add acme_directory_verify_ssl setting

plinss · Jan 6, 2020 · 77b10f5 · 77b10f5
1 parent c1e44cd
commit 77b10f5
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,8 @@ etc/*
 var/*
 acme*.json
 
+.mypy_cache
+
 *.pem
 *.zip
 *.orig

diff --git a/README.rst b/README.rst
@@ -532,7 +532,7 @@ All of these need only be present when the desired value is different from the d
   The default value is ``true``.
 * ``key_types`` specifies the types of private keys to generate by default.
   The default value is ``['rsa', 'ecdsa']``.
-  * ``key_size`` specifies the size (in bits) for RSA private keys.
+* ``key_size`` specifies the size (in bits) for RSA private keys.
   The default value is ``4096``.
   RSA certificates can be turned off by setting this value to ``0`` or ``null``.
 * ``key_curve`` specifies the curve to use for ECDSA private keys.
@@ -616,6 +616,9 @@ All of these need only be present when the desired value is different from the d
 * ``acme_directory_url`` specifies the primary URL for the ACME service.
   The default value is ``"https://acme-v02.api.letsencrypt.org/directory"``, the Let's Encrypt production API.
   You can substitute the URL for Let's Encrypt's staging environment or another certificate authority.
+* ``acme_directory_verify_ssl`` specifies whether or not to verify the certificate of the ACME service.
+  The default value is ``True``.
+  Setting this to ``False`` is not recommneded, but may be necessary in environments using a private ACME server.
 * ``reload_zone_command`` specifies the command to execute to reload local DNS zone information.
   When using `bindtool`_ the ``"reload-zone.sh"`` script provides this service.
   If not using local DNS updates, you may set this to ``null`` to avoid warnings.

diff --git a/acmebot b/acmebot
@@ -161,7 +161,7 @@ class AcmeManager(object):
     def __init__(self):
         self.script_dir = os.path.dirname(os.path.realpath(__file__))
         self.script_name = os.path.basename(__file__)
-        self.script_version = '2.5.1'
+        self.script_version = '2.6.0'
         self.exit_code = 0
 
         self._color_codes = {
@@ -318,6 +318,7 @@ class AcmeManager(object):
                 'min_run_delay': 300,
                 'max_run_delay': 3600,
                 'acme_directory_url': 'https://acme-v02.api.letsencrypt.org/directory',
+                'acme_directory_verify_ssl': True,
                 'reload_zone_command': '/etc/bind/reload-zone.sh',
                 'nsupdate_command': '/usr/bin/nsupdate',
                 'public_suffix_list_url': 'https://publicsuffix.org/list/public_suffix_list.dat',
@@ -1696,14 +1697,15 @@ class AcmeManager(object):
 
         if (registration):
             try:
-                network = client.ClientNetwork(self.client_key, account=registration, user_agent=self._user_agent())
+                network = client.ClientNetwork(self.client_key, account=registration, user_agent=self._user_agent(),
+                                               verify_ssl=self._setting('acme_directory_verify_ssl'))
                 self.acme_client = client.BackwardsCompatibleClientV2(network, self.client_key, self._setting('acme_directory_url'))
             except Exception as error:
                 self._fatal("Can't connect to ACME service.\n", error, '\n')
         else:
             self._detail('Registering client\n')
             try:
-                network = client.ClientNetwork(self.client_key, user_agent=self._user_agent())
+                network = client.ClientNetwork(self.client_key, user_agent=self._user_agent(), verify_ssl=self._setting('acme_directory_verify_ssl'))
                 self.acme_client = client.BackwardsCompatibleClientV2(network, self.client_key, self._setting('acme_directory_url'))
             except Exception as error:
                 self._fatal("Can't connect to ACME service.\n", error, '\n')