Improve profile support #901
I was rebasing to master to make integration easier, and it looks like something is failing in the CI pipeline; I don't see how my change would have caused things like package install and DNS record add commands to fail. I did test the new version!
Don't worry about the record add errors in the "acmedns" tests - I think that's because I'm fixing some issues with the ARI Support merge and the old version of It looks like the profile changes are causing some certificates to be re-created when they shouldn't be (no changes to SANS and not expired). I'll hopefully have time tomorrow to take a look.
Fix up the profile support to better align with the latest Internet Draft. Also document profile support in the template configuration files.
Hey, I just saw this change .. explicitly picking the first profile given by the ACME server when one isn't specified is exactly what you're NOT supposed to do (see the message thread I posted in my original comment on this change), and was my major motivation for this pull request.
Understood, I'll have a better look at why the response from pebble is causing the getssl to create a new certificate for the test that's failing.
Fix up the profile support to better align with the latest Internet Draft. Also document profile support in the template configuration files.
After looking at the I-D more closely and looking at the discussion here, I realized that there is no guarantee in terms of profile ordering and the I-D author said explicitly that a client should not select a default profile. This code reworks things so if no profile is chosen then it will do the right thing.
I also added PROFILE variable entries in the template configuration files.
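
An added sketch of the rule discussed in this thread (not code from getssl or from this pull request): the newOrder payload carries a "profile" member only when one is configured, and a configured profile must be among the names the server advertises. The function names, the space-separated list of advertised names, and the sample profile names in the comments are assumptions.

```sh
#!/bin/sh
# Added illustration; names below are hypothetical, not getssl's own.
# Assumes profile and domain names contain no JSON special characters.

# profile_offered NAME "space separated names from the directory's meta.profiles"
profile_offered() {
  want=$1
  for name in $2; do
    if [ "$name" = "$want" ]; then
      return 0
    fi
  done
  return 1
}

# build_new_order PROFILE OFFERED DOMAIN...
# Prints the newOrder JSON payload on stdout.
# - PROFILE empty: no "profile" member is sent, so the CA applies its own
#   default. The client never picks "the first" advertised name, because
#   the order of the advertised profiles carries no meaning.
# - PROFILE set but not advertised: fail before contacting the CA.
build_new_order() {
  profile=$1
  offered=$2
  shift 2
  if [ -n "$profile" ] && ! profile_offered "$profile" "$offered"; then
    echo "profile '$profile' is not advertised (offered: $offered)" >&2
    return 1
  fi
  ids=""
  for d in "$@"; do
    ids="${ids:+$ids,}{\"type\":\"dns\",\"value\":\"$d\"}"
  done
  payload="{\"identifiers\":[$ids]"
  if [ -n "$profile" ]; then
    payload="$payload,\"profile\":\"$profile\""
  fi
  printf '%s}\n' "$payload"
}

# Constructed usage, e.g.:
#   build_new_order "" "profile-a profile-b" example.com
#   build_new_order "profile-b" "profile-a profile-b" example.com
```

Because an unset profile produces the same payload as a client without profile support, existing certificates are not tied to whatever name the server happens to list first.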