#pragma once
#include "acme-exception.h"
#include <ctime>
#include <list>
#include <memory>
#include <string>
namespace acme_lw
{
/**
 * Result of AcmeClient::issueCertificate: the issued chain and its key,
 * both as PEM text held in plain std::string members.
 */
struct Certificate
{
    // PEM-encoded certificate chain. This is the only member the two
    // 'Expiry' accessors below read.
    std::string fullchain;
    // PEM-encoded private key belonging to the certificate. Treat it as a
    // secret: std::string does not scrub its buffer on destruction, so keep
    // the lifetime of this object short and persist the key only to storage
    // with restrictive permissions.
    std::string privkey;
    // Note that neither of the 'Expiry' calls below require 'privkey'
    // to be set; they only rely on 'fullchain'.
    /**
    Returns the number of seconds since 1970, i.e., epoch time, at which
    the certificate in 'fullchain' stops being valid ('Not After').
    Due to openssl quirkiness on older versions (< 1.1.1?) there
    might be a little drift from a strictly accurate result, but
    it will be close enough for the purpose of determining
    whether the certificate needs to be renewed. Do not use it where an
    exact expiry instant matters; use getExpiryDisplay() for that.
    */
    ::time_t getExpiry() const;
    /**
    Returns the 'Not After' result that openssl would display if
    running the following command.
    openssl x509 -noout -in fullchain.pem -text
    For example:
    May 6 21:15:03 2026 GMT
    The string is formatted for humans, not for parsing.
    */
    std::string getExpiryDisplay() const;
};
// Opaque implementation type (pimpl). It is only ever held through the
// unique_ptr in AcmeClient::impl_, which is why AcmeClient declares its
// destructor here but defines it elsewhere: the unique_ptr deleter needs the
// complete type, and this header deliberately does not provide it.
struct AcmeClientImpl;
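/**
 * Client for issuing certificates from an ACME CA (Let's Encrypt).
 *
 * Each AcmeClient assumes access from a single thread, but different
 * instances can be instantiated in different threads. The instance owns
 * its implementation through a unique_ptr; the user-declared destructor
 * suppresses the implicit move operations, so as declared here the type
 * is neither copyable nor movable.
 */
class AcmeClient
{
public:
    /**
     * The signingKey is the Acme account private key used to sign
     * requests to the acme CA, in pem format.
     *
     * It is a long-lived secret: whoever holds it can sign requests to the
     * CA as this account. Load it from storage with restrictive permissions
     * and never write it to logs.
     *
     * NOTE(review): deliberately left non-explicit to stay source-compatible
     * with existing callers; as a consequence a std::string converts
     * implicitly to an AcmeClient.
     */
    AcmeClient(const std::string& signingKey);
    ~AcmeClient();

    // Copying is already impossible because impl_ is a unique_ptr; spelling
    // the deletion out gives callers a clearer diagnostic than the implicitly
    // deleted members would.
    AcmeClient(const AcmeClient&) = delete;
    AcmeClient& operator=(const AcmeClient&) = delete;

    /**
     * Domain-control validation hook.
     *
     * The implementation of this function allows Let's Encrypt to
     * verify that the requestor has control of the domain name.
     * The callback may be called once for each domain name in the
     * 'issueCertificate' call. The callback should do whatever is
     * needed so that a GET on the 'url' returns the 'keyAuthorization',
     * (which is what the Acme protocol calls the expected response.)
     * Note that this function may not be called in cases where
     * Let's Encrypt already believes the caller has control
     * of the domain name.
     *
     * This is a plain function pointer, so it cannot carry per-call state;
     * callers needing context must reach it through static storage.
     * Serve 'keyAuthorization' verbatim and only at 'url'; do not echo
     * arbitrary request data from that endpoint.
     */
    using Callback = void (*)(const std::string& domainName,
                              const std::string& url,
                              const std::string& keyAuthorization);

    /**
     * Issue a certificate for the domainNames.
     * The first one will be the 'Subject' (CN) in the certificate.
     *
     * @param domainNames  Names to include; must be non-empty for a
     *                     meaningful request (the first becomes the CN).
     * @param callback     Invoked per domain as described on Callback.
     * @return             The issued chain and private key; see Certificate
     *                     for how to handle the key.
     * @throws std::exception, usually an instance of acme_lw::AcmeException
     */
    Certificate issueCertificate(const std::list<std::string>& domainNames, Callback callback);

    // Contact the Let's Encrypt production or staging environments.
    // STAGING is the one to use while developing or testing; certificates
    // issued there are not trusted by browsers.
    enum class Environment { PRODUCTION, STAGING };

    /**
     * Call once before instantiating AcmeClient.
     * Note that this calls Let's Encrypt servers and so can throw
     * if they're having issues.
     *
     * Defaults to PRODUCTION; pass Environment::STAGING explicitly for
     * test runs. NOTE(review): presumably not safe to call concurrently
     * with other init()/teardown() calls — confirm in the implementation.
     */
    static void init(Environment env = Environment::PRODUCTION);

    // Call once before application shutdown. Pairs with init(); presumably
    // releases whatever init() set up — confirm in the implementation.
    static void teardown();

private:
    // Owning pointer to the pimpl; AcmeClientImpl is complete only in the
    // implementation file, hence the out-of-line destructor above.
    std::unique_ptr<AcmeClientImpl> impl_;
};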
}