txacme.client module

ACME client API (like acme.client) implementation for Twisted.

class txacme.client.Client(directory, reactor, key, jws_client)[source]

ACME client interface.

agree_to_tos(regr)[source]

Accept the terms-of-service for a registration.

Parameters:regr (RegistrationResource) – The registration to update.
Returns:The updated registration resource.
Return type:Deferred[RegistrationResource]
answer_challenge(challenge_body, response)[source]

Respond to an authorization challenge.

Parameters:
Returns:

The updated challenge resource.
Return type:

Deferred[ChallengeResource]
fetch_chain(certr, max_length=10)[source]

Fetch the intermediary chain for a certificate.

Parameters:
Return type:

Deferred[List[acme.messages.CertificateResource]]
Returns:

The issuer certificate chain, ordered with the trust anchor last.
classmethod from_url(reactor, url, key, alg=RS256, jws_client=None)[source]

Construct a client from an ACME directory at a given URL.

Parameters:
  • url – The twisted.python.url.URL to fetch the directory from. See txacme.urls for constants for various well-known public directories.
  • reactor – The Twisted reactor to use.
  • key (JWK) – The client key to use.
  • alg – The signing algorithm to use. Needs to be compatible with the type of key used.
  • jws_client (JWSClient) – The underlying client to use, or None to construct one.
Returns:

The constructed client.
Return type:

Deferred[Client]
poll(authzr)[source]

Update an authorization from the server (usually to check its status).

register(new_reg=None)[source]

Create a new registration with the ACME server.

Parameters:new_reg (NewRegistration) – The registration message to use, or None to construct one.
Returns:The registration resource.
Return type:Deferred[RegistrationResource]
request_challenges(identifier)[source]

Create a new authorization.

Parameters:identifier (Identifier) – The identifier to authorize.
Returns:The new authorization resource.
Return type:Deferred[AuthorizationResource]
request_issuance(csr)[source]

Request a certificate.

Authorizations should have already been completed for all of the names requested in the CSR.

Note that unlike acme.client.Client.request_issuance, the certificate resource will have the body data as raw bytes.

See also

txacme.util.csr_for_names

Todo

Delayed issuance is not currently supported, the server must issue the requested certificate immediately.

Parameters:csr – A certificate request message: normally txacme.messages.CertificateRequest or acme.messages.CertificateRequest.
Return type:Deferred[acme.messages.CertificateResource]
Returns:The issued certificate.
classmethod retry_after(response, default=5, _now=<built-in function time>)[source]

Parse the Retry-After value from a response.

update_registration(regr, uri=None)[source]

Submit a registration to the server to update it.

Parameters:
Returns:

The updated registration resource.
Return type:

Deferred[RegistrationResource]
class txacme.client.JWSClient(treq_client, key, alg, user_agent='txacme/0.9.1+0.ga5f1652.dirty')[source]

HTTP client using JWS-signed messages.

get(url, content_type='application/json', **kwargs)[source]

Send GET request and check response.

Parameters:
  • method (str) – The HTTP method to use.
  • url (str) – The URL to make the request to.
Raises:
Returns:

Deferred firing with the checked HTTP response.
head(url, *args, **kwargs)[source]

Send HEAD request without checking the response.

Note that _check_response is not called, as there will be no response body to check.

Parameters:url (str) – The URL to make the request to.
post(url, obj, content_type='application/json', **kwargs)[source]

POST an object and check the response. Retry once if a badNonce error is received.

Parameters:
  • url (str) – The URL to request.
  • obj (JSONDeSerializable) – The serializable payload of the request.
  • content_type (bytes) – The expected content type of the response. By default, JSON.
Raises:
exception txacme.client.ServerError(message, response)[source]

acme.messages.Error isn’t usable as an asynchronous exception, because it doesn’t allow setting the __traceback__ attribute like Twisted wants to do when cleaning Failures. This type exists to wrap such an error, as well as provide access to the original response.

txacme.client.fqdn_identifier(fqdn)[source]

Construct an identifier from an FQDN.

Trivial implementation, just saves on typing.

Parameters:fqdn (str) – The domain name.
Returns:The identifier.
Return type:Identifier
txacme.client.answer_challenge(authzr, client, responders)[source]

Complete an authorization using a responder.

Parameters:
  • auth (AuthorizationResource) – The authorization to complete.
  • client (Client) – The ACME client.
  • responders (List[IResponder]) – A list of responders that can be used to complete the challenge with.
Returns:

A deferred firing when the authorization is verified.
txacme.client.poll_until_valid(authzr, clock, client, timeout=300.0)[source]

Poll an authorization until it is in a state other than pending or processing.

Parameters:
  • auth (AuthorizationResource) – The authorization to complete.
  • clock – The IReactorTime implementation to use; usually the reactor, when not testing.
  • client (Client) – The ACME client.
  • timeout (float) – Maximum time to poll in seconds, before giving up.
Raises:

txacme.client.AuthorizationFailed – if the authorization is no longer in the pending, processing, or valid states.
Raises:

twisted.internet.defer.CancelledError if the authorization was still in pending or processing state when the timeout was reached.
Return type:

Deferred[AuthorizationResource]
Returns:

A deferred firing when the authorization has completed/failed; if the authorization is valid, the authorization resource will be returned.
exception txacme.client.NoSupportedChallenges[source]

No supported challenges were found in an authorization.

exception txacme.client.AuthorizationFailed(authzr)[source]

An attempt was made to complete an authorization, but it failed.