/// <summary> /// Setup a new ACME account /// </summary> /// <param name="client"></param> /// <returns></returns> private async Task SetupAccount(AcmeProtocolClient client) { // Accept the terms of service, if defined by the server try { var(_, filename, content) = await client.GetTermsOfServiceAsync(); _log.Verbose("Terms of service downloaded"); if (!string.IsNullOrEmpty(filename)) { if (!await AcceptTos(filename, content)) { return; } } } catch (Exception ex) { _log.Error(ex, "Error getting terms of service"); } var contacts = default(string[]); var eabKid = _accountArguments.EabKeyIdentifier; var eabKey = _accountArguments.EabKey; var eabAlg = _accountArguments.EabAlgorithm ?? "HS256"; var eabFlow = client.Directory?.Meta?.ExternalAccountRequired == "true"; var zeroSslFlow = _settings.BaseUri.Host.Contains("zerossl.com"); // Warn about unneeded EAB if (!eabFlow && !string.IsNullOrWhiteSpace(eabKid)) { eabFlow = true; _input.CreateSpace(); _input.Show(null, "You have provided an external account binding key, even though " + "the server does not indicate that this is required. We will attempt to register " + "using this key anyway."); } if (zeroSslFlow) { async Task emailRegistration() { var registration = await GetContacts(allowMultiple : false, prefix : ""); var eab = await _zeroSsl.Register(registration.FirstOrDefault() ?? ""); if (eab != null) { eabKid = eab.Kid; eabKey = eab.Hmac; } else { _log.Error("Unable to retrieve EAB credentials using the provided email address"); } } async Task apiKeyRegistration() { var accessKey = await _input.ReadPassword("API access key"); var eab = await _zeroSsl.Obtain(accessKey ?? ""); if (eab != null) { eabKid = eab.Kid; eabKey = eab.Hmac; } else { _log.Error("Unable to retrieve EAB credentials using the provided API access key"); } } if (!string.IsNullOrWhiteSpace(_accountArguments.EmailAddress)) { await emailRegistration(); } else { var instruction = "ZeroSsl can be used either by setting up a new " + "account using your email address or by connecting it to your existing " + "account using the API access key or pre-generated EAB credentials, which can " + "be obtained from the Developer section of the dashboard."; _input.CreateSpace(); _input.Show(null, instruction); var chosen = await _input.ChooseFromMenu( "How would you like to create the account?", new List <Choice <Func <Task> > >() { Choice.Create(apiKeyRegistration, "API access key"), Choice.Create(emailRegistration, "Email address"), Choice.Create <Func <Task> >(() => Task.CompletedTask, "Input EAB credentials directly") }); await chosen.Invoke(); } } if (eabFlow) { if (string.IsNullOrWhiteSpace(eabKid)) { var instruction = "This ACME endpoint requires an external account. " + "You will need to provide a key identifier and a key to proceed. " + "Please refer to the providers instructions on how to obtain these."; _input.CreateSpace(); _input.Show(null, instruction); eabKid = await _input.RequestString("Key identifier"); } if (string.IsNullOrWhiteSpace(eabKey)) { eabKey = await _input.ReadPassword("Key (base64url encoded)"); } contacts = await GetContacts(runLevel : RunLevel.Unattended); } else { contacts = await GetContacts(); } var signer = _accountManager.DefaultSigner(); try { await CreateAccount(client, signer, contacts, eabAlg, eabKid, eabKey); } catch (AcmeProtocolException apex) { // Some non-ACME compliant server may not support ES256 or other // algorithms, so attempt fallback to RS256 if (apex.ProblemType == acme.ProblemType.BadSignatureAlgorithm && signer.KeyType != "RS256") { signer = _accountManager.NewSigner("RS256"); await CreateAccount(client, signer, contacts, eabAlg, eabKid, eabKey); } else { throw; } } catch (Exception ex) { _log.Error(ex, "Error creating account"); throw; } }
private async Task <AccountDetails?> LoadAccount(AcmeProtocolClient client, IJwsTool?signer) { _log.Verbose("Loading ACME account"); AccountDetails?account = null; if (File.Exists(AccountPath)) { if (signer != null) { _log.Debug("Loading account information from {registrationPath}", AccountPath); account = JsonConvert.DeserializeObject <AccountDetails>(File.ReadAllText(AccountPath)); client.Account = account; // Maybe we should update the account details // on every start of the program to figure out // if it hasn't been suspended or cancelled? // UpdateAccount(); } else { _log.Error("Account found but no valid signer could be loaded"); } } else { _log.Verbose("No account found at {path}, creating new one", AccountPath); try { var(_, filename, content) = await client.GetTermsOfServiceAsync(); _log.Verbose("Terms of service downloaded"); if (!string.IsNullOrEmpty(filename)) { if (!await AcceptTos(filename, content)) { return(null); } } } catch (Exception ex) { _log.Error(ex, "Error getting terms of service"); } var contacts = default(string[]); var externalAccount = default(ExternalAccountBinding); var kid = _accountArguments.EabKeyIdentifier; var key = _accountArguments.EabKey; var alg = _accountArguments.EabAlgorithm ?? "HS256"; var eabFlow = client.Directory?.Meta?.ExternalAccountRequired == "true"; var zeroSslFlow = _settings.BaseUri.Host.Contains("zerossl.com"); // Warn about unneeded EAB if (!eabFlow && !string.IsNullOrWhiteSpace(kid)) { eabFlow = true; _input.CreateSpace(); _input.Show(null, "You have provided an external account binding key, even though " + "the server does not indicate that this is required. We will attempt to register " + "using this key anyway."); } if (zeroSslFlow) { async Task emailRegistration() { var registration = await GetContacts(allowMultiple : false, prefix : ""); var eab = await _zeroSsl.Register(registration.FirstOrDefault() ?? ""); if (eab != null) { kid = eab.Kid; key = eab.Hmac; } else { _log.Error("Unable to retrieve EAB credentials using the provided email address"); } } async Task apiKeyRegistration() { var accessKey = await _input.ReadPassword("API access key"); var eab = await _zeroSsl.Obtain(accessKey ?? ""); if (eab != null) { kid = eab.Kid; key = eab.Hmac; } else { _log.Error("Unable to retrieve EAB credentials using the provided API access key"); } } if (!string.IsNullOrWhiteSpace(_accountArguments.EmailAddress)) { await emailRegistration(); } else { var instruction = "ZeroSsl can be used either by setting up a new " + "account using your email address or by connecting it to your existing " + "account using the API access key or pre-generated EAB credentials, which can " + "be obtained from the Developer section of the dashboard."; _input.CreateSpace(); _input.Show(null, instruction); var chosen = await _input.ChooseFromMenu( "How would you like to create the account?", new List <Choice <Func <Task> > >() { Choice.Create((Func <Task>)apiKeyRegistration, "API access key"), Choice.Create((Func <Task>)emailRegistration, "Email address"), Choice.Create <Func <Task> >(() => Task.CompletedTask, "Input EAB credentials directly") }); await chosen.Invoke(); } } if (eabFlow) { if (string.IsNullOrWhiteSpace(kid)) { var instruction = "This ACME endpoint requires an external account. " + "You will need to provide a key identifier and a key to proceed. " + "Please refer to the providers instructions on how to obtain these."; _input.CreateSpace(); _input.Show(null, instruction); kid = await _input.RequestString("Key identifier"); } if (string.IsNullOrWhiteSpace(key)) { key = await _input.ReadPassword("Key (base64url encoded)"); } externalAccount = new ExternalAccountBinding( alg, JsonConvert.SerializeObject( client.Signer.ExportJwk(), Formatting.None), kid, key ?? "", client.Directory?.NewAccount ?? ""); } else { contacts = await GetContacts(); } try { account = await client.CreateAccountAsync( contacts, termsOfServiceAgreed : true, externalAccountBinding : externalAccount?.Payload() ?? null); } catch (Exception ex) { _log.Error(ex, "Error creating account"); } if (account != null) { try { _log.Debug("Saving account"); var accountKey = new AccountSigner { KeyType = client.Signer.JwsAlg, KeyExport = client.Signer.Export(), }; AccountSigner = accountKey; await File.WriteAllTextAsync(AccountPath, JsonConvert.SerializeObject(account)); } catch (Exception ex) { _log.Error(ex, "Error saving account"); account = null; } } } return(account); }