compose 版本
-services: # 要拉起的服务们
+version: '3.3' # 兼容旧版docker-compose
+services:
   certd:
-#    build:
-#        context: ./
-#        dockerfile: Dockerfile
-#                                                              ↓↓↓↓↓  修改镜像版本号
-    image: registry.cn-shenzhen.aliyuncs.com/handsfree/certd:${TAG}
+    # 镜像                                                  #  ↓↓↓↓↓ --- 镜像版本号，建议改成固定版本号
+    image: registry.cn-shenzhen.aliyuncs.com/handsfree/certd:latest
     container_name: certd # 容器名
-    restart: unless-stopped # 重启
+    restart: unless-stopped # 自动重启
     volumes:
-      #   ↓↓↓↓↓  修改数据库以及证书存储路径
+      #   ↓↓↓↓↓ -------------------------------------------------------- 数据库以及证书存储路径,默认存在宿主机的/data/certd/目录下，【您需要定时备份此目录，以保障数据容灾】
       - /data/certd:/app/data
     ports: # 端口映射
+      #  ↓↓↓↓ ---------------------------------------------------------- 如果端口有冲突，可以修改第一个7001为其他不冲突的端口号
       - "7001:7001"
-    environment:
+    dns:
+      #  ↓↓↓↓ ---------------------------------------------------------- 如果出现getaddrinfo ENOTFOUND等错误，可以尝试修改或注释dns配置
+      - 223.5.5.5
+      - 223.6.6.6
+      #  ↓↓↓↓ ---------------------------------------------------------- 如果你服务器部署在国外，可以用8.8.8.8替换上面的dns
+#      - 8.8.8.8
+#      - 8.8.4.4
+#    extra_hosts:
+      #  ↓↓↓↓ ---------------------------------------------------------- 这里可以配置自定义hosts，外网域名可以指向本地局域网ip地址
+#      - "localdomain.comm:192.168.1.3"
+    environment: # 环境变量
       - TZ=Asia/Shanghai
-      - certd_auth_jwt_secret=changeme
-#                               ↑↑↑↑↑   注意修改成你的自定义密钥
-
+      #- HTTPS_PROXY=http://xxxxxx:xx
+      #- HTTP_PROXY=http://xxxxxx:xx
+                          #  ↑↑↑↑↑ ------------------------------------- 这里可以设置http代理
+      - certd_system_resetAdminPasswd=false
+                                     #  ↑↑↑↑↑--------------------------- 如果忘记管理员密码，可以设置为true，重启之后，管理员密码将改成123456，然后请及时修改回false
+      - certd_cron_immediateTriggerOnce=false
+                                     #  ↑↑↑↑↑--------------------------- 如果设置为true，启动后所有配置了cron的流水线任务都将被立即触发一次
+      - certd_site_icp_no=
+                      #  ↑↑↑↑↑ ----------------------------------------- 这里可以设置备案号
+      #- certd_koa_key=./data/ssl/cert.key
+      #- certd_koa_cert=./data/ssl/cert.crt
+                      #  ↑↑↑↑↑ ----------------------------------------- 配置证书和key，则表示https方式启动，使用https协议访问，https://your.domain:7001
+      # 设置环境变量即可自定义certd配置
+      # 配置项见： packages/ui/certd-server/src/config/config.default.ts
+      # 配置规则： certd_ + 配置项, 点号用_代替

init.sh

@@ -0,0 +1,21 @@
+
+current_pwd=$(pwd)
+
+echo "开始设置git配置"
+
+read -p "请输入username：" username
+git config  user.name $username
+
+read -p "请输入email：" email
+git config  user.email $email
+
+git config credential.helper "store --file=$current_pwd/.git/credential.store"
+echo "已设置记住git账号密码"
+
+git config  core.autocrlf input   
+echo "已设置auto crlf = input"
+
+git config core.filemode false
+echo "已设置忽略文件模式变化"
+
+echo "git配置完成"

lerna.json

@@ -9,5 +9,5 @@
     }
   },
   "npmClient": "pnpm",
-  "version": "1.1.2"
+  "version": "1.26.0"
 }

package.json

@@ -1,27 +1,32 @@
 {
   "name": "root",
-  "version": "1.0.3",
+  "version": "1.20.4",
   "private": true,
   "type": "module",
   "devDependencies": {
-    "@lerna-lite/cli": "^2.4.0",
-    "@lerna-lite/publish": "^2.4.0",
-    "@lerna-lite/run": "^2.4.0"
+    "@lerna-lite/cli": "^3.9.3",
+    "@lerna-lite/publish": "^3.9.3",
+    "@lerna-lite/run": "^3.9.3",
+    "@lerna-lite/version": "^3.9.3"
   },
   "scripts": {
     "start": "lerna bootstrap --hoist",
     "i-all": "lerna link && lerna exec npm install  ",
-    "publish": "npm run proxy && npm run prepublishOnly1  && lerna publish --conventional-commits && npm run afterpublishOnly && node deploy.js",
-    "afterpublishOnly": "",
-    "proxy": "npm config set proxy=http://127.0.0.1:10809",
-    "prepublishOnly1": "npm run before-build && lerna run build ",
-    "before-build": "cd ./packages/core/acme-client && time /t >build.md && git add ./build.md && git commit -m \"build: prepare to build\"",
-    "deploy1": "node deploy.js"
+    "publish": "npm run prepublishOnly2  && lerna publish --force-publish=pro/plus-core --conventional-commits --create-release github && npm run afterpublishOnly && npm run commitAll",
+    "afterpublishOnly": "time /t >build.trigger && git add ./build.trigger && git commit -m \"build: trigger build image\" && TIMEOUT /T 10 && git push",
+    "commitAll": "git add . && git commit -m \"build: publish\" && git push && npm run commitPro",
+    "commitPro": "cd ./packages/core/ && git add . && git commit -m \"build: publish\" && git push",
+    "prepublishOnly1": "npm run check && lerna run build ",
+    "prepublishOnly2": "npm run check && npm run before-build && lerna run build ",
+    "before-build": "cd ./packages/core/basic && time /t >build.md && git add ./build.md && git commit -m \"build: prepare to build\"",
+    "deploy1": "node --experimental-json-modules deploy.js ",
+    "check": "node --experimental-json-modules publish-check.js",
+    "init": "lerna run build"
   },
-  "license": "MIT",
+  "license": "AGPL-3.0",
   "dependencies": {
-    "axios": "^1.4.0",
-    "lodash": "^4.17.21"
+    "axios": "^1.7.7",
+    "lodash-es": "^4.17.21"
   },
   "workspaces": [
     "packages/**"

packages/core/acme-client/.circleci/.gitignore

@@ -1 +0,0 @@
-.temp.yml

packages/core/acme-client/.circleci/config.yml

@@ -1,133 +0,0 @@
----
-version: 2.1
-
-commands:
-  pre:
-    steps:
-      - run: node --version
-      - run: npm --version
-      - run: yarn --version
-      - checkout
-
-  enable-eab:
-    steps:
-      - run:
-          name: Enable EAB through environment
-          command: |
-            echo 'export ACME_CAP_EAB_ENABLED=1' >> $BASH_ENV
-
-  install-cts:
-    steps:
-      - run:
-          name: Install Pebble Challenge Test Server
-          command: sudo -E /bin/bash ./scripts/test-suite-install-cts.sh
-          environment:
-            PEBBLECTS_VERSION: 2.3.1
-
-      - run:
-          name: Start Pebble Challenge Test Server
-          command: pebble-challtestsrv -dns01 ":8053" -tlsalpn01 ":5001" -http01 ":5002" -https01 ":5003" -defaultIPv4 "127.0.0.1" -defaultIPv6 ""
-          background: true
-
-  install-pebble:
-    steps:
-      - run:
-          name: Install Pebble
-          command: sudo -E /bin/bash ./scripts/test-suite-install-pebble.sh
-          environment:
-            PEBBLE_VERSION: 2.3.1
-
-      - run:
-          name: Start Pebble
-          command: pebble -strict -config /etc/pebble/pebble.json -dnsserver "127.0.0.1:53"
-          background: true
-          environment:
-            PEBBLE_ALTERNATE_ROOTS: 2
-
-      - run:
-          name: Set up environment
-          command: |
-            echo 'export NODE_EXTRA_CA_CERTS="/etc/pebble/ca.cert.pem"' >> $BASH_ENV
-            echo 'export ACME_CA_CERT_PATH="/etc/pebble/ca.cert.pem"' >> $BASH_ENV
-            echo 'export ACME_DIRECTORY_URL="https://127.0.0.1:14000/dir"' >> $BASH_ENV
-            echo 'export ACME_PEBBLE_MANAGEMENT_URL="https://127.0.0.1:15000"' >> $BASH_ENV
-
-      - run:
-          name: Wait for Pebble
-          command: /bin/bash ./scripts/test-suite-wait-for-ca.sh
-
-  install-step:
-    steps:
-      - run:
-          name: Install Step Certificates
-          command: /bin/bash ./scripts/test-suite-install-step.sh
-          environment:
-            STEPCA_VERSION: 0.18.0
-            STEPCLI_VERSION: 0.18.0
-
-      - run:
-          name: Start Step CA
-          command: /usr/bin/step-ca --resolver="127.0.0.1:53" --password-file="/tmp/password" ~/.step/config/ca.json
-          background: true
-
-      - run:
-          name: Set up environment
-          command: |
-            echo 'export NODE_EXTRA_CA_CERTS="/home/circleci/.step/certs/root_ca.crt"' >> $BASH_ENV
-            echo 'export ACME_CA_CERT_PATH="/home/circleci/.step/certs/root_ca.crt"' >> $BASH_ENV
-            echo 'export ACME_DIRECTORY_URL="https://localhost:8443/acme/acme/directory"' >> $BASH_ENV
-
-            echo 'export ACME_CAP_META_TOS_FIELD=0' >> $BASH_ENV
-            echo 'export ACME_CAP_UPDATE_ACCOUNT_KEY=0' >> $BASH_ENV
-            echo 'export ACME_CAP_ALTERNATE_CERT_ROOTS=0' >> $BASH_ENV
-
-      - run:
-          name: Wait for Step CA
-          command: /bin/bash ./scripts/test-suite-wait-for-ca.sh
-
-  install-coredns:
-    steps:
-      - run:
-          name: Install CoreDNS
-          command: sudo -E /bin/bash ./scripts/test-suite-install-coredns.sh
-          environment:
-            COREDNS_VERSION: 1.8.6
-            PEBBLECTS_DNS_PORT: 8053
-
-      - run:
-          name: Start CoreDNS
-          command: sudo coredns -p 53 -conf /etc/coredns/Corefile
-          background: true
-
-  test:
-    steps:
-      - run: yarn --color
-      - run: yarn run lint --color
-      - run: yarn run lint-types
-      - run: yarn run build-docs
-
-      - run:
-          command: yarn run test --color
-          environment:
-            ACME_DOMAIN_NAME: test.example.com
-            ACME_CHALLTESTSRV_URL: http://127.0.0.1:8055
-            ACME_DNS_RESOLVER: 127.0.0.1
-            ACME_TLSALPN_PORT: 5001
-            ACME_HTTP_PORT: 5002
-            ACME_HTTPS_PORT: 5003
-
-jobs:
-  v16: { docker: [{ image: cimg/node:16.16 }], steps: [ pre, install-cts, install-pebble, install-coredns, test ]}
-  v18: { docker: [{ image: cimg/node:18.4 }], steps: [ pre, install-cts, install-pebble, install-coredns, test ]}
-  eab-v16: { docker: [{ image: cimg/node:16.16 }], steps: [ pre, enable-eab, install-cts, install-pebble, install-coredns, test ]}
-  eab-v18: { docker: [{ image: cimg/node:18.4 }], steps: [ pre, enable-eab, install-cts, install-pebble, install-coredns, test ]}
-  # step-v12: { docker: [{ image: cimg/node:12.22 }], steps: [ pre, install-cts, install-step, install-coredns, test ]}
-
-workflows:
-  test-suite:
-    jobs:
-      - v16
-      - v18
-      - eab-v16
-      - eab-v18
-      # - step-v12

packages/core/acme-client/.editorconfig

@@ -5,7 +5,7 @@
 root = true
 
 [*]
-indent_style = spaces
+indent_style = space
 indent_size = 4
 trim_trailing_whitespace = true
 

packages/core/acme-client/.eslintrc.yml

@@ -9,15 +9,8 @@ env:
 rules:
   indent: [2, 4, { SwitchCase: 1, VariableDeclarator: 1 }]
   brace-style: [2, 'stroustrup', { allowSingleLine: true }]
-  space-before-function-paren: [2, { anonymous: 'never', named: 'never' }]
   func-names: 0
-  prefer-destructuring: 0
-  object-curly-newline: 0
   class-methods-use-this: 0
-  wrap-iife: [2, 'inside']
   no-param-reassign: 0
-  comma-dangle: [2, 'never']
   max-len: [1, 200, 2, { ignoreUrls: true, ignoreComments: false }]
-  no-multiple-empty-lines: [2, { max: 2, maxBOF: 0, maxEOF: 0 }]
-  prefer-object-spread: 0
   import/no-useless-path-segments: 0

packages/core/acme-client/.github/scripts/tests-install-coredns.sh

@@ -2,7 +2,7 @@
 #
 # Install CoreDNS for testing.
 #
-set -eu
+set -euo pipefail
 
 # Download and install
 wget -nv "https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_amd64.tgz" -O /tmp/coredns.tgz
@@ -39,18 +39,21 @@ tee /etc/coredns/Corefile << EOF
 example.com {
     errors
     log
+    bind 127.53.53.53
     file /etc/coredns/db.example.com
 }
 
 test.example.com {
     errors
     log
+    bind 127.53.53.53
     forward . 127.0.0.1:${PEBBLECTS_DNS_PORT}
 }
 
 . {
     errors
     log
+    bind 127.53.53.53
     forward . 8.8.8.8
 }
 EOF

packages/core/acme-client/.github/scripts/tests-install-cts.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# Install Pebble Challenge Test Server for testing.
+#
+set -euo pipefail
+
+# Download and install
+wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLECTS_VERSION}/pebble-challtestsrv-linux-amd64.tar.gz" -O /tmp/pebble-challtestsrv.tar.gz
+tar zxvf /tmp/pebble-challtestsrv.tar.gz -C /tmp
+
+mv /tmp/pebble-challtestsrv-linux-amd64/linux/amd64/pebble-challtestsrv /usr/local/bin/pebble-challtestsrv
+chown root:root /usr/local/bin/pebble-challtestsrv
+chmod 0755 /usr/local/bin/pebble-challtestsrv
+
+exit 0

packages/core/acme-client/.github/scripts/tests-install-pebble.sh

@@ -2,14 +2,14 @@
 #
 # Install Pebble for testing.
 #
-set -eu
+set -euo pipefail
 
-config_name="pebble-config.json"
+CONFIG_NAME="pebble-config.json"
 
 # Use Pebble EAB config if enabled
 set +u
-if [[ ! -z $ACME_CAP_EAB_ENABLED ]] && [[ $ACME_CAP_EAB_ENABLED -eq 1 ]]; then
-    config_name="pebble-config-external-account-bindings.json"
+if [[ -n $ACME_CAP_EAB_ENABLED ]] && [[ $ACME_CAP_EAB_ENABLED -eq 1 ]]; then
+    CONFIG_NAME="pebble-config-external-account-bindings.json"
 fi
 set -u
 
@@ -19,15 +19,17 @@ mkdir -p /etc/pebble
 wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/certs/pebble.minica.pem" -O /etc/pebble/ca.cert.pem
 wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/certs/localhost/cert.pem" -O /etc/pebble/cert.pem
 wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/certs/localhost/key.pem" -O /etc/pebble/key.pem
-wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/config/${config_name}" -O /etc/pebble/pebble.json
+wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/config/${CONFIG_NAME}" -O /etc/pebble/pebble.json
 
 # Download and install Pebble
-wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLE_VERSION}/pebble_linux-amd64" -O /usr/local/bin/pebble
+wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLE_VERSION}/pebble-linux-amd64.tar.gz" -O /tmp/pebble.tar.gz
+tar zxvf /tmp/pebble.tar.gz -C /tmp
 
+mv /tmp/pebble-linux-amd64/linux/amd64/pebble /usr/local/bin/pebble
 chown root:root /usr/local/bin/pebble
 chmod 0755 /usr/local/bin/pebble
 
 # Config
-sed -i 's/test\/certs\/localhost/\/etc\/pebble/' /etc/pebble/pebble.json
+sed -i 's#test/certs/localhost#/etc/pebble#' /etc/pebble/pebble.json
 
 exit 0

packages/core/acme-client/.github/scripts/tests-wait-for-ca.sh

@@ -2,13 +2,13 @@
 #
 # Wait for ACME server to accept connections.
 #
-set -eu
+set -euo pipefail
 
 MAX_ATTEMPTS=15
 ATTEMPT=0
 
 # Loop until ready
-while ! $(curl --cacert "${ACME_CA_CERT_PATH}" -s -D - "${ACME_DIRECTORY_URL}" | grep '^HTTP.*200' > /dev/null 2>&1); do
+while ! curl --cacert "${ACME_CA_CERT_PATH}" -s -D - "${ACME_DIRECTORY_URL}" | grep '^HTTP.*200' > /dev/null 2>&1; do
     ATTEMPT=$((ATTEMPT + 1))
 
     # Max attempts

packages/core/acme-client/.github/workflows/tests.yml

@@ -0,0 +1,91 @@
+name: test
+on: [push, pull_request]
+
+jobs:
+  test:
+    name: node=${{matrix.node}} eab=${{matrix.eab}}
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node: [16, 18, 20]
+        eab: [0, 1]
+
+    #
+    # Environment
+    #
+
+    env:
+      FORCE_COLOR: 1
+      NPM_CONFIG_COLOR: always
+
+      PEBBLE_VERSION: 2.6.0
+      PEBBLE_ALTERNATE_ROOTS: 2
+      PEBBLECTS_VERSION: 2.6.0
+      PEBBLECTS_DNS_PORT: 8053
+      COREDNS_VERSION: 1.11.1
+
+      NODE_EXTRA_CA_CERTS: /etc/pebble/ca.cert.pem
+      ACME_CA_CERT_PATH: /etc/pebble/ca.cert.pem
+
+      ACME_DIRECTORY_URL: https://127.0.0.1:14000/dir
+      ACME_CHALLTESTSRV_URL: http://127.0.0.1:8055
+      ACME_PEBBLE_MANAGEMENT_URL: https://127.0.0.1:15000
+
+      ACME_DOMAIN_NAME: test.example.com
+      ACME_CAP_EAB_ENABLED: ${{matrix.eab}}
+
+      ACME_TLSALPN_PORT: 5001
+      ACME_HTTP_PORT: 5002
+      ACME_HTTPS_PORT: 5003
+
+    #
+    # Pipeline
+    #
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{matrix.node}}
+
+      # Pebble Challenge Test Server
+      - name: Install Pebble Challenge Test Server
+        run: sudo -E /bin/bash ./.github/scripts/tests-install-cts.sh
+
+      - name: Start Pebble Challenge Test Server
+        run: |-
+          nohup bash -c "pebble-challtestsrv \
+            -dns01 :${PEBBLECTS_DNS_PORT} \
+            -tlsalpn01 :${ACME_TLSALPN_PORT} \
+            -http01 :${ACME_HTTP_PORT} \
+            -https01 :${ACME_HTTPS_PORT} \
+            -defaultIPv4 127.0.0.1 \
+            -defaultIPv6 \"\" &"
+
+      # Pebble
+      - name: Install Pebble
+        run: sudo -E /bin/bash ./.github/scripts/tests-install-pebble.sh
+
+      - name: Start Pebble
+        run: nohup bash -c "pebble -strict -config /etc/pebble/pebble.json -dnsserver 127.53.53.53:53 &"
+
+      - name: Wait for Pebble
+        run: /bin/bash ./.github/scripts/tests-wait-for-ca.sh
+
+      # CoreDNS
+      - name: Install CoreDNS
+        run: sudo -E /bin/bash ./.github/scripts/tests-install-coredns.sh
+
+      - name: Start CoreDNS
+        run: nohup bash -c "sudo coredns -p 53 -conf /etc/coredns/Corefile &"
+
+      - name: Use CoreDNS for DNS resolution
+        run: echo "nameserver 127.53.53.53" | sudo tee /etc/resolv.conf
+
+      # Run tests
+      - run: npm i
+      - run: npm run lint
+      - run: npm run lint-types
+      - run: npm run build-docs
+      - run: npm run test

packages/core/acme-client/.gitignore

@@ -1,7 +1,6 @@
+.actrc
 .vscode/
 node_modules/
 npm-debug.log
-yarn-error.log
-yarn.lock
 package-lock.json
 /.idea/

packages/core/acme-client/.yarnrc

@@ -1,2 +0,0 @@
-ignore-engines true
-ignore-optional true

packages/core/acme-client/CHANGELOG.md

@@ -3,49 +3,233 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
-## [1.1.2](https://github.com/publishlab/node-acme-client/compare/v1.1.1...v1.1.2) (2023-07-03)
+# [1.26.0](https://github.com/publishlab/node-acme-client/compare/v1.25.9...v1.26.0) (2024-10-10)
+
+### Features
+
+* 域名验证方法支持CNAME间接方式，此方式支持所有域名注册商，且无需提供Access授权，但是需要手动添加cname解析 ([f3d3508](https://github.com/publishlab/node-acme-client/commit/f3d35084ed44f9f33845f7045e520be5c27eed93))
+
+## [1.25.9](https://github.com/publishlab/node-acme-client/compare/v1.25.8...v1.25.9) (2024-10-01)
 
 **Note:** Version bump only for package @certd/acme-client
 
-## [1.1.1](https://github.com/publishlab/node-acme-client/compare/v1.1.0...v1.1.1) (2023-06-28)
+## [1.25.8](https://github.com/publishlab/node-acme-client/compare/v1.25.7...v1.25.8) (2024-09-30)
 
 **Note:** Version bump only for package @certd/acme-client
 
-# [1.1.0](https://github.com/publishlab/node-acme-client/compare/v1.0.6...v1.1.0) (2023-06-28)
+## [1.25.7](https://github.com/publishlab/node-acme-client/compare/v1.25.6...v1.25.7) (2024-09-29)
 
 **Note:** Version bump only for package @certd/acme-client
 
-## [1.0.6](https://github.com/publishlab/node-acme-client/compare/v1.0.5...v1.0.6) (2023-05-25)
+## [1.25.6](https://github.com/publishlab/node-acme-client/compare/v1.25.5...v1.25.6) (2024-09-29)
+
+### Performance Improvements
+
+* 部署支持1Panel ([d047234](https://github.com/publishlab/node-acme-client/commit/d047234d98d31504f2e5a472b66e1b75806af26e))
+
+## [1.25.5](https://github.com/publishlab/node-acme-client/compare/v1.25.4...v1.25.5) (2024-09-26)
 
 **Note:** Version bump only for package @certd/acme-client
 
-## [1.0.5](https://github.com/publishlab/node-acme-client/compare/v1.0.4...v1.0.5) (2023-05-25)
+## [1.25.4](https://github.com/publishlab/node-acme-client/compare/v1.25.3...v1.25.4) (2024-09-25)
 
 **Note:** Version bump only for package @certd/acme-client
 
-## [1.0.4](https://github.com/publishlab/node-acme-client/compare/v1.0.3...v1.0.4) (2023-05-25)
+## [1.25.3](https://github.com/publishlab/node-acme-client/compare/v1.25.2...v1.25.3) (2024-09-24)
 
 **Note:** Version bump only for package @certd/acme-client
 
-## [1.0.3](https://github.com/publishlab/node-acme-client/compare/v1.0.2...v1.0.3) (2023-05-25)
+## [1.25.2](https://github.com/publishlab/node-acme-client/compare/v1.25.1...v1.25.2) (2024-09-24)
 
 **Note:** Version bump only for package @certd/acme-client
 
-## [1.0.2](https://github.com/publishlab/node-acme-client/compare/v1.0.1...v1.0.2) (2023-05-24)
+## [1.25.1](https://github.com/publishlab/node-acme-client/compare/v1.25.0...v1.25.1) (2024-09-24)
 
 **Note:** Version bump only for package @certd/acme-client
 
-## [1.0.1](https://github.com/publishlab/node-acme-client/compare/v1.0.0...v1.0.1) (2023-05-24)
+# [1.25.0](https://github.com/publishlab/node-acme-client/compare/v1.24.4...v1.25.0) (2024-09-24)
+
+### Performance Improvements
+
+* 证书支持旧版RSA，pkcs1 ([3d9c3ec](https://github.com/publishlab/node-acme-client/commit/3d9c3ecb3eb604b2458154f608bde0f01915d116))
+* 支持七牛云 ([8ecc2f9](https://github.com/publishlab/node-acme-client/commit/8ecc2f9446a9ebd11b9bfbffbb6cf7812a043495))
+
+## [1.24.4](https://github.com/publishlab/node-acme-client/compare/v1.24.3...v1.24.4) (2024-09-09)
 
 **Note:** Version bump only for package @certd/acme-client
 
+## [1.24.3](https://github.com/publishlab/node-acme-client/compare/v1.24.2...v1.24.3) (2024-09-06)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.24.2](https://github.com/publishlab/node-acme-client/compare/v1.24.1...v1.24.2) (2024-09-06)
+
+### Performance Improvements
+
+* 修复windows下无法执行第二条命令的bug ([d5bfcdb](https://github.com/publishlab/node-acme-client/commit/d5bfcdb6de1dcc1702155442e2e00237d0bbb6e5))
+
+## [1.24.1](https://github.com/publishlab/node-acme-client/compare/v1.24.0...v1.24.1) (2024-09-02)
+
+### Bug Fixes
+
+* 修复在没有勾选使用代理的情况下，仍然会使用代理的bug ([0f66794](https://github.com/publishlab/node-acme-client/commit/0f6679425f6a736bb0128527dd99c085fac17d84))
+
+### Performance Improvements
+
+* 部署插件支持宝塔、易盾云等 ([ee61709](https://github.com/publishlab/node-acme-client/commit/ee617095efa1171548cf52fd45f0f98a368555a3))
+* 授权配置支持加密 ([42a56b5](https://github.com/publishlab/node-acme-client/commit/42a56b581d754c3e5f9838179d19ab0d004ef2eb))
+
+# [1.24.0](https://github.com/publishlab/node-acme-client/compare/v1.23.1...v1.24.0) (2024-08-25)
+
+### Bug Fixes
+
+* 修复成功后跳过之后丢失腾讯云证书id的bug ([37eb762](https://github.com/publishlab/node-acme-client/commit/37eb762afe25c5896b75dee25f32809f8426e7b7))
+* 修复创建流水线后立即运行时报no id错误的bug ([17ead54](https://github.com/publishlab/node-acme-client/commit/17ead547aab25333603980304aa3aad3db1f73d5))
+* 修复使用代理的情况下申请证书失败的bug ([95122e2](https://github.com/publishlab/node-acme-client/commit/95122e28609333f4df55c266e5434897954c0fb3))
+
+### Features
+
+* 支持google证书申请（需要使用代理） ([a593056](https://github.com/publishlab/node-acme-client/commit/a593056e79e99dd6a74f75b5eab621af7248cfbe))
+
+### Performance Improvements
+
+* 优化证书申请成功率 ([968c469](https://github.com/publishlab/node-acme-client/commit/968c4690a07f69c08dcb3d3a494da4e319627345))
+
+## [1.22.6](https://github.com/publishlab/node-acme-client/compare/v1.22.5...v1.22.6) (2024-08-03)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.22.4](https://github.com/publishlab/node-acme-client/compare/v1.22.3...v1.22.4) (2024-07-26)
+
+### Performance Improvements
+
+* 证书申请支持反向代理，letsencrypt无法访问时的备用方案 ([b7b5df0](https://github.com/publishlab/node-acme-client/commit/b7b5df0587e0f7ea288c1b2af6f87211f207395f))
+
+## [1.22.3](https://github.com/publishlab/node-acme-client/compare/v1.22.2...v1.22.3) (2024-07-25)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.22.2](https://github.com/publishlab/node-acme-client/compare/v1.22.1...v1.22.2) (2024-07-23)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.22.1](https://github.com/publishlab/node-acme-client/compare/v1.22.0...v1.22.1) (2024-07-20)
+
+**Note:** Version bump only for package @certd/acme-client
+
+# [1.22.0](https://github.com/publishlab/node-acme-client/compare/v1.21.2...v1.22.0) (2024-07-19)
+
+### Features
+
+* 升级midway，支持esm ([485e603](https://github.com/publishlab/node-acme-client/commit/485e603b5165c28bc08694997726eaf2a585ebe7))
+
+## [1.21.2](https://github.com/publishlab/node-acme-client/compare/v1.21.1...v1.21.2) (2024-07-08)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.21.1](https://github.com/publishlab/node-acme-client/compare/v1.21.0...v1.21.1) (2024-07-08)
+
+**Note:** Version bump only for package @certd/acme-client
+
+# [1.21.0](https://github.com/publishlab/node-acme-client/compare/v1.20.17...v1.21.0) (2024-07-03)
+
+### Features
+
+* 支持zero ssl ([eade2c2](https://github.com/publishlab/node-acme-client/commit/eade2c2b681569f03e9cd466e7d5bcd6703ed492))
+
+## [1.20.17](https://github.com/publishlab/node-acme-client/compare/v1.20.16...v1.20.17) (2024-07-03)
+
+### Performance Improvements
+
+* 创建dns解析后，强制等待60s ([f47b35f](https://github.com/publishlab/node-acme-client/commit/f47b35f6d5bd7d675005c3e286b7e9a029201f8b))
+* 优化cname verify ([eba333d](https://github.com/publishlab/node-acme-client/commit/eba333de7a5b5ef4b0b7eaa904f578720102fa61))
+
+## [1.20.16](https://github.com/publishlab/node-acme-client/compare/v1.20.15...v1.20.16) (2024-07-01)
+
+### Bug Fixes
+
+* 修复配置了cdn cname后申请失败的bug ([4a5fa76](https://github.com/publishlab/node-acme-client/commit/4a5fa767edc347d03d29a467e86c9a4d70b0220c))
+
+## [1.20.15](https://github.com/publishlab/node-acme-client/compare/v1.20.14...v1.20.15) (2024-06-28)
+
+### Performance Improvements
+
+* 腾讯云dns provider 支持腾讯云的accessId ([e0eb3a4](https://github.com/publishlab/node-acme-client/commit/e0eb3a441384d474fe2923c69b25318264bdc9df))
+
+## [1.20.14](https://github.com/publishlab/node-acme-client/compare/v1.20.13...v1.20.14) (2024-06-23)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.20.13](https://github.com/publishlab/node-acme-client/compare/v1.20.12...v1.20.13) (2024-06-18)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.20.12](https://github.com/publishlab/node-acme-client/compare/v1.20.10...v1.20.12) (2024-06-17)
+
+### Bug Fixes
+
+* 修复aliyun域名超过100个找不到域名的bug ([5b1494b](https://github.com/publishlab/node-acme-client/commit/5b1494b3ce93d1026dc56ee741342fbb8bf7be24))
+
+### Performance Improvements
+
+* 支持cloudflare域名 ([fbb9a47](https://github.com/publishlab/node-acme-client/commit/fbb9a47e8f7bb805289b9ee64bd46ffee0f01c06))
+
+## [1.20.10](https://github.com/publishlab/node-acme-client/compare/v1.20.9...v1.20.10) (2024-05-30)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.20.9](https://github.com/publishlab/node-acme-client/compare/v1.20.8...v1.20.9) (2024-03-22)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.20.8](https://github.com/publishlab/node-acme-client/compare/v1.20.7...v1.20.8) (2024-03-22)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.20.7](https://github.com/publishlab/node-acme-client/compare/v1.20.6...v1.20.7) (2024-03-22)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.20.6](https://github.com/publishlab/node-acme-client/compare/v1.20.5...v1.20.6) (2024-03-21)
+
+**Note:** Version bump only for package @certd/acme-client
+
+## [1.20.5](https://github.com/publishlab/node-acme-client/compare/v1.20.2...v1.20.5) (2024-03-11)
+
+### Bug Fixes
+
+* 修复腾讯云cdn部署无法选择端点的bug ([154409b](https://github.com/publishlab/node-acme-client/commit/154409b1dfee3ea1caae740ad9c1f99a6e7a9814))
+
 # Changelog
 
-## Important upgrade notice
+## v5.4.0 (2024-07-16)
 
-On September 15, 2022, Let's Encrypt will stop accepting Certificate Signing Requests signed using the obsolete SHA-1 hash. This change affects all `acme-client` versions lower than `3.3.2` and `4.2.4`. Please upgrade ASAP to ensure that your certificates can still be issued following this date.
+* `added` Directory URLs for [Google](https://cloud.google.com/certificate-manager/docs/overview) ACME provider
+* `fixed` Invalidate ACME provider directory cache after 24 hours
+* `fixed` Retry HTTP requests on server errors or when rate limited - [#89](https://github.com/publishlab/node-acme-client/issues/89)
 
-A more detailed explanation can be found [at the Let's Encrypt forums](https://community.letsencrypt.org/t/rejecting-sha-1-csrs-and-validation-using-tls-1-0-1-1-urls/175144).
+## v5.3.1 (2024-05-22)
+
+* `fixed` Allow `client.auto()` being called with an empty CSR common name
+* `fixed` Bug when calling `updateAccountKey()` with external account binding
+
+## v5.3.0 (2024-02-05)
+
+* `added` Support and tests for satisfying `tls-alpn-01` challenges
+* `changed` Replace `jsrsasign` with `@peculiar/x509` for certificate and CSR handling
+* `changed` Method `getChallengeKeyAuthorization()` now returns `$token.$thumbprint` when called with a `tls-alpn-01` challenge
+    * Previously returned base64url encoded SHA256 digest of `$token.$thumbprint` erroneously
+    * This change is not considered breaking since the previous behavior was incorrect
+
+## v5.2.0 (2024-01-22)
+
+* `fixed` Allow self-signed or invalid certs when validating `http-01` challenges that redirect to HTTPS - [#65](https://github.com/publishlab/node-acme-client/issues/65)
+* `fixed` Wait for all challenge promises to settle before rejecting `client.auto()` - [#75](https://github.com/publishlab/node-acme-client/issues/75)
+
+## v5.1.0 (2024-01-20)
+
+* `fixed` Upgrade `jsrsasign@11.0.0` - [GHSA-rh63-9qcf-83gf](https://github.com/kjur/jsrsasign/security/advisories/GHSA-rh63-9qcf-83gf)
+* `fixed` Upgrade `axios@1.6.5` - [CVE-2023-45857](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-45857)
 
 ## v5.0.0 (2022-07-28)
 
@@ -61,7 +245,7 @@ A more detailed explanation can be found [at the Let's Encrypt forums](https://c
 * `fixed` Upgrade `axios@0.26.1`
 * `fixed` Upgrade `node-forge@1.3.0` - [CVE-2022-24771](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771), [CVE-2022-24772](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772), [CVE-2022-24773](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773)
 
-## 4.2.4 (2022-03-19)
+## v4.2.4 (2022-03-19)
 
 * `fixed` Use SHA-256 when signing CSRs
 
@@ -84,13 +268,13 @@ A more detailed explanation can be found [at the Let's Encrypt forums](https://c
 
 ## v4.2.0 (2022-01-06)
 
-* `added` Support for external account binding - [RFC 8555 Section 7.3.4](https://tools.ietf.org/html/rfc8555#section-7.3.4)
+* `added` Support for external account binding - [RFC 8555 Section 7.3.4](https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.4)
 * `added` Ability to pass through custom logger function
 * `changed` Increase default `backoffAttempts` to 10
 * `fixed` Deactivate authorizations where challenges can not be completed
 * `fixed` Attempt authoritative name servers when verifying `dns-01` challenges
 * `fixed` Error verbosity when failing to read ACME directory
-* `fixed` Correctly recognize `ready` and `processing` states - [RFC 8555 Section 7.1.6](https://tools.ietf.org/html/rfc8555#section-7.1.6)
+* `fixed` Correctly recognize `ready` and `processing` states - [RFC 8555 Section 7.1.6](https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.6)
 
 ## v4.1.4 (2021-12-23)
 
@@ -140,7 +324,7 @@ A more detailed explanation can be found [at the Let's Encrypt forums](https://c
 ## v3.3.0 (2019-12-19)
 
 * `added` TypeScript definitions
-* `fixed` Allow missing ACME directory meta field - [RFC 8555 Section 7.1.1](https://tools.ietf.org/html/rfc8555#section-7.1.1)
+* `fixed` Allow missing ACME directory meta field - [RFC 8555 Section 7.1.1](https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1)
 
 ## v3.2.1 (2019-11-14)
 
@@ -151,10 +335,10 @@ A more detailed explanation can be found [at the Let's Encrypt forums](https://c
 * `added` More extensive testing using [letsencrypt/pebble](https://github.com/letsencrypt/pebble)
 * `changed` When creating a CSR, `commonName` no longer defaults to `'localhost'`
     * This change is not considered breaking since `commonName: 'localhost'` will result in an error when ordering a certificate
-* `fixed` Retry signed API requests on `urn:ietf:params:acme:error:badNonce` - [RFC 8555 Section 6.5](https://tools.ietf.org/html/rfc8555#section-6.5)
+* `fixed` Retry signed API requests on `urn:ietf:params:acme:error:badNonce` - [RFC 8555 Section 6.5](https://datatracker.ietf.org/doc/html/rfc8555#section-6.5)
 * `fixed` Minor bugs related to `POST-as-GET` when calling `updateAccount()`
 * `fixed` Ensure subject common name is present in SAN when creating a CSR - [CAB v1.2.3 Section 9.2.2](https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf)
-* `fixed` Send empty JSON body when responding to challenges - [RFC 8555 Section 7.5.1](https://tools.ietf.org/html/rfc8555#section-7.5.1)
+* `fixed` Send empty JSON body when responding to challenges - [RFC 8555 Section 7.5.1](https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1)
 
 ## v2.3.1 (2019-08-26)
 
@@ -163,8 +347,8 @@ A more detailed explanation can be found [at the Let's Encrypt forums](https://c
 
 ## v3.1.0 (2019-08-21)
 
-* `added` UTF-8 support when generating a CSR subject using forge - [RFC 5280](https://tools.ietf.org/html/rfc5280)
-* `fixed` Implement `POST-as-GET` for all ACME API requests - [RFC 8555 Section 6.3](https://tools.ietf.org/html/rfc8555#section-6.3)
+* `added` UTF-8 support when generating a CSR subject using forge - [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280)
+* `fixed` Implement `POST-as-GET` for all ACME API requests - [RFC 8555 Section 6.3](https://datatracker.ietf.org/doc/html/rfc8555#section-6.3)
 
 ## v2.3.0 (2019-08-21)
 
@@ -201,7 +385,7 @@ A more detailed explanation can be found [at the Let's Encrypt forums](https://c
 
 ## v2.0.1 (2018-08-17)
 
-* `fixed` Key rollover in compliance with [draft-ietf-acme-13](https://tools.ietf.org/html/draft-ietf-acme-acme-13)
+* `fixed` Key rollover in compliance with [draft-ietf-acme-13](https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-13)
 
 ## v2.0.0 (2018-04-02)
 

packages/core/acme-client/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2017-2022 Publish Lab
+Copyright (c) 2017-2024 Labrador CMS AS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

packages/core/acme-client/README.md

@@ -1,32 +1,23 @@
-# acme-client [![CircleCI](https://circleci.com/gh/publishlab/node-acme-client.svg?style=svg)](https://circleci.com/gh/publishlab/node-acme-client)
+# acme-client [![test](https://github.com/publishlab/node-acme-client/actions/workflows/tests.yml/badge.svg)](https://github.com/publishlab/node-acme-client/actions/workflows/tests.yml)
 
 *A simple and unopinionated ACME client.*
 
 This module is written to handle communication with a Boulder/Let's Encrypt-style ACME API.
 
-* RFC 8555 - Automatic Certificate Management Environment (ACME): [https://tools.ietf.org/html/rfc8555](https://tools.ietf.org/html/rfc8555)
+* RFC 8555 - Automatic Certificate Management Environment (ACME): [https://datatracker.ietf.org/doc/html/rfc8555](https://datatracker.ietf.org/doc/html/rfc8555)
 * Boulder divergences from ACME: [https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md](https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md)
 
+## Compatibility
 
-## Important upgrade notice
+| acme-client | Node.js |                                           |
+| ----------- | ------- | ----------------------------------------- |
+| v5.x        | >= v16  | [Upgrade guide](docs/upgrade-v5.md)       |
+| v4.x        | >= v10  | [Changelog](CHANGELOG.md#v400-2020-05-29) |
+| v3.x        | >= v8   | [Changelog](CHANGELOG.md#v300-2019-07-13) |
+| v2.x        | >= v4   | [Changelog](CHANGELOG.md#v200-2018-04-02) |
+| v1.x        | >= v4   | [Changelog](CHANGELOG.md#v100-2017-10-20) |
 
-On September 15, 2022, Let's Encrypt will stop accepting Certificate Signing Requests signed using the obsolete SHA-1 hash. This change affects all `acme-client` versions lower than `3.3.2` and `4.2.4`. Please upgrade ASAP to ensure that your certificates can still be issued following this date.
-
-A more detailed explanation can be found [at the Let's Encrypt forums](https://community.letsencrypt.org/t/rejecting-sha-1-csrs-and-validation-using-tls-1-0-1-1-urls/175144).
-
-
-### Compatibility
-
-| acme-client   | Node.js   |                                           |
-| ------------- | --------- | ----------------------------------------- |
-| v5.x          | >= v16    | [Upgrade guide](docs/upgrade-v5.md)       |
-| v4.x          | >= v10    | [Changelog](CHANGELOG.md#v400-2020-05-29) |
-| v3.x          | >= v8     | [Changelog](CHANGELOG.md#v300-2019-07-13) |
-| v2.x          | >= v4     | [Changelog](CHANGELOG.md#v200-2018-04-02) |
-| v1.x          | >= v4     | [Changelog](CHANGELOG.md#v100-2017-10-20) |
-
-
-### Table of contents
+## Table of contents
 
 * [Installation](#installation)
 * [Usage](#usage)
@@ -43,14 +34,12 @@ A more detailed explanation can be found [at the Let's Encrypt forums](https://c
 * [Debugging](#debugging)
 * [License](#license)
 
-
 ## Installation
 
 ```bash
 $ npm install acme-client
 ```
 
-
 ## Usage
 
 ```js
@@ -60,27 +49,28 @@ const accountPrivateKey = '<PEM encoded private key>';
 
 const client = new acme.Client({
     directoryUrl: acme.directory.letsencrypt.staging,
-    accountKey: accountPrivateKey
+    accountKey: accountPrivateKey,
 });
 ```
 
-
 ### Directory URLs
 
 ```js
 acme.directory.buypass.staging;
 acme.directory.buypass.production;
 
+acme.directory.google.staging;
+acme.directory.google.production;
+
 acme.directory.letsencrypt.staging;
 acme.directory.letsencrypt.production;
 
 acme.directory.zerossl.production;
 ```
 
-
 ### External account binding
 
-To enable [external account binding](https://tools.ietf.org/html/rfc8555#section-7.3.4) when creating your ACME account, provide your KID and HMAC key to the client constructor.
+To enable [external account binding](https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.4) when creating your ACME account, provide your KID and HMAC key to the client constructor.
 
 ```js
 const client = new acme.Client({
@@ -88,12 +78,11 @@ const client = new acme.Client({
     accountKey: accountPrivateKey,
     externalAccountBinding: {
         kid: 'YOUR-EAB-KID',
-        hmacKey: 'YOUR-EAB-HMAC-KEY'
-    }
+        hmacKey: 'YOUR-EAB-HMAC-KEY',
+    },
 });
 ```
 
-
 ### Specifying the account URL
 
 During the ACME account creation process, the server will check the supplied account key and either create a new account if the key is unused, or return the existing ACME account bound to that key.
@@ -104,7 +93,7 @@ In some cases, for example with some EAB providers, this account creation step m
 const client = new acme.Client({
     directoryUrl: acme.directory.letsencrypt.staging,
     accountKey: accountPrivateKey,
-    accountUrl: 'https://acme-v02.api.letsencrypt.org/acme/acct/12345678'
+    accountUrl: 'https://acme-v02.api.letsencrypt.org/acme/acct/12345678',
 });
 ```
 
@@ -114,41 +103,37 @@ You can fetch the clients current account URL, either after creating an account
 const myAccountUrl = client.getAccountUrl();
 ```
 
-
 ## Cryptography
 
-For key pairs `acme-client` utilizes native Node.js cryptography APIs, supporting signing and generation of both RSA and ECDSA keys. The module [jsrsasign](https://www.npmjs.com/package/jsrsasign) is used to generate and parse Certificate Signing Requests.
+For key pairs `acme-client` utilizes native Node.js cryptography APIs, supporting signing and generation of both RSA and ECDSA keys. The module [@peculiar/x509](https://www.npmjs.com/package/@peculiar/x509) is used to generate and parse Certificate Signing Requests.
 
 These utility methods are exposed through `.crypto`.
 
-* __Documentation: [docs/crypto.md](docs/crypto.md)__
+* **Documentation: [docs/crypto.md](docs/crypto.md)**
 
 ```js
 const privateRsaKey = await acme.crypto.createPrivateRsaKey();
 const privateEcdsaKey = await acme.crypto.createPrivateEcdsaKey();
 
 const [certificateKey, certificateCsr] = await acme.crypto.createCsr({
-    commonName: '*.example.com',
-    altNames: ['example.com']
+    altNames: ['example.com', '*.example.com'],
 });
 ```
 
-
 ### Legacy `.forge` interface
 
 The legacy `node-forge` crypto interface is still available for backward compatibility, however this interface is now considered deprecated and will be removed in a future major version of `acme-client`.
 
 You should consider migrating to the new `.crypto` API at your earliest convenience. More details can be found in the [acme-client v5 upgrade guide](docs/upgrade-v5.md).
 
-* __Documentation: [docs/forge.md](docs/forge.md)__
-
+* **Documentation: [docs/forge.md](docs/forge.md)**
 
 ## Auto mode
 
 For convenience an `auto()` method is included in the client that takes a single config object. This method will handle the entire process of getting a certificate for one or multiple domains.
 
-* __Documentation: [docs/client.md#AcmeClient+auto](docs/client.md#AcmeClient+auto)__
-* __Full example: [examples/auto.js](examples/auto.js)__
+* **Documentation: [docs/client.md#AcmeClient+auto](docs/client.md#AcmeClient+auto)**
+* **Full example: [examples/auto.js](examples/auto.js)**
 
 ```js
 const autoOpts = {
@@ -156,29 +141,27 @@ const autoOpts = {
     email: 'test@example.com',
     termsOfServiceAgreed: true,
     challengeCreateFn: async (authz, challenge, keyAuthorization) => {},
-    challengeRemoveFn: async (authz, challenge, keyAuthorization) => {}
+    challengeRemoveFn: async (authz, challenge, keyAuthorization) => {},
 };
 
 const certificate = await client.auto(autoOpts);
 ```
 
-
 ### Challenge priority
 
 When ordering a certificate using auto mode, `acme-client` uses a priority list when selecting challenges to respond to. Its default value is `['http-01', 'dns-01']` which translates to "use `http-01` if any challenges exist, otherwise fall back to `dns-01`".
 
-While most challenges can be validated using the method of your choosing, please note that __wildcard certificates can only be validated through `dns-01`__. More information regarding Let's Encrypt challenge types [can be found here](https://letsencrypt.org/docs/challenge-types/).
+While most challenges can be validated using the method of your choosing, please note that **wildcard certificates can only be validated through `dns-01`**. More information regarding Let's Encrypt challenge types [can be found here](https://letsencrypt.org/docs/challenge-types/).
 
 To modify challenge priority, provide a list of challenge types in `challengePriority`:
 
 ```js
 await client.auto({
     ...,
-    challengePriority: ['http-01', 'dns-01']
+    challengePriority: ['http-01', 'dns-01'],
 });
 ```
 
-
 ### Internal challenge verification
 
 When using auto mode, `acme-client` will first validate that challenges are satisfied internally before completing the challenge at the ACME provider. In some cases (firewalls, etc) this internal challenge verification might not be possible to complete.
@@ -190,33 +173,31 @@ To completely disable `acme-client`s internal challenge verification, enable `sk
 ```js
 await client.auto({
     ...,
-    skipChallengeVerification: true
+    skipChallengeVerification: true,
 });
 ```
 
-
 ## API
 
 For more fine-grained control you can interact with the ACME API using the methods documented below.
 
-* __Documentation: [docs/client.md](docs/client.md)__
-* __Full example: [examples/api.js](examples/api.js)__
+* **Documentation: [docs/client.md](docs/client.md)**
+* **Full example: [examples/api.js](examples/api.js)**
 
 ```js
 const account = await client.createAccount({
     termsOfServiceAgreed: true,
-    contact: ['mailto:test@example.com']
+    contact: ['mailto:test@example.com'],
 });
 
 const order = await client.createOrder({
     identifiers: [
         { type: 'dns', value: 'example.com' },
-        { type: 'dns', value: '*.example.com' }
-    ]
+        { type: 'dns', value: '*.example.com' },
+    ],
 });
 ```
 
-
 ## HTTP client defaults
 
 This module uses [axios](https://github.com/axios/axios) when communicating with the ACME HTTP API, and exposes the client instance through `.axios`.
@@ -228,7 +209,7 @@ const acme = require('acme-client');
 
 acme.axios.defaults.proxy = {
     host: '127.0.0.1',
-    port: 9000
+    port: 9000,
 };
 ```
 
@@ -237,7 +218,6 @@ A complete list of axios options and documentation can be found at:
 * [https://github.com/axios/axios#request-config](https://github.com/axios/axios#request-config)
 * [https://github.com/axios/axios#custom-instance-defaults](https://github.com/axios/axios#custom-instance-defaults)
 
-
 ## Debugging
 
 To get a better grasp of what `acme-client` is doing behind the scenes, you can either pass it a logger function, or enable debugging through an environment variable.
@@ -256,7 +236,6 @@ Debugging to the console can also be enabled through [debug](https://www.npmjs.c
 DEBUG=acme-client node index.js
 ```
 
-
 ## License
 
 [MIT](LICENSE)

packages/core/acme-client/build.md

@@ -1 +1 @@
-09:16
+20:55

packages/core/acme-client/docs/client.md

@@ -63,7 +63,7 @@ Create ACME client instance
 ```js
 const client = new acme.Client({
     directoryUrl: acme.directory.letsencrypt.staging,
-    accountKey: 'Private key goes here'
+    accountKey: 'Private key goes here',
 });
 ```
 **Example**  
@@ -75,7 +75,7 @@ const client = new acme.Client({
     accountUrl: 'Optional account URL goes here',
     backoffAttempts: 10,
     backoffMin: 5000,
-    backoffMax: 30000
+    backoffMax: 30000,
 });
 ```
 **Example**  
@@ -86,8 +86,8 @@ const client = new acme.Client({
     accountKey: 'Private key goes here',
     externalAccountBinding: {
         kid: 'YOUR-EAB-KID',
-        hmacKey: 'YOUR-EAB-HMAC-KEY'
-    }
+        hmacKey: 'YOUR-EAB-HMAC-KEY',
+    },
 });
 ```
 <a name="AcmeClient+getTermsOfServiceUrl"></a>
@@ -132,7 +132,7 @@ catch (e) {
 ### acmeClient.createAccount([data]) ⇒ <code>Promise.&lt;object&gt;</code>
 Create a new account
 
-https://tools.ietf.org/html/rfc8555#section-7.3
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - Account  
@@ -145,7 +145,7 @@ https://tools.ietf.org/html/rfc8555#section-7.3
 Create a new account
 ```js
 const account = await client.createAccount({
-    termsOfServiceAgreed: true
+    termsOfServiceAgreed: true,
 });
 ```
 **Example**  
@@ -153,7 +153,7 @@ Create a new account with contact info
 ```js
 const account = await client.createAccount({
     termsOfServiceAgreed: true,
-    contact: ['mailto:test@example.com']
+    contact: ['mailto:test@example.com'],
 });
 ```
 <a name="AcmeClient+updateAccount"></a>
@@ -161,7 +161,7 @@ const account = await client.createAccount({
 ### acmeClient.updateAccount([data]) ⇒ <code>Promise.&lt;object&gt;</code>
 Update existing account
 
-https://tools.ietf.org/html/rfc8555#section-7.3.2
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - Account  
@@ -174,7 +174,7 @@ https://tools.ietf.org/html/rfc8555#section-7.3.2
 Update existing account
 ```js
 const account = await client.updateAccount({
-    contact: ['mailto:foo@example.com']
+    contact: ['mailto:foo@example.com'],
 });
 ```
 <a name="AcmeClient+updateAccountKey"></a>
@@ -182,7 +182,7 @@ const account = await client.updateAccount({
 ### acmeClient.updateAccountKey(newAccountKey, [data]) ⇒ <code>Promise.&lt;object&gt;</code>
 Update account private key
 
-https://tools.ietf.org/html/rfc8555#section-7.3.5
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.5
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - Account  
@@ -203,7 +203,7 @@ const result = await client.updateAccountKey(newAccountKey);
 ### acmeClient.createOrder(data) ⇒ <code>Promise.&lt;object&gt;</code>
 Create a new order
 
-https://tools.ietf.org/html/rfc8555#section-7.4
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - Order  
@@ -218,8 +218,8 @@ Create a new order
 const order = await client.createOrder({
     identifiers: [
         { type: 'dns', value: 'example.com' },
-        { type: 'dns', value: 'test.example.com' }
-    ]
+        { type: 'dns', value: 'test.example.com' },
+    ],
 });
 ```
 <a name="AcmeClient+getOrder"></a>
@@ -227,7 +227,7 @@ const order = await client.createOrder({
 ### acmeClient.getOrder(order) ⇒ <code>Promise.&lt;object&gt;</code>
 Refresh order object from CA
 
-https://tools.ietf.org/html/rfc8555#section-7.4
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - Order  
@@ -246,7 +246,7 @@ const result = await client.getOrder(order);
 ### acmeClient.finalizeOrder(order, csr) ⇒ <code>Promise.&lt;object&gt;</code>
 Finalize order
 
-https://tools.ietf.org/html/rfc8555#section-7.4
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - Order  
@@ -268,7 +268,7 @@ const result = await client.finalizeOrder(order, csr);
 ### acmeClient.getAuthorizations(order) ⇒ <code>Promise.&lt;Array.&lt;object&gt;&gt;</code>
 Get identifier authorizations from order
 
-https://tools.ietf.org/html/rfc8555#section-7.5
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.5
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;Array.&lt;object&gt;&gt;</code> - Authorizations  
@@ -292,7 +292,7 @@ authorizations.forEach((authz) => {
 ### acmeClient.deactivateAuthorization(authz) ⇒ <code>Promise.&lt;object&gt;</code>
 Deactivate identifier authorization
 
-https://tools.ietf.org/html/rfc8555#section-7.5.2
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.2
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - Authorization  
@@ -312,7 +312,7 @@ const result = await client.deactivateAuthorization(authz);
 ### acmeClient.getChallengeKeyAuthorization(challenge) ⇒ <code>Promise.&lt;string&gt;</code>
 Get key authorization for ACME challenge
 
-https://tools.ietf.org/html/rfc8555#section-8.1
+https://datatracker.ietf.org/doc/html/rfc8555#section-8.1
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;string&gt;</code> - Key authorization  
@@ -353,7 +353,7 @@ await client.verifyChallenge(authz, challenge);
 ### acmeClient.completeChallenge(challenge) ⇒ <code>Promise.&lt;object&gt;</code>
 Notify CA that challenge has been completed
 
-https://tools.ietf.org/html/rfc8555#section-7.5.1
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - Challenge  
@@ -373,7 +373,7 @@ const result = await client.completeChallenge(challenge);
 ### acmeClient.waitForValidStatus(item) ⇒ <code>Promise.&lt;object&gt;</code>
 Wait for ACME provider to verify status on a order, authorization or challenge
 
-https://tools.ietf.org/html/rfc8555#section-7.5.1
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - Valid order, authorization or challenge  
@@ -389,7 +389,7 @@ const challenge = { ... };
 await client.waitForValidStatus(challenge);
 ```
 **Example**  
-Wait for valid authoriation status
+Wait for valid authorization status
 ```js
 const authz = { ... };
 await client.waitForValidStatus(authz);
@@ -405,7 +405,7 @@ await client.waitForValidStatus(order);
 ### acmeClient.getCertificate(order, [preferredChain]) ⇒ <code>Promise.&lt;string&gt;</code>
 Get certificate from ACME order
 
-https://tools.ietf.org/html/rfc8555#section-7.4.2
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 **Returns**: <code>Promise.&lt;string&gt;</code> - Certificate  
@@ -432,7 +432,7 @@ const certificate = await client.getCertificate(order, 'DST Root CA X3');
 ### acmeClient.revokeCertificate(cert, [data]) ⇒ <code>Promise</code>
 Revoke certificate
 
-https://tools.ietf.org/html/rfc8555#section-7.6
+https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
 
 **Kind**: instance method of [<code>AcmeClient</code>](#AcmeClient)  
 
@@ -452,7 +452,7 @@ Revoke certificate with reason
 ```js
 const certificate = { ... }; // Previously created certificate
 const result = await client.revokeCertificate(certificate, {
-    reason: 4
+    reason: 4,
 });
 ```
 <a name="AcmeClient+auto"></a>
@@ -479,7 +479,7 @@ Auto mode
 Order a certificate using auto mode
 ```js
 const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
-    commonName: 'test.example.com'
+    altNames: ['test.example.com'],
 });
 
 const certificate = await client.auto({
@@ -491,14 +491,14 @@ const certificate = await client.auto({
     },
     challengeRemoveFn: async (authz, challenge, keyAuthorization) => {
         // Clean up challenge here
-    }
+    },
 });
 ```
 **Example**  
 Order a certificate using auto mode with preferred chain
 ```js
 const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
-    commonName: 'test.example.com'
+    altNames: ['test.example.com'],
 });
 
 const certificate = await client.auto({
@@ -507,7 +507,7 @@ const certificate = await client.auto({
     termsOfServiceAgreed: true,
     preferredChain: 'DST Root CA X3',
     challengeCreateFn: async () => {},
-    challengeRemoveFn: async () => {}
+    challengeRemoveFn: async () => {},
 });
 ```
 <a name="Client"></a>

packages/core/acme-client/docs/crypto.md

@@ -25,7 +25,7 @@
 <dd><p>Get a JSON Web Key derived from a RSA or ECDSA key</p>
 <p><a href="https://datatracker.ietf.org/doc/html/rfc7517">https://datatracker.ietf.org/doc/html/rfc7517</a></p>
 </dd>
-<dt><a href="#splitPemChain">splitPemChain(chainPem)</a> ⇒ <code>array</code></dt>
+<dt><a href="#splitPemChain">splitPemChain(chainPem)</a> ⇒ <code>Array.&lt;string&gt;</code></dt>
 <dd><p>Split chain of PEM encoded objects from string into array</p>
 </dd>
 <dt><a href="#getPemBodyAsB64u">getPemBodyAsB64u(pem)</a> ⇒ <code>string</code></dt>
@@ -42,6 +42,13 @@ If multiple certificates are chained, the first will be read</p>
 <dt><a href="#createCsr">createCsr(data, [keyPem])</a> ⇒ <code>Promise.&lt;Array.&lt;buffer&gt;&gt;</code></dt>
 <dd><p>Create a Certificate Signing Request</p>
 </dd>
+<dt><a href="#createAlpnCertificate">createAlpnCertificate(authz, keyAuthorization, [keyPem])</a> ⇒ <code>Promise.&lt;Array.&lt;buffer&gt;&gt;</code></dt>
+<dd><p>Create a self-signed ALPN certificate for TLS-ALPN-01 challenges</p>
+<p><a href="https://datatracker.ietf.org/doc/html/rfc8737">https://datatracker.ietf.org/doc/html/rfc8737</a></p>
+</dd>
+<dt><a href="#isAlpnCertificateAuthorizationValid">isAlpnCertificateAuthorizationValid(certPem, keyAuthorization)</a> ⇒ <code>boolean</code></dt>
+<dd><p>Validate that a ALPN certificate contains the expected key authorization</p>
+</dd>
 </dl>
 
 <a name="crypto"></a>
@@ -138,11 +145,11 @@ const jwk = acme.crypto.getJwk(privateKey);
 ```
 <a name="splitPemChain"></a>
 
-## splitPemChain(chainPem) ⇒ <code>array</code>
+## splitPemChain(chainPem) ⇒ <code>Array.&lt;string&gt;</code>
 Split chain of PEM encoded objects from string into array
 
 **Kind**: global function  
-**Returns**: <code>array</code> - Array of PEM objects including headers  
+**Returns**: <code>Array.&lt;string&gt;</code> - Array of PEM objects including headers  
 
 | Param | Type | Description |
 | --- | --- | --- |
@@ -219,42 +226,43 @@ Create a Certificate Signing Request
 | data | <code>object</code> |  |
 | [data.keySize] | <code>number</code> | Size of newly created RSA private key modulus in bits, default: `2048` |
 | [data.commonName] | <code>string</code> | FQDN of your server |
-| [data.altNames] | <code>array</code> | SAN (Subject Alternative Names), default: `[]` |
+| [data.altNames] | <code>Array.&lt;string&gt;</code> | SAN (Subject Alternative Names), default: `[]` |
 | [data.country] | <code>string</code> | 2 letter country code |
 | [data.state] | <code>string</code> | State or province |
 | [data.locality] | <code>string</code> | City |
 | [data.organization] | <code>string</code> | Organization name |
 | [data.organizationUnit] | <code>string</code> | Organizational unit name |
 | [data.emailAddress] | <code>string</code> | Email address |
-| [keyPem] | <code>string</code> | PEM encoded CSR private key |
+| [keyPem] | <code>buffer</code> \| <code>string</code> | PEM encoded CSR private key |
 
 **Example**  
 Create a Certificate Signing Request
 ```js
 const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
-    commonName: 'test.example.com'
+    altNames: ['test.example.com'],
 });
 ```
 **Example**  
 Certificate Signing Request with both common and alternative names
+> *Warning*: Certificate subject common name has been [deprecated](https://letsencrypt.org/docs/glossary/#def-CN) and its use is [discouraged](https://cabforum.org/uploads/BRv1.2.3.pdf).
 ```js
 const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
     keySize: 4096,
     commonName: 'test.example.com',
-    altNames: ['foo.example.com', 'bar.example.com']
+    altNames: ['foo.example.com', 'bar.example.com'],
 });
 ```
 **Example**  
 Certificate Signing Request with additional information
 ```js
 const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
-    commonName: 'test.example.com',
+    altNames: ['test.example.com'],
     country: 'US',
     state: 'California',
     locality: 'Los Angeles',
     organization: 'The Company Inc.',
     organizationUnit: 'IT Department',
-    emailAddress: 'contact@example.com'
+    emailAddress: 'contact@example.com',
 });
 ```
 **Example**  
@@ -263,5 +271,46 @@ Certificate Signing Request with ECDSA private key
 const certificateKey = await acme.crypto.createPrivateEcdsaKey();
 
 const [, certificateRequest] = await acme.crypto.createCsr({
-    commonName: 'test.example.com'
+    altNames: ['test.example.com'],
 }, certificateKey);
+```
+<a name="createAlpnCertificate"></a>
+
+## createAlpnCertificate(authz, keyAuthorization, [keyPem]) ⇒ <code>Promise.&lt;Array.&lt;buffer&gt;&gt;</code>
+Create a self-signed ALPN certificate for TLS-ALPN-01 challenges
+
+https://datatracker.ietf.org/doc/html/rfc8737
+
+**Kind**: global function  
+**Returns**: <code>Promise.&lt;Array.&lt;buffer&gt;&gt;</code> - [privateKey, certificate]  
+
+| Param | Type | Description |
+| --- | --- | --- |
+| authz | <code>object</code> | Identifier authorization |
+| keyAuthorization | <code>string</code> | Challenge key authorization |
+| [keyPem] | <code>buffer</code> \| <code>string</code> | PEM encoded CSR private key |
+
+**Example**  
+Create a ALPN certificate
+```js
+const [alpnKey, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization);
+```
+**Example**  
+Create a ALPN certificate with ECDSA private key
+```js
+const alpnKey = await acme.crypto.createPrivateEcdsaKey();
+const [, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization, alpnKey);
+```
+<a name="isAlpnCertificateAuthorizationValid"></a>
+
+## isAlpnCertificateAuthorizationValid(certPem, keyAuthorization) ⇒ <code>boolean</code>
+Validate that a ALPN certificate contains the expected key authorization
+
+**Kind**: global function  
+**Returns**: <code>boolean</code> - True when valid  
+
+| Param | Type | Description |
+| --- | --- | --- |
+| certPem | <code>buffer</code> \| <code>string</code> | PEM encoded certificate |
+| keyAuthorization | <code>string</code> | Expected challenge key authorization |
+

packages/core/acme-client/docs/forge.md

@@ -209,7 +209,7 @@ Create a Certificate Signing Request
 | data | <code>object</code> |  |
 | [data.keySize] | <code>number</code> | Size of newly created private key, default: `2048` |
 | [data.commonName] | <code>string</code> |  |
-| [data.altNames] | <code>array</code> | default: `[]` |
+| [data.altNames] | <code>Array.&lt;string&gt;</code> | default: `[]` |
 | [data.country] | <code>string</code> |  |
 | [data.state] | <code>string</code> |  |
 | [data.locality] | <code>string</code> |  |
@@ -222,29 +222,30 @@ Create a Certificate Signing Request
 Create a Certificate Signing Request
 ```js
 const [certificateKey, certificateRequest] = await acme.forge.createCsr({
-    commonName: 'test.example.com'
+    altNames: ['test.example.com'],
 });
 ```
 **Example**  
 Certificate Signing Request with both common and alternative names
+> *Warning*: Certificate subject common name has been [deprecated](https://letsencrypt.org/docs/glossary/#def-CN) and its use is [discouraged](https://cabforum.org/uploads/BRv1.2.3.pdf).
 ```js
 const [certificateKey, certificateRequest] = await acme.forge.createCsr({
     keySize: 4096,
     commonName: 'test.example.com',
-    altNames: ['foo.example.com', 'bar.example.com']
+    altNames: ['foo.example.com', 'bar.example.com'],
 });
 ```
 **Example**  
 Certificate Signing Request with additional information
 ```js
 const [certificateKey, certificateRequest] = await acme.forge.createCsr({
-    commonName: 'test.example.com',
+    altNames: ['test.example.com'],
     country: 'US',
     state: 'California',
     locality: 'Los Angeles',
     organization: 'The Company Inc.',
     organizationUnit: 'IT Department',
-    emailAddress: 'contact@example.com'
+    emailAddress: 'contact@example.com',
 });
 ```
 **Example**  
@@ -253,5 +254,5 @@ Certificate Signing Request with predefined private key
 const certificateKey = await acme.forge.createPrivateKey();
 
 const [, certificateRequest] = await acme.forge.createCsr({
-    commonName: 'test.example.com'
+    altNames: ['test.example.com'],
 }, certificateKey);

packages/core/acme-client/docs/upgrade-v5.md

@@ -4,10 +4,9 @@ This document outlines the breaking changes introduced in v5 of `acme-client`, w
 
 First off this release drops support for Node LTS v10, v12 and v14, and the reason for that is a new native crypto interface - more on that below. Since Node v14 is still currently in maintenance mode, `acme-client` v4 will continue to receive security updates and bugfixes until (at least) Node v14 reaches its end-of-line.
 
-
 ## New native crypto interface
 
-A new crypto interface has been introduced with v5, which you can find under `acme.crypto`. It uses native Node.js cryptography APIs to generate private keys, JSON Web Keys and signatures, and finally enables support for ECC/ECDSA (P-256, P384 and P521), both for account private keys and certificates. The [jsrsasign](https://www.npmjs.com/package/jsrsasign) module is used to handle generation and parsing of Certificate Signing Requests.
+A new crypto interface has been introduced with v5, which you can find under `acme.crypto`. It uses native Node.js cryptography APIs to generate private keys, JSON Web Keys and signatures, and finally enables support for ECC/ECDSA (P-256, P384 and P521), both for account private keys and certificates. The [@peculiar/x509](https://www.npmjs.com/package/@peculiar/x509) module is used to handle generation and parsing of Certificate Signing Requests.
 
 Full documentation of `acme.crypto` can be [found here](crypto.md).
 
@@ -17,9 +16,9 @@ Below you will find a table summarizing the current `acme.forge` methods, and th
 
 *Note: The now deprecated `acme.forge` interface is still available for use in v5, and will not be removed until a future major version, most likely v6. Should you not wish to change to the new interface right away, the following breaking changes will not immediately affect you.*
 
-- :green_circle: = API functionality unchanged between `acme.forge` and `acme.crypto`
-- :orange_circle: = Slight API changes, like depromising or renaming, action may be required
-- :red_circle: = Breaking API changes or removal, action required if using these methods
+* :green_circle: = API functionality unchanged between `acme.forge` and `acme.crypto`
+* :orange_circle: = Slight API changes, like depromising or renaming, action may be required
+* :red_circle: = Breaking API changes or removal, action required if using these methods
 
 | Deprecated `.forge` API       | New `.crypto` API             | State                 |
 | ----------------------------- | ----------------------------- | --------------------- |
@@ -33,7 +32,6 @@ Below you will find a table summarizing the current `acme.forge` methods, and th
 | `await readCertificateInfo()` | `readCertificateInfo()`       | :orange_circle:   (4) |
 | `await createCsr()`           | `await createCsr()`           | :green_circle:        |
 
-
 ### 1. `createPublicKey` renamed and depromised
 
 * The method `createPublicKey()` has been renamed to `getPublicKey()`
@@ -49,7 +47,6 @@ const publicKey = await acme.forge.createPublicKey(privateKey);
 const publicKey = acme.crypto.getPublicKey(privateKey);
 ```
 
-
 ### 2. `getPemBody` renamed, now returns Base64URL
 
 * Method `getPemBody()` has been renamed to `getPemBodyAsB64u()`
@@ -64,7 +61,6 @@ const body = acme.forge.getPemBody(pem);
 const body = acme.crypto.getPemBodyAsB64u(pem);
 ```
 
-
 ### 3. `getModulus` and `getPublicExponent` merged into `getJwk`
 
 * Methods `getModulus()` and `getPublicExponent()` have been removed
@@ -80,7 +76,6 @@ const exp = await acme.forge.getPublicExponent(key);
 const { e, n } = acme.crypto.getJwk(key);
 ```
 
-
 ### 4. `readCsrDomains` and `readCertificateInfo` depromised
 
 * Methods `readCsrDomains()` and `readCertificateInfo()` no longer return promises, but their resulting payloads directly

packages/core/acme-client/examples/README.md

@@ -0,0 +1,19 @@
+# Disclaimer
+
+These examples should not be used as is for any production environment, as they are just proof of concepts meant for testing and to get you started. The examples are naively written and purposefully avoids important topics since they will be specific to your application and how you choose to use `acme-client`, like for example:
+
+1. **Concurrency control**
+    * If implementing on-demand certificate generation
+    * What happens when multiple requests hit your domain at the same time?
+    * Ensure your application does not place multiple cert orders for the same domain at the same time by implementing some sort of exclusive lock
+2. **Domain allow lists**
+    * If implementing on-demand certificate generation
+    * What happens when someone manipulates the `ServerName` or `Host` header to your service?
+    * Ensure your application is unable to place certificate orders for domains you do not intend, as this can quickly rate limit your account and cause a DoS
+3. **Clustering**
+    * If using `acme-client` across a cluster of servers
+    * Ensure challenge responses are known to all servers in your cluster, perhaps using a database or shared storage
+4. **Certificate and key storage**
+    * Where and how should the account key be stored and read?
+    * Where and how should certificates and cert keys be stored and read?
+    * How and when should they be renewed?

packages/core/acme-client/examples/api.js

@@ -4,12 +4,10 @@
 
 const acme = require('./../');
 
-
 function log(m) {
     process.stdout.write(`${m}\n`);
 }
 
-
 /**
  * Function used to satisfy an ACME challenge
  *
@@ -26,7 +24,6 @@ async function challengeCreateFn(authz, challenge, keyAuthorization) {
     log(keyAuthorization);
 }
 
-
 /**
  * Function used to remove an ACME challenge response
  *
@@ -42,30 +39,29 @@ async function challengeRemoveFn(authz, challenge, keyAuthorization) {
     log(keyAuthorization);
 }
 
-
 /**
  * Main
  */
 
-module.exports = async function() {
+module.exports = async () => {
     /* Init client */
     const client = new acme.Client({
         directoryUrl: acme.directory.letsencrypt.staging,
-        accountKey: await acme.crypto.createPrivateKey()
+        accountKey: await acme.crypto.createPrivateKey(),
     });
 
     /* Register account */
     await client.createAccount({
         termsOfServiceAgreed: true,
-        contact: ['mailto:test@example.com']
+        contact: ['mailto:test@example.com'],
     });
 
     /* Place new order */
     const order = await client.createOrder({
         identifiers: [
             { type: 'dns', value: 'example.com' },
-            { type: 'dns', value: '*.example.com' }
-        ]
+            { type: 'dns', value: '*.example.com' },
+        ],
     });
 
     /**
@@ -139,8 +135,7 @@ module.exports = async function() {
 
     /* Finalize order */
     const [key, csr] = await acme.crypto.createCsr({
-        commonName: '*.example.com',
-        altNames: ['example.com']
+        altNames: ['example.com', '*.example.com'],
     });
 
     const finalized = await client.finalizeOrder(order, csr);

packages/core/acme-client/examples/auto.js

@@ -5,12 +5,10 @@
 // const fs = require('fs').promises;
 const acme = require('./../');
 
-
 function log(m) {
     process.stdout.write(`${m}\n`);
 }
 
-
 /**
  * Function used to satisfy an ACME challenge
  *
@@ -48,7 +46,6 @@ async function challengeCreateFn(authz, challenge, keyAuthorization) {
     }
 }
 
-
 /**
  * Function used to remove an ACME challenge response
  *
@@ -81,25 +78,24 @@ async function challengeRemoveFn(authz, challenge, keyAuthorization) {
 
         /* Replace this */
         log(`Would remove TXT record "${dnsRecord}" with value "${recordValue}"`);
-        // await dnsProvider.removeRecord(dnsRecord, 'TXT');
+        // await dnsProvider.removeRecord(dnsRecord, 'TXT', recordValue);
     }
 }
 
-
 /**
  * Main
  */
 
-module.exports = async function() {
+module.exports = async () => {
     /* Init client */
     const client = new acme.Client({
         directoryUrl: acme.directory.letsencrypt.staging,
-        accountKey: await acme.crypto.createPrivateKey()
+        accountKey: await acme.crypto.createPrivateKey(),
     });
 
     /* Create CSR */
     const [key, csr] = await acme.crypto.createCsr({
-        commonName: 'example.com'
+        altNames: ['example.com'],
     });
 
     /* Certificate */
@@ -108,7 +104,7 @@ module.exports = async function() {
         email: 'test@example.com',
         termsOfServiceAgreed: true,
         challengeCreateFn,
-        challengeRemoveFn
+        challengeRemoveFn,
     });
 
     /* Done */

packages/core/acme-client/examples/dns-01/README.md

@@ -0,0 +1,21 @@
+# dns-01
+
+The greatest benefit of `dns-01` is that it is the only challenge type that can be used to issue ACME wildcard certificates, however it also has a few downsides. Your DNS provider needs to offer some sort of API you can use to automate adding and removing the required `TXT` DNS records. Additionally, solving DNS challenges will be much slower than the other challenge types because of DNS propagation delays.
+
+## How it works
+
+When solving `dns-01` challenges, you prove ownership of a domain by serving a specific payload within a specific DNS `TXT` record from the domains authoritative nameservers. The ACME authority provides the client with a token that, along with a thumbprint of your account key, is used to generate a `base64url` encoded `SHA256` digest. This payload is then placed as a `TXT` record under DNS name `_acme-challenge.$YOUR_DOMAIN`.
+
+Once the order is finalized, the ACME authority will lookup your domains DNS record to verify that the payload is correct. `CNAME` and `NS` records are followed, should you wish to delegate challenge response to another DNS zone or record.
+
+## Pros and cons
+
+* Only challenge type that can be used to issue wildcard certificates
+* Your DNS provider needs to supply an API that can be used
+* DNS propagation time may be slow
+* Useful in instances where both port 80 and 443 are unavailable
+
+## External links
+
+* [https://letsencrypt.org/docs/challenge-types/#dns-01-challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge)
+* [https://datatracker.ietf.org/doc/html/rfc8555#section-8.4](https://datatracker.ietf.org/doc/html/rfc8555#section-8.4)

packages/core/acme-client/examples/dns-01/dns-01.js

@@ -0,0 +1,88 @@
+/**
+ * Example using dns-01 challenge to generate certificates
+ *
+ * NOTE: This example is incomplete as the DNS challenge response implementation
+ * will be specific to your DNS providers API.
+ *
+ * NOTE: This example does not order certificates on-demand, as solving dns-01
+ * will likely be too slow for it to make sense. Instead, it orders a wildcard
+ * certificate on init before starting the HTTPS server as a demonstration.
+ */
+
+const https = require('https');
+const acme = require('./../../');
+
+const HTTPS_SERVER_PORT = 443;
+const WILDCARD_DOMAIN = 'example.com';
+
+function log(m) {
+    process.stdout.write(`${(new Date()).toISOString()} ${m}\n`);
+}
+
+/**
+ * Main
+ */
+
+(async () => {
+    try {
+        /**
+         * Initialize ACME client
+         */
+
+        log('Initializing ACME client');
+        const client = new acme.Client({
+            directoryUrl: acme.directory.letsencrypt.staging,
+            accountKey: await acme.crypto.createPrivateKey(),
+        });
+
+        /**
+         * Order wildcard certificate
+         */
+
+        log(`Creating CSR for ${WILDCARD_DOMAIN}`);
+        const [key, csr] = await acme.crypto.createCsr({
+            altNames: [WILDCARD_DOMAIN, `*.${WILDCARD_DOMAIN}`],
+        });
+
+        log(`Ordering certificate for ${WILDCARD_DOMAIN}`);
+        const cert = await client.auto({
+            csr,
+            email: 'test@example.com',
+            termsOfServiceAgreed: true,
+            challengePriority: ['dns-01'],
+            challengeCreateFn: (authz, challenge, keyAuthorization) => {
+                /* TODO: Implement this */
+                log(`[TODO] Add TXT record key=_acme-challenge.${authz.identifier.value} value=${keyAuthorization}`);
+            },
+            challengeRemoveFn: (authz, challenge, keyAuthorization) => {
+                /* TODO: Implement this */
+                log(`[TODO] Remove TXT record key=_acme-challenge.${authz.identifier.value} value=${keyAuthorization}`);
+            },
+        });
+
+        log(`Certificate for ${WILDCARD_DOMAIN} created successfully`);
+
+        /**
+         * HTTPS server
+         */
+
+        const requestListener = (req, res) => {
+            log(`HTTP 200 ${req.headers.host}${req.url}`);
+            res.writeHead(200);
+            res.end('Hello world\n');
+        };
+
+        const httpsServer = https.createServer({
+            key,
+            cert,
+        }, requestListener);
+
+        httpsServer.listen(HTTPS_SERVER_PORT, () => {
+            log(`HTTPS server listening on port ${HTTPS_SERVER_PORT}`);
+        });
+    }
+    catch (e) {
+        log(`[FATAL] ${e.message}`);
+        process.exit(1);
+    }
+})();

packages/core/acme-client/examples/fallback.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUGwI6ZLE3HN7oRZ9BvWLde0Tsu7EwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIyMDgwMTAwNTMzMVoXDTIyMDgz
+MTAwNTMzMVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA4c7zSiY6OEp9xYZHY42FUfOLREm03NstZhd9IxFFePwe
+CTTirJjmi5teKQwzBmEok0SJkanJUaMsMlOHjEykWSc4SBO4QjD349Q60044i9WS
+7KHzeSqpWTG+V9jF3HOJPw843VG9hXy3ulXKcysTXzumTVQwfatCODBNkpWqMju2
+N33biLgmpqwLbDSfKXS3uSVTfoHAKGT/oRepko7/0Hwr5oEmjXEbpRWRhU09KYjH
+7jokRaiQRn0h216a0r4AKzSNGihNQtKJZIuwJvLFPMQYafsu9qBaCLPqDBXCwQWG
+aYh6Cm3kTkADKzG1LVPB/7/Uh2d4Fck/ejR9qXRK3QIDAQABo1MwUTAdBgNVHQ4E
+FgQUvyceAVDMPbW7wHwNF9px5dWfgd4wHwYDVR0jBBgwFoAUvyceAVDMPbW7wHwN
+F9px5dWfgd4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAaYkz
+AOHrRirPwfkwjb+uMliGHfANrmak8r5VDQA73RLTQLRhMpf1yrb1uhH7p/CUYKap
+x1C8RGQAXujoQbQOslyZA7cVLA9ASSZS6Noq7NerfGBiqxeuye+x3lIIk1EOL/rH
+aBu9rrYGmlU49PlGAQSfFHkwzXti2Mp1VQv8eMOBLR49ezZIXHiPE8S3gjNymZ0G
+UA13wzZCT7SG1BLmQ/cBVASG2wvhlC8IG/4vF0Xe+boSOb1vGWUtHS+MnvvRK4n5
+TMUtrnxSQ/LA8AtobvzqgvQVKBSPLK6RzLE7I+Q9pWsbKTBqfyStuQrQFqafBOqN
+eYfPUgiID9uvfrxLvA==
+-----END CERTIFICATE-----

packages/core/acme-client/examples/fallback.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhzvNKJjo4Sn3F
+hkdjjYVR84tESbTc2y1mF30jEUV4/B4JNOKsmOaLm14pDDMGYSiTRImRqclRoywy
+U4eMTKRZJzhIE7hCMPfj1DrTTjiL1ZLsofN5KqlZMb5X2MXcc4k/DzjdUb2FfLe6
+VcpzKxNfO6ZNVDB9q0I4ME2SlaoyO7Y3fduIuCamrAtsNJ8pdLe5JVN+gcAoZP+h
+F6mSjv/QfCvmgSaNcRulFZGFTT0piMfuOiRFqJBGfSHbXprSvgArNI0aKE1C0olk
+i7Am8sU8xBhp+y72oFoIs+oMFcLBBYZpiHoKbeROQAMrMbUtU8H/v9SHZ3gVyT96
+NH2pdErdAgMBAAECggEBAImI0FxQblOM45AkmmTDdPmWWjPspNGEWeF92wU55tOq
+0+yNnqa7tmg/6JkdyhJPqTQRoazr+ifUN/4rLDtDDzMSFVCpWihOxR2qTW4YjY52
+NjgU6EPbvSwLhUDiUplUcbrL3bnHqKSecxV2XYnKKdFudntRFPvmDL5GhWkL6Y8P
+9KiQaYuPf4av8PR0NlWBMiZs+CBjLlnSTMAWRYj5mRSyFSEOMT7+Lvr3TqrO2/nh
+0H30LXxrXXXuCbQXnVy3oSNf7TrathT2ADIrUUTdRHsLscvkEA35VtFQtWdJLtEg
+sso1J7viV9YDU4niPSdHPj3ubBjAExej4qCOzatsIQ0CgYEA8L5S3ojy89g7q6vB
+QuusIrjGkyM1yebDWqhEnjvlMpfrU1hCS90BM1ozZ28bjz/7PBimKL+A8BO+W0m4
+2s9YbZP5aGwo18Iq86XEdtDgWtQ3NXbYkb8F8LNtyevC/UlAI/xyIRr7hDYlr/1v
+jJg16DXiNLyk+uj4Q3EuwzNl8n8CgYEA8B5UUkOiufPtm+ZOq9AlBpIa+NYaahZM
+h52jzMTKsFB18xsZU/ufvpKvXEu1sTeCDRo3JAHmiA6AG292Zc7W+uWRtMtlmQWE
+wnoZ6hKvEkFnArLCY6Nm5Qqm1wipLwDVO3dD/CDL86siHrXK4wU7Q+bp6xbt8lDi
+itz5F7p7HKMCgYAoj8iimexlTU9wczXSsqaECyHZ9JrBc9ICWkuFZY4OYi5SEpLI
++WmUX2Q9zyiTkDIiQ/zq7KkqygjOlLNCmqDJhZ8GCwMupxZZitp5MmQ6qXrL1URT
++h1kGrcqyEBIMKlP5t7L2SH7eqwK5OaAh7y9bSa5v/cEF3CM3GsGlIhevQKBgBGU
+RtwW84zlnNmzDMNrY6qNe8gH9LsbktLC6cEOD0DFQz1fGIWbgGB1YL1DFbQ5uh23
+c54BPZ1sYlif2m0trXOE5xvzYCbJzqRmSAto/sQ5YY9DAxREXD4cf4ZyreAxEWtf
+Ge0VgZj/SGozKP1h3qrj9vAtJ5J79XnxH5NrJaQ9AoGBAM2rQrt8H2kizg4wMGRZ
+0G3709W7xxlbPdm+i/jFVDayJswCr0+eMm4gGyyZL3135D0fcijxytKgg3/OpOJF
+jC9vsHsE2K1ATp6eYvYjrhqJHI1m44aq/h46SfajytZQjwMT/jaApULDP2/fCBm5
+6eS2WCyHyrYJyrgoYQF56nsT
+-----END PRIVATE KEY-----

packages/core/acme-client/examples/http-01/README.md

@@ -0,0 +1,21 @@
+# http-01
+
+The `http-01` challenge type is the simplest to implement and should likely be your default choice, unless you either require wildcard certificates or if port 80 is unavailable for use.
+
+## How it works
+
+When solving `http-01` challenges, you prove ownership of a domain name by serving a specific payload from a specific URL. The ACME authority provides the client with a token that is used to generate the URL and file contents. The file must exist at `http://$YOUR_DOMAIN/.well-known/acme-challenge/$TOKEN` and contain the token and a thumbprint of your account key.
+
+Once the order is finalized, the ACME authority will verify that the URL responds with the correct payload by sending HTTP requests before the challenge is valid. HTTP redirects are followed, and Let's Encrypt allows redirecting to HTTPS although this diverges from the ACME spec.
+
+## Pros and cons
+
+* Challenge must be satisfied using port 80 (HTTP)
+* The simplest challenge type to implement
+* Can not be used to issue wildcard certificates
+* If using multiple web servers, all of them need to respond with the correct token
+
+## External links
+
+* [https://letsencrypt.org/docs/challenge-types/#http-01-challenge](https://letsencrypt.org/docs/challenge-types/#http-01-challenge)
+* [https://datatracker.ietf.org/doc/html/rfc8555#section-8.3](https://datatracker.ietf.org/doc/html/rfc8555#section-8.3)

packages/core/acme-client/examples/http-01/http-01.js

@@ -0,0 +1,168 @@
+/**
+ * Example using http-01 challenge to generate certificates on-demand
+ */
+
+const fs = require('fs');
+const path = require('path');
+const http = require('http');
+const https = require('https');
+const tls = require('tls');
+const acme = require('./../../');
+
+const HTTP_SERVER_PORT = 80;
+const HTTPS_SERVER_PORT = 443;
+const VALID_DOMAINS = ['example.com', 'example.org'];
+const FALLBACK_KEY = fs.readFileSync(path.join(__dirname, '..', 'fallback.key'));
+const FALLBACK_CERT = fs.readFileSync(path.join(__dirname, '..', 'fallback.crt'));
+
+const pendingDomains = {};
+const challengeResponses = {};
+const certificateStore = {};
+
+function log(m) {
+    process.stdout.write(`${(new Date()).toISOString()} ${m}\n`);
+}
+
+/**
+ * On-demand certificate generation using http-01
+ */
+
+async function getCertOnDemand(client, servername, attempt = 0) {
+    /* Invalid domain */
+    if (!VALID_DOMAINS.includes(servername)) {
+        throw new Error(`Invalid domain: ${servername}`);
+    }
+
+    /* Certificate exists */
+    if (servername in certificateStore) {
+        return certificateStore[servername];
+    }
+
+    /* Waiting on certificate order to go through */
+    if (servername in pendingDomains) {
+        if (attempt >= 10) {
+            throw new Error(`Gave up waiting on certificate for ${servername}`);
+        }
+
+        await new Promise((resolve) => { setTimeout(resolve, 1000); });
+        return getCertOnDemand(client, servername, (attempt + 1));
+    }
+
+    /* Create CSR */
+    log(`Creating CSR for ${servername}`);
+    const [key, csr] = await acme.crypto.createCsr({
+        altNames: [servername],
+    });
+
+    /* Order certificate */
+    log(`Ordering certificate for ${servername}`);
+    const cert = await client.auto({
+        csr,
+        email: 'test@example.com',
+        termsOfServiceAgreed: true,
+        challengePriority: ['http-01'],
+        challengeCreateFn: (authz, challenge, keyAuthorization) => {
+            challengeResponses[challenge.token] = keyAuthorization;
+        },
+        challengeRemoveFn: (authz, challenge) => {
+            delete challengeResponses[challenge.token];
+        },
+    });
+
+    /* Done, store certificate */
+    log(`Certificate for ${servername} created successfully`);
+    certificateStore[servername] = [key, cert];
+    delete pendingDomains[servername];
+    return certificateStore[servername];
+}
+
+/**
+ * Main
+ */
+
+(async () => {
+    try {
+        /**
+         * Initialize ACME client
+         */
+
+        log('Initializing ACME client');
+        const client = new acme.Client({
+            directoryUrl: acme.directory.letsencrypt.staging,
+            accountKey: await acme.crypto.createPrivateKey(),
+        });
+
+        /**
+         * HTTP server
+         */
+
+        const httpServer = http.createServer((req, res) => {
+            if (req.url.match(/\/\.well-known\/acme-challenge\/.+/)) {
+                const token = req.url.split('/').pop();
+                log(`Received challenge request for token=${token}`);
+
+                /* ACME challenge response */
+                if (token in challengeResponses) {
+                    log(`Serving challenge response HTTP 200 token=${token}`);
+                    res.writeHead(200);
+                    res.end(challengeResponses[token]);
+                    return;
+                }
+
+                /* Challenge response not found */
+                log(`Oops, challenge response not found for token=${token}`);
+                res.writeHead(404);
+                res.end();
+                return;
+            }
+
+            /* HTTP 302 redirect */
+            log(`HTTP 302 ${req.headers.host}${req.url}`);
+            res.writeHead(302, { Location: `https://${req.headers.host}${req.url}` });
+            res.end();
+        });
+
+        httpServer.listen(HTTP_SERVER_PORT, () => {
+            log(`HTTP server listening on port ${HTTP_SERVER_PORT}`);
+        });
+
+        /**
+         * HTTPS server
+         */
+
+        const requestListener = (req, res) => {
+            log(`HTTP 200 ${req.headers.host}${req.url}`);
+            res.writeHead(200);
+            res.end('Hello world\n');
+        };
+
+        const httpsServer = https.createServer({
+            /* Fallback certificate */
+            key: FALLBACK_KEY,
+            cert: FALLBACK_CERT,
+
+            /* Serve certificate based on servername */
+            SNICallback: async (servername, cb) => {
+                try {
+                    log(`Handling SNI request for ${servername}`);
+                    const [key, cert] = await getCertOnDemand(client, servername);
+
+                    log(`Found certificate for ${servername}, serving secure context`);
+                    cb(null, tls.createSecureContext({ key, cert }));
+                }
+                catch (e) {
+                    log(`[ERROR] ${e.message}`);
+                    cb(e.message);
+                }
+            },
+        }, requestListener);
+
+        httpsServer.listen(HTTPS_SERVER_PORT, () => {
+            log(`HTTPS server listening on port ${HTTPS_SERVER_PORT}`);
+        });
+    }
+    catch (e) {
+        log(`[FATAL] ${e.message}`);
+        process.exit(1);
+    }
+})();

packages/core/acme-client/examples/tls-alpn-01/README.md

@@ -0,0 +1,44 @@
+# tls-alpn-01
+
+Responding to `tls-alpn-01` challenges using Node.js is a bit more involved than the other two challenge types, and requires a proxy (f.ex. [Nginx](https://nginx.org) or [HAProxy](https://www.haproxy.org)) in front of the Node.js service. The reason for this is that `tls-alpn-01` is solved by responding to the ACME challenge using self-signed certificates with an ALPN extension containing the challenge response.
+
+Since we don't want users of our application to be served with these self-signed certificates, we need to split the HTTPS traffic into two different Node.js backends - one that only serves ALPN certificates for challenge responses, and the other for actual end-user traffic that serves certificates retrieved from the ACME provider. As far as I *(library author)* know, routing HTTPS traffic based on ALPN protocol can not be done purely using Node.js.
+
+The end result should look something like this:
+
+```text
+Nginx or HAProxy (0.0.0.0:443)
+    *inspect requests SSL ALPN protocol*
+        If ALPN == acme-tls/1
+            -> Node.js ALPN responder (127.0.0.1:4444)
+        Else
+            -> Node.js HTTPS server (127.0.0.1:4443)
+```
+
+Example proxy configuration:
+
+* [haproxy.cfg](haproxy.cfg) *(requires HAProxy >= v1.9.1)*
+* [nginx.conf](nginx.conf) *(requires [ngx_stream_ssl_preread_module](https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html))*
+
+Big thanks to [acme.sh](https://github.com/acmesh-official/acme.sh) and [dehydrated](https://github.com/dehydrated-io/dehydrated) for doing the legwork and providing Nginx and HAProxy config examples.
+
+## How it works
+
+When solving `tls-alpn-01` challenges, you prove ownership of a domain name by serving a specially crafted certificate over HTTPS. The ACME authority provides the client with a token that is placed into the certificates `id-pe-acmeIdentifier` extension along with a thumbprint of your account key.
+
+Once the order is finalized, the ACME authority will verify by sending HTTPS requests to your domain with the `acme-tls/1` ALPN protocol, indicating to the server that it should serve the challenge response certificate. If the `id-pe-acmeIdentifier` extension contains the correct payload, the challenge is valid.
+
+## Pros and cons
+
+* Challenge must be satisfied using port 443 (HTTPS)
+* Useful in instances where port 80 is unavailable
+* Can not be used to issue wildcard certificates
+* More complex than `http-01`, can not be solved purely using Node.js
+* If using multiple web servers, all of them need to respond with the correct certificate
+
+## External links
+
+* [https://letsencrypt.org/docs/challenge-types/#tls-alpn-01](https://letsencrypt.org/docs/challenge-types/#tls-alpn-01)
+* [https://github.com/dehydrated-io/dehydrated/blob/master/docs/tls-alpn.md](https://github.com/dehydrated-io/dehydrated/blob/master/docs/tls-alpn.md)
+* [https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime](https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime)
+* [https://datatracker.ietf.org/doc/html/rfc8737](https://datatracker.ietf.org/doc/html/rfc8737)

packages/core/acme-client/examples/tls-alpn-01/haproxy.cfg

@@ -0,0 +1,23 @@
+##
+# HTTPS listener
+# - Send to ALPN responder port 4444 if protocol is acme-tls/1
+# - Default to HTTPS backend port 4443
+##
+
+frontend https
+  mode tcp
+  bind :443
+  tcp-request inspect-delay 5s
+  tcp-request content accept if { req_ssl_hello_type 1 }
+  use_backend alpnresp if { req.ssl_alpn acme-tls/1 }
+  default_backend https
+
+# Default HTTPS backend
+backend https
+  mode tcp
+  server https 127.0.0.1:4443
+
+# ACME tls-alpn-01 responder backend
+backend alpnresp
+  mode tcp
+  server acmesh 127.0.0.1:4444

packages/core/acme-client/examples/tls-alpn-01/nginx.conf

@@ -0,0 +1,19 @@
+##
+# HTTPS server
+# - Send to ALPN responder port 4444 if protocol is acme-tls/1
+# - Default to HTTPS backend port 4443
+##
+
+stream {
+  map $ssl_preread_alpn_protocols $tls_port {
+    ~\bacme-tls/1\b 4444;
+    default 4443;
+  }
+
+  server {
+    listen 443;
+    listen [::]:443;
+    proxy_pass 127.0.0.1:$tls_port;
+    ssl_preread on;
+  }
+}

packages/core/acme-client/examples/tls-alpn-01/tls-alpn-01.js

@@ -0,0 +1,176 @@
+/**
+ * Example using tls-alpn-01 challenge to generate certificates on-demand
+ */
+
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+const tls = require('tls');
+const acme = require('./../../');
+
+const HTTPS_SERVER_PORT = 4443;
+const ALPN_RESPONDER_PORT = 4444;
+const VALID_DOMAINS = ['example.com', 'example.org'];
+const FALLBACK_KEY = fs.readFileSync(path.join(__dirname, '..', 'fallback.key'));
+const FALLBACK_CERT = fs.readFileSync(path.join(__dirname, '..', 'fallback.crt'));
+
+const pendingDomains = {};
+const alpnResponses = {};
+const certificateStore = {};
+
+function log(m) {
+    process.stdout.write(`${(new Date()).toISOString()} ${m}\n`);
+}
+
+/**
+ * On-demand certificate generation using tls-alpn-01
+ */
+
+async function getCertOnDemand(client, servername, attempt = 0) {
+    /* Invalid domain */
+    if (!VALID_DOMAINS.includes(servername)) {
+        throw new Error(`Invalid domain: ${servername}`);
+    }
+
+    /* Certificate exists */
+    if (servername in certificateStore) {
+        return certificateStore[servername];
+    }
+
+    /* Waiting on certificate order to go through */
+    if (servername in pendingDomains) {
+        if (attempt >= 10) {
+            throw new Error(`Gave up waiting on certificate for ${servername}`);
+        }
+
+        await new Promise((resolve) => { setTimeout(resolve, 1000); });
+        return getCertOnDemand(client, servername, (attempt + 1));
+    }
+
+    /* Create CSR */
+    log(`Creating CSR for ${servername}`);
+    const [key, csr] = await acme.crypto.createCsr({
+        altNames: [servername],
+    });
+
+    /* Order certificate */
+    log(`Ordering certificate for ${servername}`);
+    const cert = await client.auto({
+        csr,
+        email: 'test@example.com',
+        termsOfServiceAgreed: true,
+        challengePriority: ['tls-alpn-01'],
+        challengeCreateFn: async (authz, challenge, keyAuthorization) => {
+            alpnResponses[authz.identifier.value] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization);
+        },
+        challengeRemoveFn: (authz) => {
+            delete alpnResponses[authz.identifier.value];
+        },
+    });
+
+    /* Done, store certificate */
+    log(`Certificate for ${servername} created successfully`);
+    certificateStore[servername] = [key, cert];
+    delete pendingDomains[servername];
+    return certificateStore[servername];
+}
+
+/**
+ * Main
+ */
+
+(async () => {
+    try {
+        /**
+         * Initialize ACME client
+         */
+
+        log('Initializing ACME client');
+        const client = new acme.Client({
+            directoryUrl: acme.directory.letsencrypt.staging,
+            accountKey: await acme.crypto.createPrivateKey(),
+        });
+
+        /**
+         * ALPN responder
+         */
+
+        const alpnResponder = https.createServer({
+            /* Fallback cert */
+            key: FALLBACK_KEY,
+            cert: FALLBACK_CERT,
+
+            /* Allow acme-tls/1 ALPN protocol */
+            ALPNProtocols: ['acme-tls/1'],
+
+            /* Serve ALPN certificate based on servername */
+            SNICallback: async (servername, cb) => {
+                try {
+                    log(`Handling ALPN SNI request for ${servername}`);
+                    if (!Object.keys(alpnResponses).includes(servername)) {
+                        throw new Error(`No ALPN certificate found for ${servername}`);
+                    }
+
+                    /* Serve ALPN challenge response */
+                    log(`Found ALPN certificate for ${servername}, serving secure context`);
+                    cb(null, tls.createSecureContext({
+                        key: alpnResponses[servername][0],
+                        cert: alpnResponses[servername][1],
+                    }));
+                }
+                catch (e) {
+                    log(`[ERROR] ${e.message}`);
+                    cb(e.message);
+                }
+            },
+        });
+
+        /* Terminate once TLS handshake has been established */
+        alpnResponder.on('secureConnection', (socket) => {
+            socket.end();
+        });
+
+        alpnResponder.listen(ALPN_RESPONDER_PORT, () => {
+            log(`ALPN responder listening on port ${ALPN_RESPONDER_PORT}`);
+        });
+
+        /**
+         * HTTPS server
+         */
+
+        const requestListener = (req, res) => {
+            log(`HTTP 200 ${req.headers.host}${req.url}`);
+            res.writeHead(200);
+            res.end('Hello world\n');
+        };
+
+        const httpsServer = https.createServer({
+            /* Fallback cert */
+            key: FALLBACK_KEY,
+            cert: FALLBACK_CERT,
+
+            /* Serve certificate based on servername */
+            SNICallback: async (servername, cb) => {
+                try {
+                    log(`Handling SNI request for ${servername}`);
+                    const [key, cert] = await getCertOnDemand(client, servername);
+
+                    log(`Found certificate for ${servername}, serving secure context`);
+                    cb(null, tls.createSecureContext({ key, cert }));
+                }
+                catch (e) {
+                    log(`[ERROR] ${e.message}`);
+                    cb(e.message);
+                }
+            },
+        }, requestListener);
+
+        httpsServer.listen(HTTPS_SERVER_PORT, () => {
+            log(`HTTPS server listening on port ${HTTPS_SERVER_PORT}`);
+        });
+    }
+    catch (e) {
+        log(`[FATAL] ${e.message}`);
+        process.exit(1);
+    }
+})();

packages/core/acme-client/package.json

@@ -3,45 +3,46 @@
     "description": "Simple and unopinionated ACME client",
     "private": false,
     "author": "nmorsman",
-    "version": "1.1.2",
+    "version": "1.26.0",
     "main": "src/index.js",
-    "types": "types",
+    "types": "types/index.d.ts",
     "license": "MIT",
     "homepage": "https://github.com/publishlab/node-acme-client",
     "engines": {
-        "node": ">= 16"
+        "node": ">= 18"
     },
     "files": [
         "src",
         "types"
     ],
     "dependencies": {
-        "axios": "0.27.2",
-        "debug": "^4.1.1",
-        "jsrsasign": "^10.5.26",
+        "@peculiar/x509": "^1.11.0",
+        "asn1js": "^3.0.5",
+        "axios": "^1.7.2",
+        "debug": "^4.3.5",
+        "https-proxy-agent": "^7.0.5",
         "node-forge": "^1.3.1"
     },
     "devDependencies": {
-        "@types/node": "^18.6.1",
-        "chai": "^4.3.6",
-        "chai-as-promised": "^7.1.1",
-        "dtslint": "^4.2.1",
-        "eslint": "^8.11.0",
+        "@types/node": "^20.14.10",
+        "chai": "^4.4.1",
+        "chai-as-promised": "^7.1.2",
+        "eslint": "^8.57.0",
         "eslint-config-airbnb-base": "^15.0.0",
-        "eslint-plugin-import": "^2.25.4",
-        "jsdoc-to-markdown": "^7.1.1",
-        "mocha": "^10.0.0",
-        "nock": "^13.2.4",
-        "typescript": "^4.8.4",
+        "eslint-plugin-import": "^2.29.1",
+        "jsdoc-to-markdown": "^8.0.1",
+        "mocha": "^10.6.0",
+        "nock": "^13.5.4",
+        "tsd": "^0.31.1",
+        "typescript": "^5.4.2",
         "uuid": "^8.3.2"
     },
     "scripts": {
         "build-docs": "jsdoc2md src/client.js > docs/client.md && jsdoc2md src/crypto/index.js > docs/crypto.md && jsdoc2md src/crypto/forge.js > docs/forge.md",
         "lint": "eslint .",
-        "lint-types": "dtslint types",
+        "lint-types": "tsd",
         "prepublishOnly": "npm run build-docs",
-        "test": "mocha -t 60000 \"test/setup.js\" \"test/**/*.spec.js\"",
-        "test-local": "/bin/bash scripts/run-tests.sh"
+        "test": "mocha -t 60000 \"test/setup.js\" \"test/**/*.spec.js\""
     },
     "repository": {
         "type": "git",
@@ -58,5 +59,5 @@
     "bugs": {
         "url": "https://github.com/publishlab/node-acme-client/issues"
     },
-    "gitHead": "5950e1cae7cf30ebfc5128c15c7d1b0d101cbbb8"
+    "gitHead": "afa8155fda10f9a32427b351454b460897295a2c"
 }

packages/core/acme-client/scripts/run-tests.sh

@@ -1,56 +0,0 @@
-#!/bin/bash
-#
-# Run test suite locally using CircleCI CLI.
-#
-set -eu
-
-JOBS=("$@")
-
-CIRCLECI_CLI_URL="https://github.com/CircleCI-Public/circleci-cli/releases/download/v0.1.16947/circleci-cli_0.1.16947_linux_amd64.tar.gz"
-CIRCLECI_CLI_SHASUM="c6f9a3276445c69ae40439acfed07e2c53502216a96bfacc4556e1d862d1019a"
-CIRCLECI_CLI_PATH="/tmp/circleci-cli"
-CIRCLECI_CLI_BIN="${CIRCLECI_CLI_PATH}/circleci"
-
-PROJECT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && cd .. && pwd )"
-CONFIG_PATH="${PROJECT_DIR}/.circleci/.temp.yml"
-
-# Run all jobs by default
-if [[ ${#JOBS[@]} -eq 0 ]]; then
-    JOBS=(
-        "v16"
-        "v18"
-        "eab-v16"
-        "eab-v18"
-    )
-fi
-
-# Download CircleCI CLI
-if [[ ! -f "${CIRCLECI_CLI_BIN}" ]]; then
-    echo "[-] Downloading CircleCI cli"
-    mkdir -p "${CIRCLECI_CLI_PATH}"
-    wget -nv "${CIRCLECI_CLI_URL}" -O "${CIRCLECI_CLI_PATH}/circleci-cli.tar.gz"
-    echo "${CIRCLECI_CLI_SHASUM} *${CIRCLECI_CLI_PATH}/circleci-cli.tar.gz" | sha256sum -c
-    tar zxvf "${CIRCLECI_CLI_PATH}/circleci-cli.tar.gz" -C "${CIRCLECI_CLI_PATH}" --strip-components=1
-fi
-
-# Skip CircleCI update checks
-export CIRCLECI_CLI_SKIP_UPDATE_CHECK="true"
-
-# Run test suite
-echo "[-] Running test suite"
-$CIRCLECI_CLI_BIN config process "${PROJECT_DIR}/.circleci/config.yml" > "${CONFIG_PATH}"
-$CIRCLECI_CLI_BIN config validate -c "${CONFIG_PATH}"
-
-for job in "${JOBS[@]}"; do
-    echo "[-] Running job: ${job}"
-    $CIRCLECI_CLI_BIN local execute -c "${CONFIG_PATH}" --job "${job}" --skip-checkout
-    echo "[+] ${job} completed successfully"
-done
-
-# Clean up
-if [[ -f "${CONFIG_PATH}" ]]; then
-    rm "${CONFIG_PATH}"
-fi
-
-echo "[+] Test suite ran successfully!"
-exit 0

packages/core/acme-client/scripts/test-suite-install-cts.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-#
-# Install Pebble Challenge Test Server for testing.
-#
-set -eu
-
-# Download and install
-wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLECTS_VERSION}/pebble-challtestsrv_linux-amd64" -O /usr/local/bin/pebble-challtestsrv
-
-chown root:root /usr/local/bin/pebble-challtestsrv
-chmod 0755 /usr/local/bin/pebble-challtestsrv
-
-exit 0

packages/core/acme-client/scripts/test-suite-install-step.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-#
-# Install and init step-ca for testing.
-#
-set -eu
-
-# Download and install
-wget -nv "https://dl.step.sm/gh-release/certificates/gh-release-header/v${STEPCA_VERSION}/step-ca_${STEPCA_VERSION}_amd64.deb" -O /tmp/step-ca.deb
-wget -nv "https://dl.step.sm/gh-release/cli/gh-release-header/v${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb" -O /tmp/step-cli.deb
-
-sudo dpkg -i /tmp/step-ca.deb
-sudo dpkg -i /tmp/step-cli.deb
-
-# Initialize
-echo "hunter2" > /tmp/password
-
-step ca init --name="Example Inc." --dns="localhost" --address="127.0.0.1:8443" --provisioner="test@example.com" --password-file="/tmp/password"
-step ca provisioner add acme --type ACME
-
-exit 0

packages/core/acme-client/src/api.js

@@ -3,7 +3,7 @@
  */
 
 const util = require('./util');
-
+const { log } = require('./logger');
 
 /**
  * AcmeApi
@@ -18,6 +18,20 @@ class AcmeApi {
         this.accountUrl = accountUrl;
     }
 
+    getLocationFromHeader(resp) {
+        let locationUrl = resp.headers.location;
+        const mapping = this.http.urlMapping;
+        if (mapping.mappings) {
+            // eslint-disable-next-line guard-for-in,no-restricted-syntax
+            for (const key in mapping.mappings) {
+                const url = mapping.mappings[key];
+                if (locationUrl.indexOf(url) > -1) {
+                    locationUrl = locationUrl.replace(url, key);
+                }
+            }
+        }
+        return locationUrl;
+    }
 
     /**
      * Get account URL
@@ -34,14 +48,13 @@ class AcmeApi {
         return this.accountUrl;
     }
 
-
     /**
      * ACME API request
      *
      * @private
      * @param {string} url Request URL
      * @param {object} [payload] Request payload, default: `null`
-     * @param {array} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
+     * @param {number[]} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
      * @param {object} [opts]
      * @param {boolean} [opts.includeJwsKid] Include KID instead of JWK in JWS header, default: `true`
      * @param {boolean} [opts.includeExternalAccountBinding] Include EAB in request, default: `false`
@@ -59,14 +72,13 @@ class AcmeApi {
         return resp;
     }
 
-
     /**
      * ACME API request by resource name helper
      *
      * @private
      * @param {string} resource Request resource name
      * @param {object} [payload] Request payload, default: `null`
-     * @param {array} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
+     * @param {number[]} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
      * @param {object} [opts]
      * @param {boolean} [opts.includeJwsKid] Include KID instead of JWK in JWS header, default: `true`
      * @param {boolean} [opts.includeExternalAccountBinding] Include EAB in request, default: `false`
@@ -78,11 +90,10 @@ class AcmeApi {
         return this.apiRequest(resourceUrl, payload, validStatusCodes, { includeJwsKid, includeExternalAccountBinding });
     }
 
-
     /**
      * Get Terms of Service URL if available
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.1.1
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
      *
      * @returns {Promise<string|null>} ToS URL
      */
@@ -91,11 +102,10 @@ class AcmeApi {
         return this.http.getMetaField('termsOfService');
     }
 
-
     /**
      * Create new account
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.3
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
      *
      * @param {object} data Request payload
      * @returns {Promise<object>} HTTP response
@@ -104,22 +114,21 @@ class AcmeApi {
     async createAccount(data) {
         const resp = await this.apiResourceRequest('newAccount', data, [200, 201], {
             includeJwsKid: false,
-            includeExternalAccountBinding: (data.onlyReturnExisting !== true)
+            includeExternalAccountBinding: (data.onlyReturnExisting !== true),
         });
 
         /* Set account URL */
         if (resp.headers.location) {
-            this.accountUrl = resp.headers.location;
+            this.accountUrl = this.getLocationFromHeader(resp);
         }
 
         return resp;
     }
 
-
     /**
      * Update account
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.3.2
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
      *
      * @param {object} data Request payload
      * @returns {Promise<object>} HTTP response
@@ -129,11 +138,10 @@ class AcmeApi {
         return this.apiRequest(this.getAccountUrl(), data, [200, 202]);
     }
 
-
     /**
      * Update account key
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.3.5
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.5
      *
      * @param {object} data Request payload
      * @returns {Promise<object>} HTTP response
@@ -143,11 +151,10 @@ class AcmeApi {
         return this.apiResourceRequest('keyChange', data, [200]);
     }
 
-
     /**
      * Create new order
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.4
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
      *
      * @param {object} data Request payload
      * @returns {Promise<object>} HTTP response
@@ -157,11 +164,10 @@ class AcmeApi {
         return this.apiResourceRequest('newOrder', data, [201]);
     }
 
-
     /**
      * Get order
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.4
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
      *
      * @param {string} url Order URL
      * @returns {Promise<object>} HTTP response
@@ -171,11 +177,10 @@ class AcmeApi {
         return this.apiRequest(url, null, [200]);
     }
 
-
     /**
      * Finalize order
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.4
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
      *
      * @param {string} url Finalization URL
      * @param {object} data Request payload
@@ -186,11 +191,10 @@ class AcmeApi {
         return this.apiRequest(url, data, [200]);
     }
 
-
     /**
      * Get identifier authorization
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.5
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.5
      *
      * @param {string} url Authorization URL
      * @returns {Promise<object>} HTTP response
@@ -200,11 +204,10 @@ class AcmeApi {
         return this.apiRequest(url, null, [200]);
     }
 
-
     /**
      * Update identifier authorization
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.5.2
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.2
      *
      * @param {string} url Authorization URL
      * @param {object} data Request payload
@@ -215,11 +218,10 @@ class AcmeApi {
         return this.apiRequest(url, data, [200]);
     }
 
-
     /**
      * Complete challenge
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.5.1
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
      *
      * @param {string} url Challenge URL
      * @param {object} data Request payload
@@ -230,11 +232,10 @@ class AcmeApi {
         return this.apiRequest(url, data, [200]);
     }
 
-
     /**
      * Revoke certificate
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.6
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
      *
      * @param {object} data Request payload
      * @returns {Promise<object>} HTTP response
@@ -245,6 +246,5 @@ class AcmeApi {
     }
 }
 
-
 /* Export API */
 module.exports = AcmeApi;

packages/core/acme-client/src/auto.js

@@ -4,6 +4,7 @@
 
 const { readCsrDomains } = require('./crypto');
 const { log } = require('./logger');
+const { wait } = require('./wait');
 
 const defaultOpts = {
     csr: null,
@@ -12,11 +13,14 @@ const defaultOpts = {
     termsOfServiceAgreed: false,
     skipChallengeVerification: false,
     challengePriority: ['http-01', 'dns-01'],
-    challengeCreateFn: async () => { throw new Error('Missing challengeCreateFn()'); },
-    challengeRemoveFn: async () => { throw new Error('Missing challengeRemoveFn()'); }
+    challengeCreateFn: async () => {
+        throw new Error('Missing challengeCreateFn()');
+    },
+    challengeRemoveFn: async () => {
+        throw new Error('Missing challengeRemoveFn()');
+    },
 };
 
-
 /**
  * ACME client auto mode
  *
@@ -25,8 +29,8 @@ const defaultOpts = {
  * @returns {Promise<buffer>} Certificate
  */
 
-module.exports = async function(client, userOpts) {
-    const opts = Object.assign({}, defaultOpts, userOpts);
+module.exports = async (client, userOpts) => {
+    const opts = { ...defaultOpts, ...userOpts };
     const accountPayload = { termsOfServiceAgreed: opts.termsOfServiceAgreed };
 
     if (!Buffer.isBuffer(opts.csr)) {
@@ -36,7 +40,9 @@ module.exports = async function(client, userOpts) {
     if (opts.email) {
         accountPayload.contact = [`mailto:${opts.email}`];
     }
-
+    if (opts.externalAccountBinding) {
+        accountPayload.externalAccountBinding = opts.externalAccountBinding;
+    }
 
     /**
      * Register account
@@ -53,19 +59,16 @@ module.exports = async function(client, userOpts) {
         await client.createAccount(accountPayload);
     }
 
-
     /**
      * Parse domains from CSR
      */
 
     log('[auto] Parsing domains from Certificate Signing Request');
-    const csrDomains = readCsrDomains(opts.csr);
-    const domains = [csrDomains.commonName].concat(csrDomains.altNames);
-    const uniqueDomains = Array.from(new Set(domains));
+    const { commonName, altNames } = readCsrDomains(opts.csr);
+    const uniqueDomains = Array.from(new Set([commonName].concat(altNames).filter((d) => d)));
 
     log(`[auto] Resolved ${uniqueDomains.length} unique domains from parsing the Certificate Signing Request`);
 
-
     /**
      * Place order
      */
@@ -77,13 +80,14 @@ module.exports = async function(client, userOpts) {
 
     log(`[auto] Placed certificate order successfully, received ${authorizations.length} identity authorizations`);
 
-
     /**
      * Resolve and satisfy challenges
      */
 
     log('[auto] Resolving and satisfying authorization challenges');
 
+    const clearTasks = [];
+
     const challengeFunc = async (authz) => {
         const d = authz.identifier.value;
         let challengeCompleted = false;
@@ -114,19 +118,36 @@ module.exports = async function(client, userOpts) {
             /* Trigger challengeCreateFn() */
             log(`[auto] [${d}] Trigger challengeCreateFn()`);
             const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
-            let recordItem = null;
-            try {
-                recordItem = await opts.challengeCreateFn(authz, challenge, keyAuthorization);
 
+            try {
+                const { recordReq, recordRes, dnsProvider } = await opts.challengeCreateFn(authz, challenge, keyAuthorization);
+                log(`[auto] [${d}] challengeCreateFn success`);
+                log(`[auto] [${d}] add challengeRemoveFn()`);
+                clearTasks.push(async () => {
+                    /* Trigger challengeRemoveFn(), suppress errors */
+                    log(`[auto] [${d}] Trigger challengeRemoveFn()`);
+                    try {
+                        await opts.challengeRemoveFn(authz, challenge, keyAuthorization, recordReq, recordRes, dnsProvider);
+                    }
+                    catch (e) {
+                        log(`[auto] [${d}] challengeRemoveFn threw error: ${e.message}`);
+                    }
+                });
+                // throw new Error('测试异常');
                 /* Challenge verification */
                 if (opts.skipChallengeVerification === true) {
-                    log(`[auto] [${d}] Skipping challenge verification since skipChallengeVerification=true`);
+                    log(`[auto] [${d}] Skipping challenge verification since skipChallengeVerification=true，wait 60s`);
+                    await wait(60 * 1000);
                 }
                 else {
                     log(`[auto] [${d}] Running challenge verification`);
-                    await client.verifyChallenge(authz, challenge);
+                    try {
+                        await client.verifyChallenge(authz, challenge);
+                    }
+                    catch (e) {
+                        log(`[auto] [${d}] challenge verification threw error: ${e.message}`);
+                    }
                 }
-
                 /* Complete challenge and wait for valid status */
                 log(`[auto] [${d}] Completing challenge with ACME provider and waiting for valid status`);
                 await client.completeChallenge(challenge);
@@ -138,17 +159,6 @@ module.exports = async function(client, userOpts) {
                 log(`[auto] [${d}] challengeCreateFn threw error: ${e.message}`);
                 throw e;
             }
-            finally {
-                /* Trigger challengeRemoveFn(), suppress errors */
-                log(`[auto] [${d}] Trigger challengeRemoveFn()`);
-
-                try {
-                    await opts.challengeRemoveFn(authz, challenge, keyAuthorization, recordItem);
-                }
-                catch (e) {
-                    log(`[auto] [${d}] challengeRemoveFn threw error: ${e.message}`);
-                }
-            }
         }
         catch (e) {
             /* Deactivate pending authz when unable to complete challenge */
@@ -168,32 +178,108 @@ module.exports = async function(client, userOpts) {
             throw e;
         }
     };
+    const domainSets = [];
 
-    const challengePromises = authorizations.map((authz) => async () => {
-        await challengeFunc(authz);
+    authorizations.forEach((authz) => {
+        const d = authz.identifier.value;
+        let setd = false;
+        // eslint-disable-next-line no-restricted-syntax
+        for (const group of domainSets) {
+            if (!group[d]) {
+                group[d] = authz;
+                setd = true;
+            }
+        }
+        if (!setd) {
+            const group = {};
+            group[d] = authz;
+            domainSets.push(group);
+        }
     });
 
-    log('开始challenge');
-    let promise = Promise.resolve();
-    function runPromisesSerially(tasks) {
+    const allChallengePromises = [];
+    // eslint-disable-next-line no-restricted-syntax
+    for (const domainSet of domainSets) {
+        const challengePromises = [];
+        // eslint-disable-next-line guard-for-in,no-restricted-syntax
+        for (const domain in domainSet) {
+            const authz = domainSet[domain];
+            challengePromises.push(async () => {
+                log(`[auto] [${domain}] Starting challenge`);
+                await challengeFunc(authz);
+            });
+        }
+        allChallengePromises.push(challengePromises);
+    }
+
+    log(`[auto] challengeGroups:${allChallengePromises.length}`);
+
+    function runAllPromise(tasks) {
+        let promise = Promise.resolve();
         tasks.forEach((task) => {
             promise = promise.then(task);
         });
         return promise;
     }
 
-    await runPromisesSerially(challengePromises);
+    async function runPromisePa(tasks) {
+        const results = [];
+        // eslint-disable-next-line no-await-in-loop,no-restricted-syntax
+        for (const task of tasks) {
+            results.push(task());
+            // eslint-disable-next-line no-await-in-loop
+            await wait(10000);
+        }
+        return Promise.all(results);
+    }
+
+    log(`开始challenge，共${allChallengePromises.length}组`);
+    let i = 0;
+    // eslint-disable-next-line no-restricted-syntax
+    for (const challengePromises of allChallengePromises) {
+        i += 1;
+        log(`开始第${i}组`);
+        if (opts.signal && opts.signal.aborted) {
+            throw new Error('用户取消');
+        }
+
+        try {
+            // eslint-disable-next-line no-await-in-loop
+            await runPromisePa(challengePromises);
+        }
+        catch (e) {
+            log(`证书申请失败${e.message}`);
+            throw e;
+        }
+        finally {
+            log(`清理challenge痕迹，length:${clearTasks.length}`);
+            try {
+                // eslint-disable-next-line no-await-in-loop
+                await runAllPromise(clearTasks);
+            }
+            catch (e) {
+                log('清理challenge失败');
+                log(e);
+            }
+        }
+    }
     log('challenge结束');
 
     // log('[auto] Waiting for challenge valid status');
     // await Promise.all(challengePromises);
-
-
     /**
      * Finalize order and download certificate
      */
 
     log('[auto] Finalizing order and downloading certificate');
     const finalized = await client.finalizeOrder(order, opts.csr);
-    return client.getCertificate(finalized, opts.preferredChain);
+    const res = await client.getCertificate(finalized, opts.preferredChain);
+    return res;
+    // try {
+    //     await Promise.allSettled(challengePromises);
+    // }
+    // finally {
+    //     log('清理challenge');
+    //     await Promise.allSettled(clearTasks);
+    // }
 };

packages/core/acme-client/src/axios.js

@@ -3,12 +3,14 @@
  */
 
 const axios = require('axios');
-const adapter = require('axios/lib/adapters/http');
+const { parseRetryAfterHeader } = require('./util');
+const { log } = require('./logger');
 const pkg = require('./../package.json');
 
+const { AxiosError } = axios;
 
 /**
- * Instance
+ * Defaults
  */
 
 const instance = axios.create();
@@ -19,10 +21,16 @@ instance.defaults.headers.common['User-Agent'] = `node-${pkg.name}/${pkg.version
 /* Default ACME settings */
 instance.defaults.acmeSettings = {
     httpChallengePort: 80,
-    bypassCustomDnsResolver: false
+    httpsChallengePort: 443,
+    tlsAlpnChallengePort: 443,
+
+    retryMaxAttempts: 5,
+    retryDefaultDelay: 5,
 };
-
-
+// instance.defaults.proxy = {
+//     host: '192.168.34.139',
+//     port: 10811
+// };
 /**
  * Explicitly set Node as default HTTP adapter
  *
@@ -30,8 +38,86 @@ instance.defaults.acmeSettings = {
  * https://stackoverflow.com/questions/42677387
  */
 
-instance.defaults.adapter = adapter;
+instance.defaults.adapter = 'http';
 
+/**
+ * Retry requests on server errors or when rate limited
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-6.6
+ */
+
+function isRetryableError(error) {
+    return (error.code !== 'ECONNABORTED')
+        && (error.code !== 'ERR_NOCK_NO_MATCH')
+        && (!error.response
+            || (error.response.status === 429)
+            || ((error.response.status >= 500) && (error.response.status <= 599)));
+}
+
+/* https://github.com/axios/axios/blob/main/lib/core/settle.js */
+function validateStatus(response) {
+    const validator = response.config.retryValidateStatus;
+
+    if (!response.status || !validator || validator(response.status)) {
+        return response;
+    }
+
+    throw new AxiosError(
+        `Request failed with status code ${response.status}`,
+        (Math.floor(response.status / 100) === 4) ? AxiosError.ERR_BAD_REQUEST : AxiosError.ERR_BAD_RESPONSE,
+        response.config,
+        response.request,
+        response,
+    );
+}
+
+/* Pass all responses through the error interceptor */
+instance.interceptors.request.use((config) => {
+    if (!('retryValidateStatus' in config)) {
+        config.retryValidateStatus = config.validateStatus;
+    }
+
+    config.validateStatus = () => false;
+    return config;
+});
+
+/* Handle request retries if applicable */
+instance.interceptors.response.use(null, async (error) => {
+    const { config, response } = error;
+
+    if (!config) {
+        return Promise.reject(error);
+    }
+
+    /* Pick up errors we want to retry */
+    if (isRetryableError(error)) {
+        const { retryMaxAttempts, retryDefaultDelay } = instance.defaults.acmeSettings;
+        config.retryAttempt = ('retryAttempt' in config) ? (config.retryAttempt + 1) : 1;
+
+        if (config.retryAttempt <= retryMaxAttempts) {
+            const code = response ? `HTTP ${response.status}` : error.code;
+            log(`Caught ${code}, retry attempt ${config.retryAttempt}/${retryMaxAttempts} to URL ${config.url}`);
+
+            /* Attempt to parse Retry-After header, fallback to default delay */
+            let retryAfter = response ? parseRetryAfterHeader(response.headers['retry-after']) : 0;
+
+            if (retryAfter > 0) {
+                log(`Found retry-after response header with value: ${response.headers['retry-after']}, waiting ${retryAfter} seconds`);
+            }
+            else {
+                retryAfter = (retryDefaultDelay * config.retryAttempt);
+                log(`Unable to locate or parse retry-after response header, waiting ${retryAfter} seconds`);
+            }
+
+            /* Wait and retry the request */
+            await new Promise((resolve) => { setTimeout(resolve, (retryAfter * 1000)); });
+            return instance(config);
+        }
+    }
+
+    /* Validate and return response */
+    return validateStatus(response);
+});
 
 /**
  * Export instance

packages/core/acme-client/src/client.js

@@ -13,7 +13,6 @@ const verify = require('./verify');
 const util = require('./util');
 const auto = require('./auto');
 
-
 /**
  * ACME states
  *
@@ -24,7 +23,6 @@ const validStates = ['ready', 'valid'];
 const pendingStates = ['pending', 'processing'];
 const invalidStates = ['invalid'];
 
-
 /**
  * Default options
  *
@@ -38,10 +36,9 @@ const defaultOpts = {
     externalAccountBinding: {},
     backoffAttempts: 10,
     backoffMin: 5000,
-    backoffMax: 30000
+    backoffMax: 30000,
 };
 
-
 /**
  * AcmeClient
  *
@@ -61,7 +58,7 @@ const defaultOpts = {
  * ```js
  * const client = new acme.Client({
  *     directoryUrl: acme.directory.letsencrypt.staging,
- *     accountKey: 'Private key goes here'
+ *     accountKey: 'Private key goes here',
  * });
  * ```
  *
@@ -73,7 +70,7 @@ const defaultOpts = {
  *     accountUrl: 'Optional account URL goes here',
  *     backoffAttempts: 10,
  *     backoffMin: 5000,
- *     backoffMax: 30000
+ *     backoffMax: 30000,
  * });
  * ```
  *
@@ -84,8 +81,8 @@ const defaultOpts = {
  *     accountKey: 'Private key goes here',
  *     externalAccountBinding: {
  *         kid: 'YOUR-EAB-KID',
- *         hmacKey: 'YOUR-EAB-HMAC-KEY'
- *     }
+ *         hmacKey: 'YOUR-EAB-HMAC-KEY',
+ *     },
  * });
  * ```
  */
@@ -96,19 +93,17 @@ class AcmeClient {
             opts.accountKey = Buffer.from(opts.accountKey);
         }
 
-        this.opts = Object.assign({}, defaultOpts, opts);
-
+        this.opts = { ...defaultOpts, ...opts };
         this.backoffOpts = {
             attempts: this.opts.backoffAttempts,
             min: this.opts.backoffMin,
-            max: this.opts.backoffMax
+            max: this.opts.backoffMax,
         };
 
-        this.http = new HttpClient(this.opts.directoryUrl, this.opts.accountKey, this.opts.externalAccountBinding);
+        this.http = new HttpClient(this.opts.directoryUrl, this.opts.accountKey, this.opts.externalAccountBinding, this.opts.urlMapping);
         this.api = new AcmeApi(this.http, this.opts.accountUrl);
     }
 
-
     /**
      * Get Terms of Service URL if available
      *
@@ -128,7 +123,6 @@ class AcmeClient {
         return this.api.getTermsOfServiceUrl();
     }
 
-
     /**
      * Get current account URL
      *
@@ -150,11 +144,10 @@ class AcmeClient {
         return this.api.getAccountUrl();
     }
 
-
     /**
      * Create a new account
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.3
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
      *
      * @param {object} [data] Request data
      * @returns {Promise<object>} Account
@@ -162,7 +155,7 @@ class AcmeClient {
      * @example Create a new account
      * ```js
      * const account = await client.createAccount({
-     *     termsOfServiceAgreed: true
+     *     termsOfServiceAgreed: true,
      * });
      * ```
      *
@@ -170,7 +163,7 @@ class AcmeClient {
      * ```js
      * const account = await client.createAccount({
      *     termsOfServiceAgreed: true,
-     *     contact: ['mailto:test@example.com']
+     *     contact: ['mailto:test@example.com'],
      * });
      * ```
      */
@@ -196,11 +189,10 @@ class AcmeClient {
         }
     }
 
-
     /**
      * Update existing account
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.3.2
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
      *
      * @param {object} [data] Request data
      * @returns {Promise<object>} Account
@@ -208,7 +200,7 @@ class AcmeClient {
      * @example Update existing account
      * ```js
      * const account = await client.updateAccount({
-     *     contact: ['mailto:foo@example.com']
+     *     contact: ['mailto:foo@example.com'],
      * });
      * ```
      */
@@ -236,11 +228,10 @@ class AcmeClient {
         return resp.data;
     }
 
-
     /**
      * Update account private key
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.3.5
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.5
      *
      * @param {buffer|string} newAccountKey New PEM encoded private key
      * @param {object} [data] Additional request data
@@ -261,7 +252,7 @@ class AcmeClient {
         const accountUrl = this.api.getAccountUrl();
 
         /* Create new HTTP and API clients using new key */
-        const newHttpClient = new HttpClient(this.opts.directoryUrl, newAccountKey);
+        const newHttpClient = new HttpClient(this.opts.directoryUrl, newAccountKey, this.opts.externalAccountBinding);
         const newApiClient = new AcmeApi(newHttpClient, accountUrl);
 
         /* Get old JWK */
@@ -282,11 +273,10 @@ class AcmeClient {
         return resp.data;
     }
 
-
     /**
      * Create a new order
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.4
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
      *
      * @param {object} data Request data
      * @returns {Promise<object>} Order
@@ -296,8 +286,8 @@ class AcmeClient {
      * const order = await client.createOrder({
      *     identifiers: [
      *         { type: 'dns', value: 'example.com' },
-     *         { type: 'dns', value: 'test.example.com' }
-     *     ]
+     *         { type: 'dns', value: 'test.example.com' },
+     *     ],
      * });
      * ```
      */
@@ -310,15 +300,15 @@ class AcmeClient {
         }
 
         /* Add URL to response */
-        resp.data.url = resp.headers.location;
+        resp.data.url = this.api.getLocationFromHeader(resp);
+
         return resp.data;
     }
 
-
     /**
      * Refresh order object from CA
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.4
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
      *
      * @param {object} order Order object
      * @returns {Promise<object>} Order
@@ -345,7 +335,7 @@ class AcmeClient {
     /**
      * Finalize order
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.4
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
      *
      * @param {object} order Order object
      * @param {buffer|string} csr PEM encoded Certificate Signing Request
@@ -376,11 +366,10 @@ class AcmeClient {
         return resp.data;
     }
 
-
     /**
      * Get identifier authorizations from order
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.5
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.5
      *
      * @param {object} order Order
      * @returns {Promise<object[]>} Authorizations
@@ -406,11 +395,10 @@ class AcmeClient {
         }));
     }
 
-
     /**
      * Deactivate identifier authorization
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.5.2
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.2
      *
      * @param {object} authz Identifier authorization
      * @returns {Promise<object>} Authorization
@@ -427,10 +415,7 @@ class AcmeClient {
             throw new Error('Unable to deactivate identifier authorization, URL not found');
         }
 
-        const data = {
-            status: 'deactivated'
-        };
-
+        const data = { status: 'deactivated' };
         const resp = await this.api.updateAuthorization(authz.url, data);
 
         /* Add URL to response */
@@ -438,11 +423,10 @@ class AcmeClient {
         return resp.data;
     }
 
-
     /**
      * Get key authorization for ACME challenge
      *
-     * https://tools.ietf.org/html/rfc8555#section-8.1
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-8.1
      *
      * @param {object} challenge Challenge object returned by API
      * @returns {Promise<string>} Key authorization
@@ -462,28 +446,24 @@ class AcmeClient {
         const thumbprint = keysum.digest('base64url');
         const result = `${challenge.token}.${thumbprint}`;
 
-        /**
-         * https://tools.ietf.org/html/rfc8555#section-8.3
-         */
-
+        /* https://datatracker.ietf.org/doc/html/rfc8555#section-8.3 */
         if (challenge.type === 'http-01') {
             return result;
         }
 
-        /**
-         * https://tools.ietf.org/html/rfc8555#section-8.4
-         * https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01
-         */
+        /* https://datatracker.ietf.org/doc/html/rfc8555#section-8.4 */
+        if (challenge.type === 'dns-01') {
+            return createHash('sha256').update(result).digest('base64url');
+        }
 
-        if ((challenge.type === 'dns-01') || (challenge.type === 'tls-alpn-01')) {
-            const shasum = createHash('sha256').update(result);
-            return shasum.digest('base64url');
+        /* https://datatracker.ietf.org/doc/html/rfc8737 */
+        if (challenge.type === 'tls-alpn-01') {
+            return result;
         }
 
         throw new Error(`Unable to produce key authorization, unknown challenge type: ${challenge.type}`);
     }
 
-
     /**
      * Verify that ACME challenge is satisfied
      *
@@ -511,6 +491,9 @@ class AcmeClient {
         const keyAuthorization = await this.getChallengeKeyAuthorization(challenge);
 
         const verifyFn = async () => {
+            if (this.opts.signal && this.opts.signal.aborted) {
+                throw new Error('用户取消');
+            }
             await verify[challenge.type](authz, challenge, keyAuthorization);
         };
 
@@ -518,11 +501,10 @@ class AcmeClient {
         return util.retry(verifyFn, this.backoffOpts);
     }
 
-
     /**
      * Notify CA that challenge has been completed
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.5.1
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
      *
      * @param {object} challenge Challenge object returned by API
      * @returns {Promise<object>} Challenge
@@ -535,15 +517,17 @@ class AcmeClient {
      */
 
     async completeChallenge(challenge) {
+        if (this.opts.signal && this.opts.signal.aborted) {
+            throw new Error('用户取消');
+        }
         const resp = await this.api.completeChallenge(challenge.url, {});
         return resp.data;
     }
 
-
     /**
      * Wait for ACME provider to verify status on a order, authorization or challenge
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.5.1
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
      *
      * @param {object} item An order, authorization or challenge object
      * @returns {Promise<object>} Valid order, authorization or challenge
@@ -554,7 +538,7 @@ class AcmeClient {
      * await client.waitForValidStatus(challenge);
      * ```
      *
-     * @example Wait for valid authoriation status
+     * @example Wait for valid authorization status
      * ```js
      * const authz = { ... };
      * await client.waitForValidStatus(authz);
@@ -573,6 +557,10 @@ class AcmeClient {
         }
 
         const verifyFn = async (abort) => {
+            if (this.opts.signal && this.opts.signal.aborted) {
+                throw new Error('用户取消');
+            }
+
             const resp = await this.api.apiRequest(item.url, null, [200]);
 
             /* Verify status */
@@ -596,11 +584,10 @@ class AcmeClient {
         return util.retry(verifyFn, this.backoffOpts);
     }
 
-
     /**
      * Get certificate from ACME order
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.4.2
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2
      *
      * @param {object} order Order object
      * @param {string} [preferredChain] Indicate which certificate chain is preferred if a CA offers multiple, by exact issuer common name, default: `null`
@@ -643,11 +630,10 @@ class AcmeClient {
         return resp.data;
     }
 
-
     /**
      * Revoke certificate
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.6
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
      *
      * @param {buffer|string} cert PEM encoded certificate
      * @param {object} [data] Additional request data
@@ -663,7 +649,7 @@ class AcmeClient {
      * ```js
      * const certificate = { ... }; // Previously created certificate
      * const result = await client.revokeCertificate(certificate, {
-     *     reason: 4
+     *     reason: 4,
      * });
      * ```
      */
@@ -674,7 +660,6 @@ class AcmeClient {
         return resp.data;
     }
 
-
     /**
      * Auto mode
      *
@@ -692,7 +677,7 @@ class AcmeClient {
      * @example Order a certificate using auto mode
      * ```js
      * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
-     *     commonName: 'test.example.com'
+     *     altNames: ['test.example.com'],
      * });
      *
      * const certificate = await client.auto({
@@ -704,14 +689,14 @@ class AcmeClient {
      *     },
      *     challengeRemoveFn: async (authz, challenge, keyAuthorization) => {
      *         // Clean up challenge here
-     *     }
+     *     },
      * });
      * ```
      *
      * @example Order a certificate using auto mode with preferred chain
      * ```js
      * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
-     *     commonName: 'test.example.com'
+     *     altNames: ['test.example.com'],
      * });
      *
      * const certificate = await client.auto({
@@ -720,7 +705,7 @@ class AcmeClient {
      *     termsOfServiceAgreed: true,
      *     preferredChain: 'DST Root CA X3',
      *     challengeCreateFn: async () => {},
-     *     challengeRemoveFn: async () => {}
+     *     challengeRemoveFn: async () => {},
      * });
      * ```
      */
@@ -730,6 +715,5 @@ class AcmeClient {
     }
 }
 
-
 /* Export client */
 module.exports = AcmeClient;

packages/core/acme-client/src/crypto/forge.js

@@ -10,10 +10,10 @@
 const net = require('net');
 const { promisify } = require('util');
 const forge = require('node-forge');
+const { createPrivateEcdsaKey, getPublicKey } = require('./index');
 
 const generateKeyPair = promisify(forge.pki.rsa.generateKeyPair);
 
-
 /**
  * Attempt to parse forge object from PEM encoded string
  *
@@ -54,7 +54,6 @@ function forgeObjectFromPem(input) {
     return result;
 }
 
-
 /**
  * Parse domain names from a certificate or CSR
  *
@@ -93,11 +92,10 @@ function parseDomains(obj) {
 
     return {
         commonName,
-        altNames
+        altNames,
     };
 }
 
-
 /**
  * Generate a private RSA key
  *
@@ -123,7 +121,6 @@ async function createPrivateKey(size = 2048) {
 
 exports.createPrivateKey = createPrivateKey;
 
-
 /**
  * Create public key from a private RSA key
  *
@@ -136,14 +133,13 @@ exports.createPrivateKey = createPrivateKey;
  * ```
  */
 
-exports.createPublicKey = async function(key) {
+exports.createPublicKey = async (key) => {
     const privateKey = forge.pki.privateKeyFromPem(key);
     const publicKey = forge.pki.rsa.setPublicKey(privateKey.n, privateKey.e);
     const pemKey = forge.pki.publicKeyToPem(publicKey);
     return Buffer.from(pemKey);
 };
 
-
 /**
  * Parse body of PEM encoded object from buffer or string
  * If multiple objects are chained, the first body will be returned
@@ -157,7 +153,6 @@ exports.getPemBody = (str) => {
     return forge.util.encode64(msg.body);
 };
 
-
 /**
  * Split chain of PEM encoded objects from buffer or string into array
  *
@@ -167,7 +162,6 @@ exports.getPemBody = (str) => {
 
 exports.splitPemChain = (str) => forge.pem.decode(str).map(forge.pem.encode);
 
-
 /**
  * Get modulus
  *
@@ -182,7 +176,7 @@ exports.splitPemChain = (str) => forge.pem.decode(str).map(forge.pem.encode);
  * ```
  */
 
-exports.getModulus = async function(input) {
+exports.getModulus = async (input) => {
     if (!Buffer.isBuffer(input)) {
         input = Buffer.from(input);
     }
@@ -191,7 +185,6 @@ exports.getModulus = async function(input) {
     return Buffer.from(forge.util.hexToBytes(obj.n.toString(16)), 'binary');
 };
 
-
 /**
  * Get public exponent
  *
@@ -206,7 +199,7 @@ exports.getModulus = async function(input) {
  * ```
  */
 
-exports.getPublicExponent = async function(input) {
+exports.getPublicExponent = async (input) => {
     if (!Buffer.isBuffer(input)) {
         input = Buffer.from(input);
     }
@@ -215,7 +208,6 @@ exports.getPublicExponent = async function(input) {
     return Buffer.from(forge.util.hexToBytes(obj.e.toString(16)), 'binary');
 };
 
-
 /**
  * Read domains from a Certificate Signing Request
  *
@@ -231,7 +223,7 @@ exports.getPublicExponent = async function(input) {
  * ```
  */
 
-exports.readCsrDomains = async function(csr) {
+exports.readCsrDomains = async (csr) => {
     if (!Buffer.isBuffer(csr)) {
         csr = Buffer.from(csr);
     }
@@ -240,7 +232,6 @@ exports.readCsrDomains = async function(csr) {
     return parseDomains(obj);
 };
 
-
 /**
  * Read information from a certificate
  *
@@ -260,7 +251,7 @@ exports.readCsrDomains = async function(csr) {
  * ```
  */
 
-exports.readCertificateInfo = async function(cert) {
+exports.readCertificateInfo = async (cert) => {
     if (!Buffer.isBuffer(cert)) {
         cert = Buffer.from(cert);
     }
@@ -270,18 +261,17 @@ exports.readCertificateInfo = async function(cert) {
 
     return {
         issuer: {
-            commonName: issuerCn ? issuerCn.value : null
+            commonName: issuerCn ? issuerCn.value : null,
         },
         domains: parseDomains(obj),
         notAfter: obj.validity.notAfter,
-        notBefore: obj.validity.notBefore
+        notBefore: obj.validity.notBefore,
     };
 };
 
-
 /**
  * Determine ASN.1 type for CSR subject short name
- * Note: https://tools.ietf.org/html/rfc5280
+ * Note: https://datatracker.ietf.org/doc/html/rfc5280
  *
  * @private
  * @param {string} shortName CSR subject short name
@@ -299,7 +289,6 @@ function getCsrValueTagClass(shortName) {
     }
 }
 
-
 /**
  * Create array of short names and values for Certificate Signing Request subjects
  *
@@ -319,7 +308,6 @@ function createCsrSubject(subjectObj) {
     }, []);
 }
 
-
 /**
  * Create array of alt names for Certificate Signing Requests
  * Note: https://github.com/digitalbazaar/forge/blob/dfdde475677a8a25c851e33e8f81dca60d90cfb9/lib/x509.js#L1444-L1454
@@ -336,14 +324,13 @@ function formatCsrAltNames(altNames) {
     });
 }
 
-
 /**
  * Create a Certificate Signing Request
  *
  * @param {object} data
  * @param {number} [data.keySize] Size of newly created private key, default: `2048`
  * @param {string} [data.commonName]
- * @param {array} [data.altNames] default: `[]`
+ * @param {string[]} [data.altNames] default: `[]`
  * @param {string} [data.country]
  * @param {string} [data.state]
  * @param {string} [data.locality]
@@ -356,29 +343,30 @@ function formatCsrAltNames(altNames) {
  * @example Create a Certificate Signing Request
  * ```js
  * const [certificateKey, certificateRequest] = await acme.forge.createCsr({
- *     commonName: 'test.example.com'
+ *     altNames: ['test.example.com'],
  * });
  * ```
  *
  * @example Certificate Signing Request with both common and alternative names
+ * > *Warning*: Certificate subject common name has been [deprecated](https://letsencrypt.org/docs/glossary/#def-CN) and its use is [discouraged](https://cabforum.org/uploads/BRv1.2.3.pdf).
  * ```js
  * const [certificateKey, certificateRequest] = await acme.forge.createCsr({
  *     keySize: 4096,
  *     commonName: 'test.example.com',
- *     altNames: ['foo.example.com', 'bar.example.com']
+ *     altNames: ['foo.example.com', 'bar.example.com'],
  * });
  * ```
  *
  * @example Certificate Signing Request with additional information
  * ```js
  * const [certificateKey, certificateRequest] = await acme.forge.createCsr({
- *     commonName: 'test.example.com',
+ *     altNames: ['test.example.com'],
  *     country: 'US',
  *     state: 'California',
  *     locality: 'Los Angeles',
  *     organization: 'The Company Inc.',
  *     organizationUnit: 'IT Department',
- *     emailAddress: 'contact@example.com'
+ *     emailAddress: 'contact@example.com',
  * });
  * ```
  *
@@ -387,17 +375,21 @@ function formatCsrAltNames(altNames) {
  * const certificateKey = await acme.forge.createPrivateKey();
  *
  * const [, certificateRequest] = await acme.forge.createCsr({
- *     commonName: 'test.example.com'
+ *     altNames: ['test.example.com'],
  * }, certificateKey);
  */
 
-exports.createCsr = async function(data, key = null) {
-    if (!key) {
+exports.createCsr = async (data, keyType = null) => {
+    let key = null;
+    if (keyType === 'ec') {
+        key = await createPrivateEcdsaKey();
+    }
+    else {
         key = await createPrivateKey(data.keySize);
     }
-    else if (!Buffer.isBuffer(key)) {
-        key = Buffer.from(key);
-    }
+    // else if (!Buffer.isBuffer(key)) {
+    //     key = Buffer.from(key);
+    // }
 
     if (typeof data.altNames === 'undefined') {
         data.altNames = [];
@@ -409,6 +401,8 @@ exports.createCsr = async function(data, key = null) {
     const privateKey = forge.pki.privateKeyFromPem(key);
     const publicKey = forge.pki.rsa.setPublicKey(privateKey.n, privateKey.e);
     csr.publicKey = publicKey;
+    // const privateKey = key;
+    // csr.publicKey = getPublicKey(key);
 
     /* Ensure subject common name is present in SAN - https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf */
     if (data.commonName && !data.altNames.includes(data.commonName)) {
@@ -423,7 +417,7 @@ exports.createCsr = async function(data, key = null) {
         L: data.locality,
         O: data.organization,
         OU: data.organizationUnit,
-        E: data.emailAddress
+        E: data.emailAddress,
     });
 
     csr.setSubject(subject);
@@ -434,8 +428,8 @@ exports.createCsr = async function(data, key = null) {
             name: 'extensionRequest',
             extensions: [{
                 name: 'subjectAltName',
-                altNames: formatCsrAltNames(data.altNames)
-            }]
+                altNames: formatCsrAltNames(data.altNames),
+            }],
         }]);
     }
 

packages/core/acme-client/src/crypto/index.js

@@ -7,10 +7,20 @@
 const net = require('net');
 const { promisify } = require('util');
 const crypto = require('crypto');
-const jsrsasign = require('jsrsasign');
+const asn1js = require('asn1js');
+const x509 = require('@peculiar/x509');
 
+const randomInt = promisify(crypto.randomInt);
 const generateKeyPair = promisify(crypto.generateKeyPair);
 
+/* Use Node.js Web Crypto API */
+x509.cryptoProvider.set(crypto.webcrypto);
+
+/* id-ce-subjectAltName - https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
+const subjectAltNameOID = '2.5.29.17';
+
+/* id-pe-acmeIdentifier - https://datatracker.ietf.org/doc/html/rfc8737#section-6.1 */
+const alpnAcmeIdentifierOID = '1.3.6.1.5.5.7.1.31';
 
 /**
  * Determine key type and info by attempting to derive public key
@@ -24,17 +34,14 @@ function getKeyInfo(keyPem) {
     const result = {
         isRSA: false,
         isECDSA: false,
-        signatureAlgorithm: null,
-        publicKey: crypto.createPublicKey(keyPem)
+        publicKey: crypto.createPublicKey(keyPem),
     };
 
     if (result.publicKey.asymmetricKeyType === 'rsa') {
         result.isRSA = true;
-        result.signatureAlgorithm = 'SHA256withRSA';
     }
     else if (result.publicKey.asymmetricKeyType === 'ec') {
         result.isECDSA = true;
-        result.signatureAlgorithm = 'SHA256withECDSA';
     }
     else {
         throw new Error('Unable to parse key information, unknown format');
@@ -43,7 +50,6 @@ function getKeyInfo(keyPem) {
     return result;
 }
 
-
 /**
  * Generate a private RSA key
  *
@@ -61,13 +67,13 @@ function getKeyInfo(keyPem) {
  * ```
  */
 
-async function createPrivateRsaKey(modulusLength = 2048) {
+async function createPrivateRsaKey(modulusLength = 2048, encodingType = 'pkcs8') {
     const pair = await generateKeyPair('rsa', {
         modulusLength,
         privateKeyEncoding: {
-            type: 'pkcs8',
-            format: 'pem'
-        }
+            type: encodingType,
+            format: 'pem',
+        },
     });
 
     return Buffer.from(pair.privateKey);
@@ -75,7 +81,6 @@ async function createPrivateRsaKey(modulusLength = 2048) {
 
 exports.createPrivateRsaKey = createPrivateRsaKey;
 
-
 /**
  * Alias of `createPrivateRsaKey()`
  *
@@ -84,7 +89,6 @@ exports.createPrivateRsaKey = createPrivateRsaKey;
 
 exports.createPrivateKey = createPrivateRsaKey;
 
-
 /**
  * Generate a private ECDSA key
  *
@@ -102,19 +106,18 @@ exports.createPrivateKey = createPrivateRsaKey;
  * ```
  */
 
-exports.createPrivateEcdsaKey = async (namedCurve = 'P-256') => {
+exports.createPrivateEcdsaKey = async (namedCurve = 'P-256', encodingType = 'pkcs8') => {
     const pair = await generateKeyPair('ec', {
         namedCurve,
         privateKeyEncoding: {
-            type: 'pkcs8',
-            format: 'pem'
-        }
+            type: encodingType,
+            format: 'pem',
+        },
     });
 
     return Buffer.from(pair.privateKey);
 };
 
-
 /**
  * Get a public key derived from a RSA or ECDSA key
  *
@@ -132,13 +135,12 @@ exports.getPublicKey = (keyPem) => {
 
     const publicKey = info.publicKey.export({
         type: info.isECDSA ? 'spki' : 'pkcs1',
-        format: 'pem'
+        format: 'pem',
     });
 
     return Buffer.from(publicKey);
 };
 
-
 /**
  * Get a JSON Web Key derived from a RSA or ECDSA key
  *
@@ -155,7 +157,7 @@ exports.getPublicKey = (keyPem) => {
 
 function getJwk(keyPem) {
     const jwk = crypto.createPublicKey(keyPem).export({
-        format: 'jwk'
+        format: 'jwk',
     });
 
     /* Sort keys */
@@ -167,34 +169,50 @@ function getJwk(keyPem) {
 
 exports.getJwk = getJwk;
 
-
 /**
- * Fix missing support for NIST curve names in jsrsasign
+ * Produce CryptoKeyPair and signing algorithm from a PEM encoded private key
  *
  * @private
- * @param {string} crv NIST curve name
- * @returns {string} SECG curve name
+ * @param {buffer|string} keyPem PEM encoded private key
+ * @returns {Promise<array>} [keyPair, signingAlgorithm]
  */
 
-function convertNistCurveNameToSecg(nistName) {
-    switch (nistName) {
-        case 'P-256':
-            return 'secp256r1';
-        case 'P-384':
-            return 'secp384r1';
-        case 'P-521':
-            return 'secp521r1';
-        default:
-            return nistName;
-    }
-}
+async function getWebCryptoKeyPair(keyPem) {
+    const info = getKeyInfo(keyPem);
+    const jwk = getJwk(keyPem);
 
+    /* Signing algorithm */
+    const sigalg = {
+        name: 'RSASSA-PKCS1-v1_5',
+        hash: { name: 'SHA-256' },
+    };
+
+    if (info.isECDSA) {
+        sigalg.name = 'ECDSA';
+        sigalg.namedCurve = jwk.crv;
+
+        if (jwk.crv === 'P-384') {
+            sigalg.hash.name = 'SHA-384';
+        }
+
+        if (jwk.crv === 'P-521') {
+            sigalg.hash.name = 'SHA-512';
+        }
+    }
+
+    /* Decode PEM and import into CryptoKeyPair */
+    const privateKeyDec = x509.PemConverter.decodeFirst(keyPem.toString());
+    const privateKey = await crypto.webcrypto.subtle.importKey('pkcs8', privateKeyDec, sigalg, true, ['sign']);
+    const publicKey = await crypto.webcrypto.subtle.importKey('jwk', jwk, sigalg, true, ['verify']);
+
+    return [{ privateKey, publicKey }, sigalg];
+}
 
 /**
  * Split chain of PEM encoded objects from string into array
  *
  * @param {buffer|string} chainPem PEM encoded object chain
- * @returns {array} Array of PEM objects including headers
+ * @returns {string[]} Array of PEM objects including headers
  */
 
 function splitPemChain(chainPem) {
@@ -202,20 +220,13 @@ function splitPemChain(chainPem) {
         chainPem = chainPem.toString();
     }
 
-    return chainPem
-        /* Split chain into chunks, starting at every header */
-        .split(/\s*(?=-----BEGIN [A-Z0-9- ]+-----\r?\n?)/g)
-        /* Match header, PEM body and footer */
-        .map((pem) => pem.match(/\s*-----BEGIN ([A-Z0-9- ]+)-----\r?\n?([\S\s]+)\r?\n?-----END \1-----/))
-        /* Filter out non-matches or empty bodies */
-        .filter((pem) => pem && pem[2] && pem[2].replace(/[\r\n]+/g, '').trim())
-        /* Decode to hex, and back to PEM for formatting etc */
-        .map(([pem, header]) => jsrsasign.hextopem(jsrsasign.pemtohex(pem, header), header));
+    /* Decode into array and re-encode */
+    return x509.PemConverter.decodeWithHeaders(chainPem)
+        .map((params) => x509.PemConverter.encode([params]));
 }
 
 exports.splitPemChain = splitPemChain;
 
-
 /**
  * Parse body of PEM encoded object and return a Base64URL string
  * If multiple objects are chained, the first body will be returned
@@ -231,52 +242,35 @@ exports.getPemBodyAsB64u = (pem) => {
         throw new Error('Unable to parse PEM body from string');
     }
 
-    /* First object, hex and back to b64 without new lines */
-    return jsrsasign.hextob64u(jsrsasign.pemtohex(chain[0]));
+    /* Select first object, extract body and convert to b64u */
+    const dec = x509.PemConverter.decodeFirst(chain[0]);
+    return Buffer.from(dec).toString('base64url');
 };
 
-
-/**
- * Parse common name from a subject object
- *
- * @private
- * @param {object} subj Subject returned from jsrsasign
- * @returns {string} Common name value
- */
-
-function parseCommonName(subj) {
-    const subjectArr = (subj && subj.array) ? subj.array : [];
-    const cnArr = subjectArr.find((s) => (s[0] && s[0].type && s[0].value && (s[0].type === 'CN')));
-    return (cnArr && cnArr.length && cnArr[0].value) ? cnArr[0].value : null;
-}
-
-
 /**
  * Parse domains from a certificate or CSR
  *
  * @private
- * @param {object} params Certificate or CSR params returned from jsrsasign
+ * @param {object} input x509.Certificate or x509.Pkcs10CertificateRequest
  * @returns {object} {commonName, altNames}
  */
 
-function parseDomains(params) {
-    const commonName = parseCommonName(params.subject);
-    const extensionArr = (params.ext || params.extreq || []);
+function parseDomains(input) {
+    const commonName = input.subjectName.getField('CN').pop() || null;
+    const altNamesRaw = input.getExtension(subjectAltNameOID);
     let altNames = [];
 
-    if (extensionArr && extensionArr.length) {
-        const altNameExt = extensionArr.find((e) => (e.extname && (e.extname === 'subjectAltName')));
-        const altNameArr = (altNameExt && altNameExt.array && altNameExt.array.length) ? altNameExt.array : [];
-        altNames = altNameArr.map((a) => Object.values(a)[0] || null).filter((a) => a);
+    if (altNamesRaw) {
+        const altNamesExt = new x509.SubjectAlternativeNameExtension(altNamesRaw.rawData);
+        altNames = altNames.concat(altNamesExt.names.items.map((i) => i.value));
     }
 
     return {
         commonName,
-        altNames
+        altNames,
     };
 }
 
-
 /**
  * Read domains from a Certificate Signing Request
  *
@@ -296,13 +290,11 @@ exports.readCsrDomains = (csrPem) => {
     if (Buffer.isBuffer(csrPem)) {
         csrPem = csrPem.toString();
     }
-
-    /* Parse CSR */
-    const params = jsrsasign.KJUR.asn1.csr.CSRUtil.getParam(csrPem);
-    return parseDomains(params);
+    const dec = x509.PemConverter.decodeFirst(csrPem);
+    const csr = new x509.Pkcs10CertificateRequest(dec);
+    return parseDomains(csr);
 };
 
-
 /**
  * Read information from a certificate
  * If multiple certificates are chained, the first will be read
@@ -324,55 +316,50 @@ exports.readCsrDomains = (csrPem) => {
  */
 
 exports.readCertificateInfo = (certPem) => {
-    const chain = splitPemChain(certPem);
-
-    if (!chain.length) {
-        throw new Error('Unable to parse PEM body from string');
+    if (Buffer.isBuffer(certPem)) {
+        certPem = certPem.toString();
     }
 
-    /* Parse certificate */
-    const obj = new jsrsasign.X509();
-    obj.readCertPEM(chain[0]);
-    const params = obj.getParam();
+    const dec = x509.PemConverter.decodeFirst(certPem);
+    const cert = new x509.X509Certificate(dec);
 
     return {
         issuer: {
-            commonName: parseCommonName(params.issuer)
+            commonName: cert.issuerName.getField('CN').pop() || null,
         },
-        domains: parseDomains(params),
-        notBefore: jsrsasign.zulutodate(params.notbefore),
-        notAfter: jsrsasign.zulutodate(params.notafter)
+        domains: parseDomains(cert),
+        notBefore: cert.notBefore,
+        notAfter: cert.notAfter,
     };
 };
 
-
 /**
- * Determine ASN.1 character string type for CSR subject field
+ * Determine ASN.1 character string type for CSR subject field name
  *
- * https://tools.ietf.org/html/rfc5280
- * https://github.com/kjur/jsrsasign/blob/2613c64559768b91dde9793dfa318feacb7c3b8a/src/x509-1.1.js#L2404-L2412
- * https://github.com/kjur/jsrsasign/blob/2613c64559768b91dde9793dfa318feacb7c3b8a/src/asn1x509-1.0.js#L3526-L3535
+ * https://datatracker.ietf.org/doc/html/rfc5280
+ * https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/name.ts#L65-L71
  *
  * @private
- * @param {string} field CSR subject field
- * @returns {string} ASN.1 jsrsasign character string type
+ * @param {string} field CSR subject field name
+ * @returns {string} ASN.1 character string type
  */
 
 function getCsrAsn1CharStringType(field) {
     switch (field) {
         case 'C':
-            return 'prn';
+            return 'printableString';
         case 'E':
-            return 'ia5';
+            return 'ia5String';
         default:
-            return 'utf8';
+            return 'utf8String';
     }
 }
 
-
 /**
  * Create array of subject fields for a Certificate Signing Request
  *
+ * https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/name.ts#L65-L71
+ *
  * @private
  * @param {object} input Key-value of subject fields
  * @returns {object[]} Certificate Signing Request subject array
@@ -382,74 +369,73 @@ function createCsrSubject(input) {
     return Object.entries(input).reduce((result, [type, value]) => {
         if (value) {
             const ds = getCsrAsn1CharStringType(type);
-            result.push([{ type, value, ds }]);
+            result.push({ [type]: [{ [ds]: value }] });
         }
 
         return result;
     }, []);
 }
 
-
 /**
- * Create array of alt names for Certificate Signing Requests
+ * Create x509 subject alternate name extension
  *
- * https://github.com/kjur/jsrsasign/blob/3edc0070846922daea98d9588978e91d855577ec/src/x509-1.1.js#L1355-L1410
+ * https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/extensions/subject_alt_name.ts
  *
  * @private
  * @param {string[]} altNames Array of alt names
- * @returns {object[]} Certificate Signing Request alt names array
+ * @returns {x509.SubjectAlternativeNameExtension} Subject alternate name extension
  */
 
-function formatCsrAltNames(altNames) {
-    return altNames.map((value) => {
-        const key = net.isIP(value) ? 'ip' : 'dns';
-        return { [key]: value };
-    });
+function createSubjectAltNameExtension(altNames) {
+    return new x509.SubjectAlternativeNameExtension(altNames.map((value) => {
+        const type = net.isIP(value) ? 'ip' : 'dns';
+        return { type, value };
+    }));
 }
 
-
 /**
  * Create a Certificate Signing Request
  *
  * @param {object} data
  * @param {number} [data.keySize] Size of newly created RSA private key modulus in bits, default: `2048`
  * @param {string} [data.commonName] FQDN of your server
- * @param {array} [data.altNames] SAN (Subject Alternative Names), default: `[]`
+ * @param {string[]} [data.altNames] SAN (Subject Alternative Names), default: `[]`
  * @param {string} [data.country] 2 letter country code
  * @param {string} [data.state] State or province
  * @param {string} [data.locality] City
  * @param {string} [data.organization] Organization name
  * @param {string} [data.organizationUnit] Organizational unit name
  * @param {string} [data.emailAddress] Email address
- * @param {string} [keyPem] PEM encoded CSR private key
+ * @param {buffer|string} [keyPem] PEM encoded CSR private key
  * @returns {Promise<buffer[]>} [privateKey, certificateSigningRequest]
  *
  * @example Create a Certificate Signing Request
  * ```js
  * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
- *     commonName: 'test.example.com'
+ *     altNames: ['test.example.com'],
  * });
  * ```
  *
  * @example Certificate Signing Request with both common and alternative names
+ * > *Warning*: Certificate subject common name has been [deprecated](https://letsencrypt.org/docs/glossary/#def-CN) and its use is [discouraged](https://cabforum.org/uploads/BRv1.2.3.pdf).
  * ```js
  * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
  *     keySize: 4096,
  *     commonName: 'test.example.com',
- *     altNames: ['foo.example.com', 'bar.example.com']
+ *     altNames: ['foo.example.com', 'bar.example.com'],
  * });
  * ```
  *
  * @example Certificate Signing Request with additional information
  * ```js
  * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
- *     commonName: 'test.example.com',
+ *     altNames: ['test.example.com'],
  *     country: 'US',
  *     state: 'California',
  *     locality: 'Los Angeles',
  *     organization: 'The Company Inc.',
  *     organizationUnit: 'IT Department',
- *     emailAddress: 'contact@example.com'
+ *     emailAddress: 'contact@example.com',
  * });
  * ```
  *
@@ -458,8 +444,9 @@ function formatCsrAltNames(altNames) {
  * const certificateKey = await acme.crypto.createPrivateEcdsaKey();
  *
  * const [, certificateRequest] = await acme.crypto.createCsr({
- *     commonName: 'test.example.com'
+ *     altNames: ['test.example.com'],
  * }, certificateKey);
+ * ```
  */
 
 exports.createCsr = async (data, keyPem = null) => {
@@ -474,53 +461,143 @@ exports.createCsr = async (data, keyPem = null) => {
         data.altNames = [];
     }
 
-    /* Get key info and JWK */
-    const info = getKeyInfo(keyPem);
-    const jwk = getJwk(keyPem);
-    const extensionRequests = [];
-
-    /* Missing support for NIST curve names in jsrsasign - https://github.com/kjur/jsrsasign/blob/master/src/asn1x509-1.0.js#L4388-L4393 */
-    if (jwk.crv && (jwk.kty === 'EC')) {
-        jwk.crv = convertNistCurveNameToSecg(jwk.crv);
-    }
-
     /* Ensure subject common name is present in SAN - https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf */
     if (data.commonName && !data.altNames.includes(data.commonName)) {
         data.altNames.unshift(data.commonName);
     }
 
-    /* Subject */
-    const subject = createCsrSubject({
-        CN: data.commonName,
-        C: data.country,
-        ST: data.state,
-        L: data.locality,
-        O: data.organization,
-        OU: data.organizationUnit,
-        E: data.emailAddress
-    });
+    /* CryptoKeyPair and signing algorithm from private key */
+    const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
 
-    /* SAN extension */
-    if (data.altNames.length) {
-        extensionRequests.push({
-            extname: 'subjectAltName',
-            array: formatCsrAltNames(data.altNames)
-        });
-    }
+    const extensions = [
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
+        new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment), // eslint-disable-line no-bitwise
+
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
+        createSubjectAltNameExtension(data.altNames),
+    ];
 
     /* Create CSR */
-    const csr = new jsrsasign.KJUR.asn1.csr.CertificationRequest({
-        subject: { array: subject },
-        sigalg: info.signatureAlgorithm,
-        sbjprvkey: keyPem.toString(),
-        sbjpubkey: jwk,
-        extreq: extensionRequests
+    const csr = await x509.Pkcs10CertificateRequestGenerator.create({
+        keys,
+        extensions,
+        signingAlgorithm,
+        name: createCsrSubject({
+            CN: data.commonName,
+            C: data.country,
+            ST: data.state,
+            L: data.locality,
+            O: data.organization,
+            OU: data.organizationUnit,
+            E: data.emailAddress,
+        }),
     });
 
-    /* Sign CSR, get PEM */
-    csr.sign();
-    const pem = csr.getPEM();
-
     /* Done */
+    const pem = csr.toString('pem');
     return [keyPem, Buffer.from(pem)];
 };
+
+/**
+ * Create a self-signed ALPN certificate for TLS-ALPN-01 challenges
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8737
+ *
+ * @param {object} authz Identifier authorization
+ * @param {string} keyAuthorization Challenge key authorization
+ * @param {buffer|string} [keyPem] PEM encoded CSR private key
+ * @returns {Promise<buffer[]>} [privateKey, certificate]
+ *
+ * @example Create a ALPN certificate
+ * ```js
+ * const [alpnKey, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization);
+ * ```
+ *
+ * @example Create a ALPN certificate with ECDSA private key
+ * ```js
+ * const alpnKey = await acme.crypto.createPrivateEcdsaKey();
+ * const [, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization, alpnKey);
+ * ```
+ */
+
+exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) => {
+    if (!keyPem) {
+        keyPem = await createPrivateRsaKey();
+    }
+    else if (!Buffer.isBuffer(keyPem)) {
+        keyPem = Buffer.from(keyPem);
+    }
+
+    const now = new Date();
+    const commonName = authz.identifier.value;
+
+    /* Pseudo-random serial - max 20 bytes, 11 for epoch (year 5138), 9 random */
+    const random = await randomInt(1, 999999999);
+    const serialNumber = `${Math.floor(now.getTime() / 1000)}${random}`;
+
+    /* CryptoKeyPair and signing algorithm from private key */
+    const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
+
+    const extensions = [
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
+        new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true), // eslint-disable-line no-bitwise
+
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9 */
+        new x509.BasicConstraintsExtension(true, 2, true),
+
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2 */
+        await x509.SubjectKeyIdentifierExtension.create(keys.publicKey),
+
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
+        createSubjectAltNameExtension([commonName]),
+    ];
+
+    /* ALPN extension */
+    const payload = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
+    const octstr = new asn1js.OctetString({ valueHex: Buffer.from(payload, 'hex') });
+    extensions.push(new x509.Extension(alpnAcmeIdentifierOID, true, octstr.toBER()));
+
+    /* Self-signed ALPN certificate */
+    const cert = await x509.X509CertificateGenerator.createSelfSigned({
+        keys,
+        signingAlgorithm,
+        extensions,
+        serialNumber,
+        notBefore: now,
+        notAfter: now,
+        name: createCsrSubject({
+            CN: commonName,
+        }),
+    });
+
+    /* Done */
+    const pem = cert.toString('pem');
+    return [keyPem, Buffer.from(pem)];
+};
+
+/**
+ * Validate that a ALPN certificate contains the expected key authorization
+ *
+ * @param {buffer|string} certPem PEM encoded certificate
+ * @param {string} keyAuthorization Expected challenge key authorization
+ * @returns {boolean} True when valid
+ */
+
+exports.isAlpnCertificateAuthorizationValid = (certPem, keyAuthorization) => {
+    const expected = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
+
+    /* Attempt to locate ALPN extension */
+    const cert = new x509.X509Certificate(certPem);
+    const ext = cert.getExtension(alpnAcmeIdentifierOID);
+
+    if (!ext) {
+        throw new Error('Unable to locate ALPN extension within parsed certificate');
+    }
+
+    /* Decode extension value */
+    const parsed = asn1js.fromBER(ext.value);
+    const result = Buffer.from(parsed.result.valueBlock.valueHexView).toString('hex');
+
+    /* Return true if match */
+    return (result === expected);
+};

packages/core/acme-client/src/http.js

@@ -3,10 +3,21 @@
  */
 
 const { createHmac, createSign, constants: { RSA_PKCS1_PADDING } } = require('crypto');
+const { HttpsProxyAgent } = require('https-proxy-agent');
 const { getJwk } = require('./crypto');
 const { log } = require('./logger');
-const axios = require('./axios');
+const axios1 = require('./axios');
 
+const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy;
+let httpsAgent = null;
+if (httpsProxy) {
+    httpsAgent = new HttpsProxyAgent(httpsProxy);
+    log(`use https_proxy:${httpsProxy}`);
+}
+const axios = axios1.create({
+    proxy: false,
+    httpsAgent,
+});
 
 /**
  * ACME HTTP client
@@ -20,16 +31,19 @@ const axios = require('./axios');
  */
 
 class HttpClient {
-    constructor(directoryUrl, accountKey, externalAccountBinding = {}) {
+    constructor(directoryUrl, accountKey, externalAccountBinding = {}, urlMapping = {}) {
         this.directoryUrl = directoryUrl;
         this.accountKey = accountKey;
         this.externalAccountBinding = externalAccountBinding;
 
         this.maxBadNonceRetries = 5;
-        this.directory = null;
         this.jwk = null;
-    }
 
+        this.directoryCache = null;
+        this.directoryMaxAge = 86400;
+        this.directoryTimestamp = 0;
+        this.urlMapping = urlMapping;
+    }
 
     /**
      * HTTP request
@@ -41,6 +55,16 @@ class HttpClient {
      */
 
     async request(url, method, opts = {}) {
+        if (this.urlMapping && this.urlMapping.enabled && this.urlMapping.mappings) {
+            // eslint-disable-next-line no-restricted-syntax
+            for (const key in this.urlMapping.mappings) {
+                if (url.includes(key)) {
+                    const newUrl = url.replace(key, this.urlMapping.mappings[key]);
+                    log(`use reverse proxy: ${newUrl}`);
+                    url = newUrl;
+                }
+            }
+        }
         opts.url = url;
         opts.method = method;
         opts.validateStatus = null;
@@ -60,17 +84,20 @@ class HttpClient {
         return resp;
     }
 
-
     /**
-     * Ensure provider directory exists
+     * Get ACME provider directory
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.1.1
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
      *
-     * @returns {Promise}
+     * @returns {Promise<object>} ACME directory contents
      */
 
     async getDirectory() {
-        if (!this.directory) {
+        const now = Math.floor(Date.now() / 1000);
+        const age = (now - this.directoryTimestamp);
+
+        if (!this.directoryCache || (age > this.directoryMaxAge)) {
+            log(`Refreshing ACME directory, age: ${age}`);
             const resp = await this.request(this.directoryUrl, 'get');
 
             if (resp.status >= 400) {
@@ -81,10 +108,12 @@ class HttpClient {
                 throw new Error('Attempting to read ACME directory returned no data');
             }
 
-            this.directory = resp.data;
+            this.directoryCache = resp.data;
+            this.directoryTimestamp = now;
         }
-    }
 
+        return this.directoryCache;
+    }
 
     /**
      * Get JSON Web Key
@@ -100,13 +129,12 @@ class HttpClient {
         return this.jwk;
     }
 
-
     /**
      * Get nonce from directory API endpoint
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.2
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.2
      *
-     * @returns {Promise<string>} nonce
+     * @returns {Promise<string>} Nonce
      */
 
     async getNonce() {
@@ -120,7 +148,6 @@ class HttpClient {
         return resp.headers['replay-nonce'];
     }
 
-
     /**
      * Get URL for a directory resource
      *
@@ -129,16 +156,15 @@ class HttpClient {
      */
 
     async getResourceUrl(resource) {
-        await this.getDirectory();
+        const dir = await this.getDirectory();
 
-        if (!this.directory[resource]) {
+        if (!dir[resource]) {
             throw new Error(`Unable to locate API resource URL in ACME directory: "${resource}"`);
         }
 
-        return this.directory[resource];
+        return dir[resource];
     }
 
-
     /**
      * Get directory meta field
      *
@@ -147,16 +173,15 @@ class HttpClient {
      */
 
     async getMetaField(field) {
-        await this.getDirectory();
+        const dir = await this.getDirectory();
 
-        if (('meta' in this.directory) && (field in this.directory.meta)) {
-            return this.directory.meta[field];
+        if (('meta' in dir) && (field in dir.meta)) {
+            return dir.meta[field];
         }
 
         return null;
     }
 
-
     /**
      * Prepare HTTP request body for signature
      *
@@ -189,11 +214,10 @@ class HttpClient {
         /* Body */
         return {
             payload: payload ? Buffer.from(JSON.stringify(payload)).toString('base64url') : '',
-            protected: Buffer.from(JSON.stringify(header)).toString('base64url')
+            protected: Buffer.from(JSON.stringify(header)).toString('base64url'),
         };
     }
 
-
     /**
      * Create JWS HTTP request body using HMAC
      *
@@ -216,7 +240,6 @@ class HttpClient {
         return result;
     }
 
-
     /**
      * Create JWS HTTP request body using RSA or ECC
      *
@@ -257,17 +280,16 @@ class HttpClient {
         result.signature = signer.sign({
             key: this.accountKey,
             padding: RSA_PKCS1_PADDING,
-            dsaEncoding: 'ieee-p1363'
+            dsaEncoding: 'ieee-p1363',
         }, 'base64url');
 
         return result;
     }
 
-
     /**
      * Signed HTTP request
      *
-     * https://tools.ietf.org/html/rfc8555#section-6.2
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-6.2
      *
      * @param {string} url Request URL
      * @param {object} payload Request payload
@@ -299,7 +321,7 @@ class HttpClient {
         const data = this.createSignedBody(url, payload, { nonce, kid });
         const resp = await this.request(url, 'post', { data });
 
-        /* Retry on bad nonce - https://tools.ietf.org/html/draft-ietf-acme-acme-10#section-6.4 */
+        /* Retry on bad nonce - https://datatracker.ietf.org/doc/html/rfc8555#section-6.5 */
         if (resp.data && resp.data.type && (resp.status === 400) && (resp.data.type === 'urn:ietf:params:acme:error:badNonce') && (attempts < this.maxBadNonceRetries)) {
             nonce = resp.headers['replay-nonce'] || null;
             attempts += 1;
@@ -313,6 +335,5 @@ class HttpClient {
     }
 }
 
-
 /* Export client */
 module.exports = HttpClient;

packages/core/acme-client/src/index.js

@@ -4,7 +4,6 @@
 
 exports.Client = require('./client');
 
-
 /**
  * Directory URLs
  */
@@ -12,18 +11,22 @@ exports.Client = require('./client');
 exports.directory = {
     buypass: {
         staging: 'https://api.test4.buypass.no/acme/directory',
-        production: 'https://api.buypass.com/acme/directory'
+        production: 'https://api.buypass.com/acme/directory',
+    },
+    google: {
+        staging: 'https://dv.acme-v02.test-api.pki.goog/directory',
+        production: 'https://dv.acme-v02.api.pki.goog/directory',
     },
     letsencrypt: {
         staging: 'https://acme-staging-v02.api.letsencrypt.org/directory',
-        production: 'https://acme-v02.api.letsencrypt.org/directory'
+        production: 'https://acme-v02.api.letsencrypt.org/directory',
     },
     zerossl: {
-        production: 'https://acme.zerossl.com/v2/DV90'
-    }
+        staging: 'https://acme.zerossl.com/v2/DV90',
+        production: 'https://acme.zerossl.com/v2/DV90',
+    },
 };
 
-
 /**
  * Crypto
  */
@@ -31,16 +34,16 @@ exports.directory = {
 exports.crypto = require('./crypto');
 exports.forge = require('./crypto/forge');
 
-
 /**
  * Axios
  */
 
 exports.axios = require('./axios');
 
-
 /**
  * Logger
  */
 
 exports.setLogger = require('./logger').setLogger;
+
+exports.walkTxtRecord = require('./verify').walkTxtRecord;

packages/core/acme-client/src/logger.js

@@ -6,7 +6,6 @@ const debug = require('debug')('acme-client');
 
 let logger = () => {};
 
-
 /**
  * Set logger function
  *
@@ -17,11 +16,10 @@ exports.setLogger = (fn) => {
     logger = fn;
 };
 
-
 /**
  * Log message
  *
- * @param {string} Message
+ * @param {string} msg Message
  */
 
 exports.log = (msg) => {

packages/core/acme-client/src/util.js

@@ -2,11 +2,11 @@
  * Utility methods
  */
 
+const tls = require('tls');
 const dns = require('dns').promises;
 const { readCertificateInfo, splitPemChain } = require('./crypto');
 const { log } = require('./logger');
 
-
 /**
  * Exponential backoff
  *
@@ -25,7 +25,6 @@ class Backoff {
         this.attempts = 0;
     }
 
-
     /**
      * Get backoff duration
      *
@@ -39,7 +38,6 @@ class Backoff {
     }
 }
 
-
 /**
  * Retry promise
  *
@@ -69,7 +67,6 @@ async function retryPromise(fn, attempts, backoff) {
     }
 }
 
-
 /**
  * Retry promise
  *
@@ -86,13 +83,15 @@ function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}) {
     return retryPromise(fn, attempts, backoff);
 }
 
-
 /**
- * Parse URLs from link header
+ * Parse URLs from Link header
  *
- * @param {string} header Link header contents
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link
+ *
+ * @param {string} header Header contents
  * @param {string} rel Link relation, default: `alternate`
- * @returns {array} Array of URLs
+ * @returns {string[]} Array of URLs
  */
 
 function parseLinkHeader(header, rel = 'alternate') {
@@ -106,13 +105,43 @@ function parseLinkHeader(header, rel = 'alternate') {
     return results.filter((r) => r);
 }
 
+/**
+ * Parse date or duration from Retry-After header
+ *
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After
+ *
+ * @param {string} header Header contents
+ * @returns {number} Retry duration in seconds
+ */
+
+function parseRetryAfterHeader(header) {
+    const sec = parseInt(header, 10);
+    const date = new Date(header);
+
+    /* Seconds into the future */
+    if (Number.isSafeInteger(sec) && (sec > 0)) {
+        return sec;
+    }
+
+    /* Future date string */
+    if (date instanceof Date && !Number.isNaN(date)) {
+        const now = new Date();
+        const diff = Math.ceil((date.getTime() - now.getTime()) / 1000);
+
+        if (diff > 0) {
+            return diff;
+        }
+    }
+
+    return 0;
+}
 
 /**
  * Find certificate chain with preferred issuer common name
  *  - If issuer is found in multiple chains, the closest to root wins
  *  - If issuer can not be located, the first chain will be returned
  *
- * @param {array} certificates Array of PEM encoded certificate chains
+ * @param {string[]} certificates Array of PEM encoded certificate chains
  * @param {string} issuer Preferred certificate issuer
  * @returns {string} PEM encoded certificate chain
  */
@@ -156,7 +185,6 @@ function findCertificateChainForIssuer(chains, issuer) {
     return chains[0];
 }
 
-
 /**
  * Find and format error in response object
  *
@@ -167,17 +195,18 @@ function findCertificateChainForIssuer(chains, issuer) {
 function formatResponseError(resp) {
     let result;
 
-    if (resp.data.error) {
-        result = resp.data.error.detail || resp.data.error;
-    }
-    else {
-        result = resp.data.detail || JSON.stringify(resp.data);
+    if (resp.data) {
+        if (resp.data.error) {
+            result = resp.data.error.detail || resp.data.error;
+        }
+        else {
+            result = resp.data.detail || JSON.stringify(resp.data);
+        }
     }
 
-    return result.replace(/\n/g, '');
+    return (result || '').replace(/\n/g, '');
 }
 
-
 /**
  * Resolve root domain name by looking for SOA record
  *
@@ -203,7 +232,6 @@ async function resolveDomainBySoaRecord(recordName) {
     }
 }
 
-
 /**
  * Get DNS resolver using domains authoritative NS records
  *
@@ -244,6 +272,58 @@ async function getAuthoritativeDnsResolver(recordName) {
     return resolver;
 }
 
+/**
+ * Attempt to retrieve TLS ALPN certificate from peer
+ *
+ * https://nodejs.org/api/tls.html#tlsconnectoptions-callback
+ *
+ * @param {string} host Host the TLS client should connect to
+ * @param {number} port Port the client should connect to
+ * @param {string} servername Server name for the SNI (Server Name Indication)
+ * @returns {Promise<string>} PEM encoded certificate
+ */
+
+async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
+    return new Promise((resolve, reject) => {
+        let result;
+
+        /* TLS connection */
+        const socket = tls.connect({
+            host,
+            port,
+            servername: host,
+            rejectUnauthorized: false,
+            ALPNProtocols: ['acme-tls/1'],
+        });
+
+        socket.setTimeout(timeout);
+        socket.setEncoding('utf-8');
+
+        /* Grab certificate once connected and close */
+        socket.on('secureConnect', () => {
+            result = socket.getPeerX509Certificate();
+            socket.end();
+        });
+
+        /* Errors */
+        socket.on('error', (err) => {
+            reject(err);
+        });
+
+        socket.on('timeout', () => {
+            socket.destroy(new Error('TLS ALPN certificate lookup request timed out'));
+        });
+
+        /* Done, return cert as PEM if found */
+        socket.on('end', () => {
+            if (result) {
+                return resolve(result.toString());
+            }
+
+            return reject(new Error('TLS ALPN lookup failed to retrieve certificate'));
+        });
+    });
+}
 
 /**
  * Export utils
@@ -252,7 +332,9 @@ async function getAuthoritativeDnsResolver(recordName) {
 module.exports = {
     retry,
     parseLinkHeader,
+    parseRetryAfterHeader,
     findCertificateChainForIssuer,
     formatResponseError,
-    getAuthoritativeDnsResolver
+    getAuthoritativeDnsResolver,
+    retrieveTlsAlpnCertificate,
 };

packages/core/acme-client/src/verify.js

@@ -3,15 +3,16 @@
  */
 
 const dns = require('dns').promises;
+const https = require('https');
 const { log } = require('./logger');
 const axios = require('./axios');
 const util = require('./util');
-
+const { isAlpnCertificateAuthorizationValid } = require('./crypto');
 
 /**
  * Verify ACME HTTP challenge
  *
- * https://tools.ietf.org/html/rfc8555#section-8.3
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8.3
  *
  * @param {object} authz Identifier authorization
  * @param {object} challenge Authorization challenge
@@ -24,8 +25,11 @@ async function verifyHttpChallenge(authz, challenge, keyAuthorization, suffix =
     const httpPort = axios.defaults.acmeSettings.httpChallengePort || 80;
     const challengeUrl = `http://${authz.identifier.value}:${httpPort}${suffix}`;
 
+    /* May redirect to HTTPS with invalid/self-signed cert - https://letsencrypt.org/docs/challenge-types/#http-01-challenge */
+    const httpsAgent = new https.Agent({ rejectUnauthorized: false });
+
     log(`Sending HTTP query to ${authz.identifier.value}, suffix: ${suffix}, port: ${httpPort}`);
-    const resp = await axios.get(challengeUrl);
+    const resp = await axios.get(challengeUrl, { httpsAgent });
     const data = (resp.data || '').replace(/\s+$/, '');
 
     log(`Query successful, HTTP status code: ${resp.status}`);
@@ -38,49 +42,65 @@ async function verifyHttpChallenge(authz, challenge, keyAuthorization, suffix =
     return true;
 }
 
-
 /**
  * Walk DNS until TXT records are found
  */
 
 async function walkDnsChallengeRecord(recordName, resolver = dns) {
     /* Resolve CNAME record first */
-    try {
-        log(`Checking name for CNAME records: ${recordName}`);
-        const cnameRecords = await resolver.resolveCname(recordName);
-
-        if (cnameRecords.length) {
-            log(`CNAME record found at ${recordName}, new challenge record name: ${cnameRecords[0]}`);
-            return walkDnsChallengeRecord(cnameRecords[0]);
-        }
-    }
-    catch (e) {
-        log(`No CNAME records found for name: ${recordName}`);
-    }
+    // try {
+    //     log(`Checking name for CNAME records: ${recordName}`);
+    //     const cnameRecords = await resolver.resolveCname(recordName);
+    //
+    //     if (cnameRecords.length) {
+    //         log(`CNAME record found at ${recordName}, new challenge record name: ${cnameRecords[0]}`);
+    //         return walkDnsChallengeRecord(cnameRecords[0]);
+    //     }
+    // }
+    // catch (e) {
+    //     log(`No CNAME records found for name: ${recordName}`);
+    // }
 
     /* Resolve TXT records */
     try {
         log(`Checking name for TXT records: ${recordName}`);
         const txtRecords = await resolver.resolveTxt(recordName);
 
-        if (txtRecords.length) {
+        if (txtRecords && txtRecords.length) {
             log(`Found ${txtRecords.length} TXT records at ${recordName}`);
+            log(`TXT records: ${JSON.stringify(txtRecords)}`);
             return [].concat(...txtRecords);
         }
+        return [];
     }
     catch (e) {
-        log(`No TXT records found for name: ${recordName}`);
+        log(`Resolve TXT records error, ${recordName} :${e.message}`);
+        throw e;
     }
-
-    /* Found nothing */
-    throw new Error(`No TXT records found for name: ${recordName}`);
 }
 
+async function walkTxtRecord(recordName) {
+    try {
+        /* Default DNS resolver first */
+        log('Attempting to resolve TXT with default DNS resolver first');
+        const res = await walkDnsChallengeRecord(recordName);
+        if (res && res.length > 0) {
+            return res;
+        }
+        throw new Error('No TXT records found');
+    }
+    catch (e) {
+        /* Authoritative DNS resolver */
+        log(`Error using default resolver, attempting to resolve TXT with authoritative NS: ${e.message}`);
+        const authoritativeResolver = await util.getAuthoritativeDnsResolver(recordName);
+        return await walkDnsChallengeRecord(recordName, authoritativeResolver);
+    }
+}
 
 /**
  * Verify ACME DNS challenge
  *
- * https://tools.ietf.org/html/rfc8555#section-8.4
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8.4
  *
  * @param {object} authz Identifier authorization
  * @param {object} challenge Authorization challenge
@@ -90,32 +110,44 @@ async function walkDnsChallengeRecord(recordName, resolver = dns) {
  */
 
 async function verifyDnsChallenge(authz, challenge, keyAuthorization, prefix = '_acme-challenge.') {
-    let recordValues = [];
     const recordName = `${prefix}${authz.identifier.value}`;
     log(`Resolving DNS TXT from record: ${recordName}`);
-
-    try {
-        /* Default DNS resolver first */
-        log('Attempting to resolve TXT with default DNS resolver first');
-        recordValues = await walkDnsChallengeRecord(recordName);
-    }
-    catch (e) {
-        /* Authoritative DNS resolver */
-        log(`Error using default resolver, attempting to resolve TXT with authoritative NS: ${e.message}`);
-        const authoritativeResolver = await util.getAuthoritativeDnsResolver(recordName);
-        recordValues = await walkDnsChallengeRecord(recordName, authoritativeResolver);
-    }
-
+    const recordValues = await walkTxtRecord(recordName);
     log(`DNS query finished successfully, found ${recordValues.length} TXT records`);
-
     if (!recordValues.length || !recordValues.includes(keyAuthorization)) {
-        throw new Error(`Authorization not found in DNS TXT record: ${recordName}`);
+        throw new Error(`Authorization not found in DNS TXT record: ${recordName}，need:${keyAuthorization},found:${recordValues}`);
     }
 
     log(`Key authorization match for ${challenge.type}/${recordName}, ACME challenge verified`);
     return true;
 }
 
+/**
+ * Verify ACME TLS ALPN challenge
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8737
+ *
+ * @param {object} authz Identifier authorization
+ * @param {object} challenge Authorization challenge
+ * @param {string} keyAuthorization Challenge key authorization
+ * @returns {Promise<boolean>}
+ */
+
+async function verifyTlsAlpnChallenge(authz, challenge, keyAuthorization) {
+    const tlsAlpnPort = axios.defaults.acmeSettings.tlsAlpnChallengePort || 443;
+    const host = authz.identifier.value;
+    log(`Establishing TLS connection with host: ${host}:${tlsAlpnPort}`);
+
+    const certificate = await util.retrieveTlsAlpnCertificate(host, tlsAlpnPort);
+    log('Certificate received from server successfully, matching key authorization in ALPN');
+
+    if (!isAlpnCertificateAuthorizationValid(certificate, keyAuthorization)) {
+        throw new Error(`Authorization not found in certificate from ${authz.identifier.value}`);
+    }
+
+    log(`Key authorization match for ${challenge.type}/${authz.identifier.value}, ACME challenge verified`);
+    return true;
+}
 
 /**
  * Export API
@@ -123,5 +155,7 @@ async function verifyDnsChallenge(authz, challenge, keyAuthorization, prefix = '
 
 module.exports = {
     'http-01': verifyHttpChallenge,
-    'dns-01': verifyDnsChallenge
+    'dns-01': verifyDnsChallenge,
+    'tls-alpn-01': verifyTlsAlpnChallenge,
+    walkTxtRecord,
 };

packages/core/acme-client/src/wait.js

@@ -0,0 +1,9 @@
+async function wait(ms) {
+    return new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}
+
+module.exports = {
+    wait
+};

packages/core/acme-client/test/00-pebble.spec.js

@@ -3,16 +3,22 @@
  */
 
 const dns = require('dns').promises;
+const { randomUUID: uuid } = require('crypto');
+const https = require('https');
 const { assert } = require('chai');
-const { v4: uuid } = require('uuid');
 const cts = require('./challtestsrv');
 const axios = require('./../src/axios');
+const { retrieveTlsAlpnCertificate } = require('./../src/util');
+const { isAlpnCertificateAuthorizationValid } = require('./../src/crypto');
 
 const domainName = process.env.ACME_DOMAIN_NAME || 'example.com';
 const httpPort = axios.defaults.acmeSettings.httpChallengePort || 80;
-
+const httpsPort = axios.defaults.acmeSettings.httpsChallengePort || 443;
+const tlsAlpnPort = axios.defaults.acmeSettings.tlsAlpnChallengePort || 443;
 
 describe('pebble', () => {
+    const httpsAgent = new https.Agent({ rejectUnauthorized: false });
+
     const testAHost = `${uuid()}.${domainName}`;
     const testARecords = ['1.1.1.1', '2.2.2.2'];
     const testCnameHost = `${uuid()}.${domainName}`;
@@ -21,21 +27,27 @@ describe('pebble', () => {
     const testHttp01ChallengeHost = `${uuid()}.${domainName}`;
     const testHttp01ChallengeToken = uuid();
     const testHttp01ChallengeContent = uuid();
+
+    const testHttps01ChallengeHost = `${uuid()}.${domainName}`;
+    const testHttps01ChallengeToken = uuid();
+    const testHttps01ChallengeContent = uuid();
+
     const testDns01ChallengeHost = `_acme-challenge.${uuid()}.${domainName}.`;
     const testDns01ChallengeValue = uuid();
 
+    const testTlsAlpn01ChallengeHost = `${uuid()}.${domainName}`;
+    const testTlsAlpn01ChallengeValue = uuid();
 
     /**
      * Pebble CTS required
      */
 
-    before(function() {
+    before(function () {
         if (!cts.isEnabled()) {
             this.skip();
         }
     });
 
-
     /**
      * DNS mocking
      */
@@ -77,45 +89,120 @@ describe('pebble', () => {
         });
     });
 
-
     /**
-     * Challenge response
+     * HTTP-01 challenge response
      */
 
-    describe('challenges', () => {
-        it('should not locate http-01 challenge response', async () => {
+    describe('http-01', () => {
+        it('should not locate challenge response', async () => {
             const resp = await axios.get(`http://${testHttp01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttp01ChallengeToken}`);
 
             assert.isString(resp.data);
             assert.notEqual(resp.data, testHttp01ChallengeContent);
         });
 
-        it('should add http-01 challenge response', async () => {
+        it('should add challenge response', async () => {
             const resp = await cts.addHttp01ChallengeResponse(testHttp01ChallengeToken, testHttp01ChallengeContent);
             assert.isTrue(resp);
         });
 
-        it('should locate http-01 challenge response', async () => {
+        it('should locate challenge response', async () => {
             const resp = await axios.get(`http://${testHttp01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttp01ChallengeToken}`);
 
             assert.isString(resp.data);
             assert.strictEqual(resp.data, testHttp01ChallengeContent);
         });
+    });
 
-        it('should not locate dns-01 challenge response', async () => {
+    /**
+     * HTTPS-01 challenge response
+     */
+
+    describe('https-01', () => {
+        it('should not locate challenge response', async () => {
+            const r1 = await axios.get(`http://${testHttps01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent });
+            const r2 = await axios.get(`https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent });
+
+            [r1, r2].forEach((resp) => {
+                assert.isString(resp.data);
+                assert.notEqual(resp.data, testHttps01ChallengeContent);
+            });
+        });
+
+        it('should add challenge response', async () => {
+            const resp = await cts.addHttps01ChallengeResponse(testHttps01ChallengeToken, testHttps01ChallengeContent, testHttps01ChallengeHost);
+            assert.isTrue(resp);
+        });
+
+        it('should 302 with self-signed cert', async () => {
+            /* Assert HTTP 302 */
+            const resp = await axios.get(`http://${testHttps01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, {
+                maxRedirects: 0,
+                validateStatus: null,
+            });
+
+            assert.strictEqual(resp.status, 302);
+            assert.strictEqual(resp.headers.location, `https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`);
+
+            /* Self-signed cert test */
+            await assert.isRejected(axios.get(`https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`));
+            await assert.isFulfilled(axios.get(`https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent }));
+        });
+
+        it('should locate challenge response', async () => {
+            const r1 = await axios.get(`http://${testHttps01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent });
+            const r2 = await axios.get(`https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent });
+
+            [r1, r2].forEach((resp) => {
+                assert.isString(resp.data);
+                assert.strictEqual(resp.data, testHttps01ChallengeContent);
+            });
+        });
+    });
+
+    /**
+     * DNS-01 challenge response
+     */
+
+    describe('dns-01', () => {
+        it('should not locate challenge response', async () => {
             await assert.isRejected(dns.resolveTxt(testDns01ChallengeHost));
         });
 
-        it('should add dns-01 challenge response', async () => {
+        it('should add challenge response', async () => {
             const resp = await cts.addDns01ChallengeResponse(testDns01ChallengeHost, testDns01ChallengeValue);
             assert.isTrue(resp);
         });
 
-        it('should locate dns-01 challenge response', async () => {
+        it('should locate challenge response', async () => {
             const resp = await dns.resolveTxt(testDns01ChallengeHost);
 
             assert.isArray(resp);
             assert.deepStrictEqual(resp, [[testDns01ChallengeValue]]);
         });
     });
+
+    /**
+     * TLS-ALPN-01 challenge response
+     */
+
+    describe('tls-alpn-01', () => {
+        it('should not locate challenge response', async () => {
+            await assert.isRejected(retrieveTlsAlpnCertificate(testTlsAlpn01ChallengeHost, tlsAlpnPort), /(failed to retrieve)|(ssl3_read_bytes:tlsv1 alert internal error)/);
+        });
+
+        it('should timeout challenge response', async () => {
+            await assert.isRejected(retrieveTlsAlpnCertificate('example.org', tlsAlpnPort, 500));
+        });
+
+        it('should add challenge response', async () => {
+            const resp = await cts.addTlsAlpn01ChallengeResponse(testTlsAlpn01ChallengeHost, testTlsAlpn01ChallengeValue);
+            assert.isTrue(resp);
+        });
+
+        it('should locate challenge response', async () => {
+            const resp = await retrieveTlsAlpnCertificate(testTlsAlpn01ChallengeHost, tlsAlpnPort);
+            assert.isTrue(isAlpnCertificateAuthorizationValid(resp, testTlsAlpn01ChallengeValue));
+        });
+    });
 });

packages/core/acme-client/test/10-http.spec.js

@@ -2,51 +2,24 @@
  * HTTP client tests
  */
 
+const { randomUUID: uuid } = require('crypto');
 const { assert } = require('chai');
-const { v4: uuid } = require('uuid');
 const nock = require('nock');
 const axios = require('./../src/axios');
 const HttpClient = require('./../src/http');
 const pkg = require('./../package.json');
 
-
 describe('http', () => {
     let testClient;
 
+    const endpoint = `http://${uuid()}.example.com`;
     const defaultUserAgent = `node-${pkg.name}/${pkg.version}`;
     const customUserAgent = 'custom-ua-123';
 
-    const primaryEndpoint = `http://${uuid()}.example.com`;
-    const defaultUaEndpoint = `http://${uuid()}.example.com`;
-    const customUaEndpoint = `http://${uuid()}.example.com`;
-
-
-    /**
-     * HTTP mocking
-     */
-
-    before(() => {
-        axios.defaults.acmeSettings.bypassCustomDnsResolver = true;
-
-        const defaultUaOpts = { reqheaders: { 'User-Agent': defaultUserAgent } };
-        const customUaOpts = { reqheaders: { 'User-Agent': customUserAgent } };
-
-        nock(primaryEndpoint)
-            .persist().get('/').reply(200, 'ok');
-
-        nock(defaultUaEndpoint, defaultUaOpts)
-            .persist().get('/').reply(200, 'ok');
-
-        nock(customUaEndpoint, customUaOpts)
-            .persist().get('/').reply(200, 'ok');
+    afterEach(() => {
+        nock.cleanAll();
     });
 
-    after(() => {
-        axios.defaults.headers.common['User-Agent'] = defaultUserAgent;
-        axios.defaults.acmeSettings.bypassCustomDnsResolver = false;
-    });
-
-
     /**
      * Initialize
      */
@@ -55,47 +28,94 @@ describe('http', () => {
         testClient = new HttpClient();
     });
 
-
     /**
      * HTTP verbs
      */
 
     it('should http get', async () => {
-        const resp = await testClient.request(primaryEndpoint, 'get');
+        nock(endpoint).get('/').reply(200, 'ok');
+        const resp = await testClient.request(endpoint, 'get');
 
         assert.isObject(resp);
         assert.strictEqual(resp.status, 200);
         assert.strictEqual(resp.data, 'ok');
     });
 
-
     /**
      * User-Agent
      */
 
     it('should request using default user-agent', async () => {
-        const resp = await testClient.request(defaultUaEndpoint, 'get');
+        nock(endpoint).matchHeader('user-agent', defaultUserAgent).get('/').reply(200, 'ok');
+        axios.defaults.headers.common['User-Agent'] = defaultUserAgent;
+        const resp = await testClient.request(endpoint, 'get');
 
         assert.isObject(resp);
         assert.strictEqual(resp.status, 200);
         assert.strictEqual(resp.data, 'ok');
     });
 
-    it('should not request using custom user-agent', async () => {
-        await assert.isRejected(testClient.request(customUaEndpoint, 'get'));
+    it('should reject using custom user-agent', async () => {
+        nock(endpoint).matchHeader('user-agent', defaultUserAgent).get('/').reply(200, 'ok');
+        axios.defaults.headers.common['User-Agent'] = customUserAgent;
+        await assert.isRejected(testClient.request(endpoint, 'get'));
     });
 
     it('should request using custom user-agent', async () => {
+        nock(endpoint).matchHeader('user-agent', customUserAgent).get('/').reply(200, 'ok');
         axios.defaults.headers.common['User-Agent'] = customUserAgent;
-        const resp = await testClient.request(customUaEndpoint, 'get');
+        const resp = await testClient.request(endpoint, 'get');
 
         assert.isObject(resp);
         assert.strictEqual(resp.status, 200);
         assert.strictEqual(resp.data, 'ok');
     });
 
-    it('should not request using default user-agent', async () => {
-        axios.defaults.headers.common['User-Agent'] = customUserAgent;
-        await assert.isRejected(testClient.request(defaultUaEndpoint, 'get'));
+    it('should reject using default user-agent', async () => {
+        nock(endpoint).matchHeader('user-agent', customUserAgent).get('/').reply(200, 'ok');
+        axios.defaults.headers.common['User-Agent'] = defaultUserAgent;
+        await assert.isRejected(testClient.request(endpoint, 'get'));
+    });
+
+    /**
+     * Retry on HTTP errors
+     */
+
+    it('should retry on 429 rate limit', async () => {
+        let rateLimitCount = 0;
+
+        nock(endpoint).persist().get('/').reply(() => {
+            rateLimitCount += 1;
+
+            if (rateLimitCount < 3) {
+                return [429, 'Rate Limit Exceeded', { 'Retry-After': 1 }];
+            }
+
+            return [200, 'ok'];
+        });
+
+        assert.strictEqual(rateLimitCount, 0);
+        const resp = await testClient.request(endpoint, 'get');
+
+        assert.isObject(resp);
+        assert.strictEqual(resp.status, 200);
+        assert.strictEqual(resp.data, 'ok');
+        assert.strictEqual(rateLimitCount, 3);
+    });
+
+    it('should retry on 5xx server error', async () => {
+        let serverErrorCount = 0;
+
+        nock(endpoint).persist().get('/').reply(() => {
+            serverErrorCount += 1;
+            return [500, 'Internal Server Error', { 'Retry-After': 1 }];
+        });
+
+        assert.strictEqual(serverErrorCount, 0);
+        const resp = await testClient.request(endpoint, 'get');
+
+        assert.isObject(resp);
+        assert.strictEqual(resp.status, 500);
+        assert.strictEqual(serverErrorCount, 4);
     });
 });

packages/core/acme-client/test/10-logger.spec.js

@@ -5,7 +5,6 @@
 const { assert } = require('chai');
 const logger = require('./../src/logger');
 
-
 describe('logger', () => {
     let lastLogMessage = null;
 
@@ -13,7 +12,6 @@ describe('logger', () => {
         lastLogMessage = msg;
     }
 
-
     /**
      * Logger
      */
@@ -23,7 +21,6 @@ describe('logger', () => {
         assert.isNull(lastLogMessage);
     });
 
-
     it('should log with custom logger', () => {
         logger.setLogger(customLoggerFn);
 

packages/core/acme-client/test/10-util.spec.js

@@ -0,0 +1,145 @@
+/**
+ * Utility method tests
+ */
+
+const dns = require('dns').promises;
+const fs = require('fs').promises;
+const path = require('path');
+const { assert } = require('chai');
+const util = require('./../src/util');
+const { readCertificateInfo } = require('./../src/crypto');
+
+describe('util', () => {
+    const testCertPath1 = path.join(__dirname, 'fixtures', 'certificate.crt');
+    const testCertPath2 = path.join(__dirname, 'fixtures', 'letsencrypt.crt');
+
+    it('retry()', async () => {
+        let attempts = 0;
+        const backoffOpts = {
+            min: 100,
+            max: 500,
+        };
+
+        await assert.isRejected(util.retry(() => {
+            throw new Error('oops');
+        }, backoffOpts));
+
+        const r = await util.retry(() => {
+            attempts += 1;
+
+            if (attempts < 3) {
+                throw new Error('oops');
+            }
+
+            return 'abc';
+        }, backoffOpts);
+
+        assert.strictEqual(r, 'abc');
+        assert.strictEqual(attempts, 3);
+    });
+
+    it('parseLinkHeader()', () => {
+        const r1 = util.parseLinkHeader('<https://example.com/a>;rel="alternate"');
+        assert.isArray(r1);
+        assert.strictEqual(r1.length, 1);
+        assert.strictEqual(r1[0], 'https://example.com/a');
+
+        const r2 = util.parseLinkHeader('<https://example.com/b>;rel="test"');
+        assert.isArray(r2);
+        assert.strictEqual(r2.length, 0);
+
+        const r3 = util.parseLinkHeader('<http://example.com/c>; rel="test"', 'test');
+        assert.isArray(r3);
+        assert.strictEqual(r3.length, 1);
+        assert.strictEqual(r3[0], 'http://example.com/c');
+
+        const r4 = util.parseLinkHeader(`<https://example.com/a>; rel="alternate",
+            <https://example.com/x>; rel="nope",
+            <https://example.com/b>;rel="alternate",
+            <https://example.com/c>;   rel="alternate"`);
+        assert.isArray(r4);
+        assert.strictEqual(r4.length, 3);
+        assert.strictEqual(r4[0], 'https://example.com/a');
+        assert.strictEqual(r4[1], 'https://example.com/b');
+        assert.strictEqual(r4[2], 'https://example.com/c');
+    });
+
+    it('parseRetryAfterHeader()', () => {
+        const r1 = util.parseRetryAfterHeader('');
+        assert.strictEqual(r1, 0);
+
+        const r2 = util.parseRetryAfterHeader('abcdef');
+        assert.strictEqual(r2, 0);
+
+        const r3 = util.parseRetryAfterHeader('123');
+        assert.strictEqual(r3, 123);
+
+        const r4 = util.parseRetryAfterHeader('123.456');
+        assert.strictEqual(r4, 123);
+
+        const r5 = util.parseRetryAfterHeader('-555');
+        assert.strictEqual(r5, 0);
+
+        const r6 = util.parseRetryAfterHeader('Wed, 21 Oct 2015 07:28:00 GMT');
+        assert.strictEqual(r6, 0);
+
+        const now = new Date();
+        const future = new Date(now.getTime() + 123000);
+        const r7 = util.parseRetryAfterHeader(future.toUTCString());
+        assert.isTrue(r7 > 100);
+    });
+
+    it('findCertificateChainForIssuer()', async () => {
+        const certs = [
+            (await fs.readFile(testCertPath1)).toString(),
+            (await fs.readFile(testCertPath2)).toString(),
+        ];
+
+        const r1 = util.findCertificateChainForIssuer(certs, 'abc123');
+        const r2 = util.findCertificateChainForIssuer(certs, 'example.com');
+        const r3 = util.findCertificateChainForIssuer(certs, 'E6');
+
+        [r1, r2, r3].forEach((r) => {
+            assert.isString(r);
+            assert.isNotEmpty(r);
+        });
+
+        assert.strictEqual(readCertificateInfo(r1).issuer.commonName, 'example.com');
+        assert.strictEqual(readCertificateInfo(r2).issuer.commonName, 'example.com');
+        assert.strictEqual(readCertificateInfo(r3).issuer.commonName, 'E6');
+    });
+
+    it('formatResponseError()', () => {
+        const e1 = util.formatResponseError({ data: { error: 'aaa' } });
+        assert.strictEqual(e1, 'aaa');
+
+        const e2 = util.formatResponseError({ data: { error: { detail: 'bbb' } } });
+        assert.strictEqual(e2, 'bbb');
+
+        const e3 = util.formatResponseError({ data: { detail: 'ccc' } });
+        assert.strictEqual(e3, 'ccc');
+
+        const e4 = util.formatResponseError({ data: { a: 123 } });
+        assert.strictEqual(e4, '{"a":123}');
+
+        const e5 = util.formatResponseError({});
+        assert.isString(e5);
+        assert.isEmpty(e5);
+    });
+
+    it('getAuthoritativeDnsResolver()', async () => {
+        /* valid domain - should not use global default */
+        const r1 = await util.getAuthoritativeDnsResolver('example.com');
+        assert.instanceOf(r1, dns.Resolver);
+        assert.isNotEmpty(r1.getServers());
+        assert.notDeepEqual(r1.getServers(), dns.getServers());
+
+        /* invalid domain - fallback to global default */
+        const r2 = await util.getAuthoritativeDnsResolver('invalid.xtldx');
+        assert.instanceOf(r2, dns.Resolver);
+        assert.deepStrictEqual(r2.getServers(), dns.getServers());
+    });
+
+    /* TODO: Figure out how to test this */
+    it('retrieveTlsAlpnCertificate()');
+});