acme-python(1) acme-python acme-python(1)
NAME
acme-python - acme-python Documentation
Contents:
API DOCUMENTATION
Challenges
ACME Identifier Validation Challenges.
class acme.challenges.Challenge(**kwargs: Any <https://docs.python.org/
3/library/typing.html#typing.Any>)
ACME challenge.
TYPES: dict <https://docs.python.org/3/library/stdtypes.html#
dict>[str <https://docs.python.org/3/library/stdtypes.html#str>,
type <https://docs.python.org/3/library/functions.html#
type>[Challenge <#acme.challenges.Challenge>]] = {'dns': <class
'acme.challenges.DNS'>, 'dns-01': <class
'acme.challenges.DNS01'>, 'http-01': <class
'acme.challenges.HTTP01'>}
Types registered for JSON deserialization
classmethod from_json(jobj: Mapping <https://docs.python.org/3/
library/typing.html#typing.Mapping>[str <https://docs.python
.org/3/library/stdtypes.html#str>, Any <https://docs.python.org/
3/library/typing.html#typing.Any>]) -> GenericChallenge |
UnrecognizedChallenge <#acme.challenges.UnrecognizedChallenge>
Deserialize ACME object from valid JSON object.
Raises josepy.errors.UnrecognizedTypeError <https://
josepy.readthedocs.io/en/latest/api/errors.html#
josepy.errors.UnrecognizedTypeError> -- if type of
the ACME object has not been registered.
class acme.challenges.ChallengeResponse(**kwargs: Any <https://docs
.python.org/3/library/typing.html#typing.Any>)
ACME challenge response.
TYPES: dict <https://docs.python.org/3/library/stdtypes.html#
dict>[str <https://docs.python.org/3/library/stdtypes.html#str>,
type <https://docs.python.org/3/library/functions.html#
type>[ChallengeResponse <#acme.challenges.ChallengeResponse>]] =
{'dns': <class 'acme.challenges.DNSResponse'>, 'dns-01': <class
'acme.challenges.DNS01Response'>, 'http-01': <class
'acme.challenges.HTTP01Response'>}
Types registered for JSON deserialization
to_partial_json() -> dict <https://docs.python.org/3/library/
stdtypes.html#dict>[str <https://docs.python.org/3/library/
stdtypes.html#str>, Any <https://docs.python.org/3/library/
typing.html#typing.Any>]
Get JSON serializable object.
Returns
Serializable JSON object representing ACME typed
object. validate() will almost certainly not
work, due to reasons explained in
josepy.interfaces.IJSONSerializable.
Return type
dict <https://docs.python.org/3/library/stdtypes
.html#dict>
class acme.challenges.UnrecognizedChallenge(jobj: Mapping <https://docs
.python.org/3/library/typing.html#typing.Mapping>[str <https://docs
.python.org/3/library/stdtypes.html#str>, Any <https://docs.python.org/
3/library/typing.html#typing.Any>])
Unrecognized challenge.
ACME specification defines a generic framework for challenges
and defines some standard challenges that are implemented in
this module. However, other implementations (including peers)
might define additional challenge types, which should be ignored
if unrecognized.
Variables
jobj -- Original JSON decoded object.
to_partial_json() -> dict <https://docs.python.org/3/library/
stdtypes.html#dict>[str <https://docs.python.org/3/library/
stdtypes.html#str>, Any <https://docs.python.org/3/library/
typing.html#typing.Any>]
Get JSON serializable object.
Returns
Serializable JSON object representing ACME typed
object. validate() will almost certainly not
work, due to reasons explained in
josepy.interfaces.IJSONSerializable.
Return type
dict <https://docs.python.org/3/library/stdtypes
.html#dict>
classmethod from_json(jobj: Mapping <https://docs.python.org/3/
library/typing.html#typing.Mapping>[str <https://docs.python
.org/3/library/stdtypes.html#str>, Any <https://docs.python.org/
3/library/typing.html#typing.Any>]) -> UnrecognizedChallenge <#
acme.challenges.UnrecognizedChallenge>
Deserialize ACME object from valid JSON object.
Raises josepy.errors.UnrecognizedTypeError <https://
josepy.readthedocs.io/en/latest/api/errors.html#
josepy.errors.UnrecognizedTypeError> -- if type of
the ACME object has not been registered.
class acme.challenges.KeyAuthorizationChallengeResponse(**kwargs: Any
<https://docs.python.org/3/library/typing.html#typing.Any>)
Response to Challenges based on Key Authorization.
Parameters
key_authorization (str <https://docs.python.org/3/
library/stdtypes.html#str>)
verify(chall: KeyAuthorizationChallenge <#acme.challenges
.KeyAuthorizationChallenge>, account_public_key: JWK <https://
josepy.readthedocs.io/en/latest/api/jwk.html#josepy.jwk.JWK>) ->
bool <https://docs.python.org/3/library/functions.html#bool>
Verify the key authorization.
Parameters
o chall (KeyAuthorization) -- Challenge that
corresponds to this response.
o account_public_key (JWK)
Returns
True iff verification of the key authorization was
successful.
Return type
bool <https://docs.python.org/3/library/functions
.html#bool>
to_partial_json() -> dict <https://docs.python.org/3/library/
stdtypes.html#dict>[str <https://docs.python.org/3/library/
stdtypes.html#str>, Any <https://docs.python.org/3/library/
typing.html#typing.Any>]
Get JSON serializable object.
Returns
Serializable JSON object representing ACME typed
object. validate() will almost certainly not
work, due to reasons explained in
josepy.interfaces.IJSONSerializable.
Return type
dict <https://docs.python.org/3/library/stdtypes
.html#dict>
class acme.challenges.KeyAuthorizationChallenge(**kwargs: Any <https://
docs.python.org/3/library/typing.html#typing.Any>)
Challenge based on Key Authorization.
Parameters
o response_cls -- Subclass of
KeyAuthorizationChallengeResponse that will be used to
generate response.
o typ (str <https://docs.python.org/3/library/stdtypes
.html#str>) -- type of the challenge
typ: str <https://docs.python.org/3/library/stdtypes.html#str> =
NotImplemented
Type of the object. Subclasses must override.
key_authorization(account_key: JWK <https://josepy.readthedocs
.io/en/latest/api/jwk.html#josepy.jwk.JWK>) -> str <https://docs
.python.org/3/library/stdtypes.html#str>
Generate Key Authorization.
Parameters
account_key (JWK)
Rtype str
response(account_key: JWK <https://josepy.readthedocs.io/en/
latest/api/jwk.html#josepy.jwk.JWK>) ->
KeyAuthorizationChallengeResponse <#acme.challenges
.KeyAuthorizationChallengeResponse>
Generate response to the challenge.
Parameters
account_key (JWK)
Returns
Response (initialized response_cls) to the
challenge.
Return type
KeyAuthorizationChallengeResponse <#acme
.challenges.KeyAuthorizationChallengeResponse>
abstractmethod validation(account_key: JWK <https://josepy
.readthedocs.io/en/latest/api/jwk.html#josepy.jwk.JWK>,
**kwargs: Any <https://docs.python.org/3/library/typing.html#
typing.Any>) -> Any <https://docs.python.org/3/library/typing
.html#typing.Any>
Generate validation for the challenge.
Subclasses must implement this method, but they are
likely to return completely different data structures,
depending on what's necessary to complete the challenge.
Interpretation of that return value must be known to the
caller.
Parameters
account_key (JWK)
Returns
Challenge-specific validation.
response_and_validation(account_key: JWK <https://josepy
.readthedocs.io/en/latest/api/jwk.html#josepy.jwk.JWK>, *args:
Any <https://docs.python.org/3/library/typing.html#typing.Any>,
**kwargs: Any <https://docs.python.org/3/library/typing.html#
typing.Any>) -> tuple <https://docs.python.org/3/library/
stdtypes.html#tuple>[KeyAuthorizationChallengeResponse <#acme
.challenges.KeyAuthorizationChallengeResponse>, Any <https://
docs.python.org/3/library/typing.html#typing.Any>]
Generate response and validation.
Convenience function that return results of response and
validation.
Parameters
account_key (JWK)
Return type
tuple <https://docs.python.org/3/library/stdtypes
.html#tuple>
class acme.challenges.DNS01Response(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
ACME dns-01 challenge response.
typ: str <https://docs.python.org/3/library/stdtypes.html#str> =
'dns-01'
Type of the object. Subclasses must override.
simple_verify(chall: DNS01 <#acme.challenges.DNS01>, domain: str
<https://docs.python.org/3/library/stdtypes.html#str>,
account_public_key: JWK <https://josepy.readthedocs.io/en/
latest/api/jwk.html#josepy.jwk.JWK>) -> bool <https://docs
.python.org/3/library/functions.html#bool>
Simple verify.
This method no longer checks DNS records and is a simple
wrapper around KeyAuthorizationChallengeResponse.verify.
Parameters
o chall (challenges.DNS01 <#acme.challenges
.DNS01>) -- Corresponding challenge.
o domain (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- Domain name being
verified.
o account_public_key (JWK) -- Public key for the
key pair being authorized.
Returns
True iff verification of the key authorization was
successful.
Return type
bool <https://docs.python.org/3/library/functions
.html#bool>
class acme.challenges.DNS01(**kwargs: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
ACME dns-01 challenge.
response_cls
alias of DNS01Response
typ: str <https://docs.python.org/3/library/stdtypes.html#str> =
'dns-01'
Type of the object. Subclasses must override.
LABEL = '_acme-challenge'
Label clients prepend to the domain name being validated.
validation(account_key: JWK <https://josepy.readthedocs.io/en/
latest/api/jwk.html#josepy.jwk.JWK>, **unused_kwargs: Any
<https://docs.python.org/3/library/typing.html#typing.Any>) ->
str <https://docs.python.org/3/library/stdtypes.html#str>
Generate validation.
Parameters
account_key (JWK)
Return type
str <https://docs.python.org/3/library/stdtypes
.html#str>
validation_domain_name(name: str <https://docs.python.org/3/
library/stdtypes.html#str>) -> str <https://docs.python.org/3/
library/stdtypes.html#str>
Domain name for TXT validation record.
Parameters
name (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- Domain name being
validated.
Return type
str <https://docs.python.org/3/library/stdtypes
.html#str>
class acme.challenges.HTTP01Response(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
ACME http-01 challenge response.
typ: str <https://docs.python.org/3/library/stdtypes.html#str> =
'http-01'
Type of the object. Subclasses must override.
PORT = 80
Verification port as defined by the protocol.
You can override it (e.g. for testing) by passing port to
simple_verify.
WHITESPACE_CUTSET = '\n\r\t '
Whitespace characters which should be ignored at the end
of the body.
simple_verify(chall: HTTP01 <#acme.challenges.HTTP01>, domain:
str <https://docs.python.org/3/library/stdtypes.html#str>,
account_public_key: JWK <https://josepy.readthedocs.io/en/
latest/api/jwk.html#josepy.jwk.JWK>, port: int <https://docs
.python.org/3/library/functions.html#int> | None <https://docs
.python.org/3/library/constants.html#None> = None, timeout: int
<https://docs.python.org/3/library/functions.html#int> = 30) ->
bool <https://docs.python.org/3/library/functions.html#bool>
Simple verify.
Parameters
o chall (challenges.SimpleHTTP) -- Corresponding
challenge.
o domain (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- Domain name being
verified.
o account_public_key (JWK) -- Public key for the
key pair being authorized.
o port (int <https://docs.python.org/3/library/
functions.html#int>) -- Port used in the
validation.
o timeout (int <https://docs.python.org/3/library/
functions.html#int>) -- Timeout in seconds.
Returns
True iff validation with the files currently
served by the HTTP server is successful.
Return type
bool <https://docs.python.org/3/library/functions
.html#bool>
class acme.challenges.HTTP01(**kwargs: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
ACME http-01 challenge.
response_cls
alias of HTTP01Response
typ: str <https://docs.python.org/3/library/stdtypes.html#str> =
'http-01'
Type of the object. Subclasses must override.
URI_ROOT_PATH = '.well-known/acme-challenge'
URI root path for the server provisioned resource.
property path: str <https://docs.python.org/3/library/stdtypes
.html#str>
Path (starting with '/') for provisioned resource.
Return type
str <https://docs.python.org/3/library/stdtypes
.html#str>
uri(domain: str <https://docs.python.org/3/library/stdtypes
.html#str>) -> str <https://docs.python.org/3/library/stdtypes
.html#str>
Create an URI to the provisioned resource.
Forms an URI to the HTTPS server provisioned resource
(containing token).
Parameters
domain (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- Domain name being verified.
Return type
str <https://docs.python.org/3/library/stdtypes
.html#str>
validation(account_key: JWK <https://josepy.readthedocs.io/en/
latest/api/jwk.html#josepy.jwk.JWK>, **unused_kwargs: Any
<https://docs.python.org/3/library/typing.html#typing.Any>) ->
str <https://docs.python.org/3/library/stdtypes.html#str>
Generate validation.
Parameters
account_key (JWK)
Return type
str <https://docs.python.org/3/library/stdtypes
.html#str>
class acme.challenges.DNS(**kwargs: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
ACME "dns" challenge.
typ: str <https://docs.python.org/3/library/stdtypes.html#str> =
'dns' Type of the object. Subclasses must override.
LABEL = '_acme-challenge'
Label clients prepend to the domain name being validated.
gen_validation(account_key: JWK <https://josepy.readthedocs.io/
en/latest/api/jwk.html#josepy.jwk.JWK>, alg: JWASignature
<https://josepy.readthedocs.io/en/latest/api/jwa.html#josepy.jwa
.JWASignature> = RS256, **kwargs: Any <https://docs.python.org/
3/library/typing.html#typing.Any>) -> JWS <https://josepy
.readthedocs.io/en/latest/api/jws.html#josepy.jws.JWS>
Generate validation.
Parameters
o account_key (.JWK) -- Private account key.
o alg (.JWA)
Returns
This challenge wrapped in JWS <#acme.jws.JWS>
Return type
.JWS
check_validation(validation: JWS <https://josepy.readthedocs.io/
en/latest/api/jws.html#josepy.jws.JWS>, account_public_key: JWK
<https://josepy.readthedocs.io/en/latest/api/jwk.html#josepy.jwk
.JWK>) -> bool <https://docs.python.org/3/library/functions
.html#bool>
Check validation.
Parameters
o validation (JWS <#acme.jws.JWS>)
o account_public_key (JWK)
Return type
bool <https://docs.python.org/3/library/functions
.html#bool>
gen_response(account_key: JWK <https://josepy.readthedocs.io/en/
latest/api/jwk.html#josepy.jwk.JWK>, **kwargs: Any <https://docs
.python.org/3/library/typing.html#typing.Any>) -> DNSResponse <#
acme.challenges.DNSResponse>
Generate response.
Parameters
o account_key (.JWK) -- Private account key.
o alg (.JWA)
Return type
DNSResponse <#acme.challenges.DNSResponse>
validation_domain_name(name: str <https://docs.python.org/3/
library/stdtypes.html#str>) -> str <https://docs.python.org/3/
library/stdtypes.html#str>
Domain name for TXT validation record.
Parameters
name (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- Domain name being
validated.
class acme.challenges.DNSResponse(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
ACME "dns" challenge response.
Parameters
validation (JWS <#acme.jws.JWS>)
typ: str <https://docs.python.org/3/library/stdtypes.html#str> =
'dns' Type of the object. Subclasses must override.
check_validation(chall: DNS <#acme.challenges.DNS>,
account_public_key: JWK <https://josepy.readthedocs.io/en/
latest/api/jwk.html#josepy.jwk.JWK>) -> bool <https://docs
.python.org/3/library/functions.html#bool>
Check validation.
Parameters
o chall (challenges.DNS <#acme.challenges.DNS>)
o account_public_key (JWK)
Return type
bool <https://docs.python.org/3/library/functions
.html#bool>
Client
ACME client API.
class acme.client.ClientV2(directory: Directory <#acme.messages
.Directory>, net: ClientNetwork <#acme.client.ClientNetwork>)
ACME client for a v2 API.
Variables
o directory (messages.Directory <#acme.messages
.Directory>)
o net (.ClientNetwork) -- Client network.
new_account(new_account: NewRegistration <#acme.messages
.NewRegistration>) -> RegistrationResource <#acme.messages
.RegistrationResource>
Register.
Parameters
new_account (.NewRegistration)
Raises .ConflictError -- in case the account already
exists
Returns
Registration Resource.
Return type
RegistrationResource <#acme.messages
.RegistrationResource>
query_registration(regr: RegistrationResource <#acme.messages
.RegistrationResource>) -> RegistrationResource <#acme.messages
.RegistrationResource>
Query server about registration.
Parameters
regr (messages.RegistrationResource <#acme
.messages.RegistrationResource>) -- Existing
Registration Resource.
update_registration(regr: RegistrationResource <#acme.messages
.RegistrationResource>, update: Registration <#acme.messages
.Registration> | None <https://docs.python.org/3/library/
constants.html#None> = None) -> RegistrationResource <#acme
.messages.RegistrationResource>
Update registration.
Parameters
o regr (messages.RegistrationResource <#acme
.messages.RegistrationResource>) -- Registration
Resource.
o update (messages.Registration <#acme.messages
.Registration>) -- Updated body of the resource.
If not provided, body will be taken from regr.
Returns
Updated Registration Resource.
Return type
RegistrationResource <#acme.messages
.RegistrationResource>
new_order(csr_pem: bytes <https://docs.python.org/3/library/
stdtypes.html#bytes>, profile: str <https://docs.python.org/3/
library/stdtypes.html#str> | None <https://docs.python.org/3/
library/constants.html#None> = None) -> OrderResource <#acme
.messages.OrderResource>
Request a new Order object from the server.
Parameters
csr_pem (bytes <https://docs.python.org/3/library/
stdtypes.html#bytes>) -- A CSR in PEM format.
Returns
The newly created order.
Return type
OrderResource <#acme.messages.OrderResource>
poll(authzr: AuthorizationResource <#acme.messages
.AuthorizationResource>) -> tuple <https://docs.python.org/3/
library/stdtypes.html#tuple>[AuthorizationResource <#acme
.messages.AuthorizationResource>, Response]
Poll Authorization Resource for status.
Parameters
authzr (AuthorizationResource <#acme.messages
.AuthorizationResource>) -- Authorization Resource
Returns
Updated Authorization Resource and HTTP response.
Return type
(AuthorizationResource <#acme.messages
.AuthorizationResource>, requests.Response)
poll_and_finalize(orderr: OrderResource <#acme.messages
.OrderResource>, deadline: datetime <https://docs.python.org/3/
library/datetime.html#datetime.datetime> | None <https://docs
.python.org/3/library/constants.html#None> = None) ->
OrderResource <#acme.messages.OrderResource>
Poll authorizations and finalize the order.
If no deadline is provided, this method will timeout
after 90 seconds.
Parameters
o orderr (messages.OrderResource <#acme.messages
.OrderResource>) -- order to finalize
o deadline (datetime.datetime <https://docs.python
.org/3/library/datetime.html#datetime.datetime>)
-- when to stop polling and timeout
Returns
finalized order
Return type
messages.OrderResource <#acme.messages
.OrderResource>
poll_authorizations(orderr: OrderResource <#acme.messages
.OrderResource>, deadline: datetime <https://docs.python.org/3/
library/datetime.html#datetime.datetime>) -> OrderResource <#
acme.messages.OrderResource>
Poll Order Resource for status.
begin_finalization(orderr: OrderResource <#acme.messages
.OrderResource>) -> OrderResource <#acme.messages.OrderResource>
Start the process of finalizing an order.
Parameters
o orderr (messages.OrderResource <#acme.messages
.OrderResource>) -- order to finalize
o deadline (datetime.datetime <https://docs.python
.org/3/library/datetime.html#datetime.datetime>)
-- when to stop polling and timeout
Returns
updated order
Return type
messages.OrderResource <#acme.messages
.OrderResource>
Raises .messages.Error -- If server indicates order is
not yet in ready state, it will return a 403
(Forbidden) error with a problem document/error
code of type "orderNotReady"
poll_finalization(orderr: OrderResource <#acme.messages
.OrderResource>, deadline: datetime <https://docs.python.org/3/
library/datetime.html#datetime.datetime>,
fetch_alternative_chains: bool <https://docs.python.org/3/
library/functions.html#bool> = False) -> OrderResource <#acme
.messages.OrderResource>
Poll an order that has been finalized for its status. If
it becomes valid, obtain the certificate.
If a finalization request previously returned
orderNotReady, poll until ready, send a new finalization
request, and continue polling until valid as above.
Returns
finalized order (with certificate)
Return type
messages.OrderResource <#acme.messages
.OrderResource>
finalize_order(orderr: OrderResource <#acme.messages
.OrderResource>, deadline: datetime <https://docs.python.org/3/
library/datetime.html#datetime.datetime>,
fetch_alternative_chains: bool <https://docs.python.org/3/
library/functions.html#bool> = False) -> OrderResource <#acme
.messages.OrderResource>
Finalize an order and obtain a certificate.
Parameters
o orderr (messages.OrderResource <#acme.messages
.OrderResource>) -- order to finalize
o deadline (datetime.datetime <https://docs.python
.org/3/library/datetime.html#datetime.datetime>)
-- when to stop polling and timeout
o fetch_alternative_chains (bool <https://docs
.python.org/3/library/functions.html#bool>) --
whether to also fetch alternative certificate
chains
Returns
finalized order
Return type
messages.OrderResource <#acme.messages
.OrderResource>
renewal_time(cert_pem: bytes <https://docs.python.org/3/library/
stdtypes.html#bytes>) -> tuple <https://docs.python.org/3/
library/stdtypes.html#tuple>[datetime <https://docs.python.org/
3/library/datetime.html#datetime.datetime> | None <https://docs
.python.org/3/library/constants.html#None>, datetime <https://
docs.python.org/3/library/datetime.html#datetime.datetime>]
Return an appropriate time to attempt renewal of the
certificate, and the next time to ask the ACME server for
renewal info.
If the certificate has already expired, renewal info
isn't checked. Instead, the certificate's notAfter time
is returned and the certificate should be immediately
renewed.
If the ACME directory has a "renewalInfo" field, the
response will be based on a fetch of the renewal info
resource for the certificate (<https://www.ietf.org/
archive/id/draft-ietf-acme-ari-08.html>).
If there is no "renewalInfo" field, this function will
return a tuple of None, and the next time to ask the ACME
server for renewal info.
This function may make other network calls in the future
(e.g., OCSP or CRL).
Parameters
cert_pem (bytes <https://docs.python.org/3/
library/stdtypes.html#bytes>) -- cert as pem file
Returns
Tuple of time to attempt renewal, next time to ask
for renewal info
Raises errors.ARIError <#acme.errors.ARIError> -- If an
error occurs fetching ARI from the server.
Explicit exception chaining is used so the
original error can be accessed through the
__cause__ attribute on the ARIError if desired.
revoke(cert: Certificate, rsn: int <https://docs.python.org/3/
library/functions.html#int>) -> None <https://docs.python.org/3/
library/constants.html#None>
Revoke certificate.
Parameters
o cert (x509.Certificate) -- x509.Certificate
o rsn (int <https://docs.python.org/3/library/
functions.html#int>) -- Reason code for
certificate revocation.
Raises .ClientError -- If revocation is unsuccessful.
external_account_required() -> bool <https://docs.python.org/3/
library/functions.html#bool>
Checks if ACME server requires External Account Binding
authentication.
classmethod get_directory(url: str <https://docs.python.org/3/
library/stdtypes.html#str>, net: ClientNetwork <#acme.client
.ClientNetwork>) -> Directory <#acme.messages.Directory>
Retrieves the ACME directory (RFC 8555 section 7.1.1)
from the ACME server. :param str url: the URL where the
ACME directory is available :param ClientNetwork net: the
ClientNetwork to use to make the request
Returns
the ACME directory object
Return type
messages.Directory <#acme.messages.Directory>
deactivate_registration(regr: RegistrationResource <#acme
.messages.RegistrationResource>) -> RegistrationResource <#acme
.messages.RegistrationResource>
Deactivate registration.
Parameters
regr (messages.RegistrationResource <#acme
.messages.RegistrationResource>) -- The
Registration Resource to be deactivated.
Returns
The Registration resource that was deactivated.
Return type
RegistrationResource <#acme.messages
.RegistrationResource>
deactivate_authorization(authzr: AuthorizationResource <#acme
.messages.AuthorizationResource>) -> AuthorizationResource <#
acme.messages.AuthorizationResource>
Deactivate authorization.
Parameters
authzr (messages.AuthorizationResource <#acme
.messages.AuthorizationResource>) -- The
Authorization resource to be deactivated.
Returns
The Authorization resource that was deactivated.
Return type
AuthorizationResource <#acme.messages
.AuthorizationResource>
answer_challenge(challb: ChallengeBody <#acme.messages
.ChallengeBody>, response: ChallengeResponse <#acme.challenges
.ChallengeResponse>) -> ChallengeResource <#acme.messages
.ChallengeResource>
Answer challenge.
Parameters
o challb (ChallengeBody <#acme.messages
.ChallengeBody>) -- Challenge Resource body.
o response (challenges.ChallengeResponse <#acme
.challenges.ChallengeResponse>) -- Corresponding
Challenge response
Returns
Challenge Resource with updated body.
Return type
ChallengeResource <#acme.messages
.ChallengeResource>
Raises .UnexpectedUpdate --
classmethod retry_after(response: Response, default: int
<https://docs.python.org/3/library/functions.html#int>) ->
datetime <https://docs.python.org/3/library/datetime.html#
datetime.datetime>
Compute next poll time based on response Retry-After
header.
Handles integers and various datestring formats per
<https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#
sec14.37>
Parameters
o response (requests.Response) -- Response from
poll.
o default (int <https://docs.python.org/3/library/
functions.html#int>) -- Default value (in
seconds), used when Retry-After header is not
present or invalid.
Returns
Time point when next poll should be performed.
Return type
datetime.datetime <https://docs.python.org/3/
library/datetime.html#datetime.datetime>
class acme.client.ClientNetwork(key: JWK <https://josepy.readthedocs
.io/en/latest/api/jwk.html#josepy.jwk.JWK> | None <https://docs.python
.org/3/library/constants.html#None> = None, account:
RegistrationResource <#acme.messages.RegistrationResource> | None
<https://docs.python.org/3/library/constants.html#None> = None, alg:
JWASignature <https://josepy.readthedocs.io/en/latest/api/jwa.html#
josepy.jwa.JWASignature> = RS256, verify_ssl: bool <https://docs.python
.org/3/library/functions.html#bool> = True, user_agent: str <https://
docs.python.org/3/library/stdtypes.html#str> = 'acme-python', timeout:
int <https://docs.python.org/3/library/functions.html#int> = 45)
Wrapper around requests that signs POSTs for authentication.
Also adds user agent, and handles Content-Type.
REPLAY_NONCE_HEADER = 'Replay-Nonce'
Initialize.
Parameters
o key (josepy.JWK) -- Account private key.
Required to use .post().
o account (messages.RegistrationResource <#acme
.messages.RegistrationResource>) -- Account
object. Required if you are planning to use
.post() for anything other than creating a new
account; may be set later after registering.
o alg (josepy.JWASignature) -- Algorithm to use in
signing JWS.
o verify_ssl (bool <https://docs.python.org/3/
library/functions.html#bool>) -- Whether to
verify certificates on SSL connections.
o user_agent (str <https://docs.python.org/3/
library/stdtypes.html#str>) -- String to send as
User-Agent header.
o timeout (int <https://docs.python.org/3/library/
functions.html#int>) -- Timeout for requests.
head(*args: Any <https://docs.python.org/3/library/typing.html#
typing.Any>, **kwargs: Any <https://docs.python.org/3/library/
typing.html#typing.Any>) -> Response
Send HEAD request without checking the response.
Note, that _check_response is not called, as it is
expected that status code other than successfully 2xx
will be returned, or messages2.Error will be raised by
the server.
get(url: str <https://docs.python.org/3/library/stdtypes.html#
str>, content_type: str <https://docs.python.org/3/library/
stdtypes.html#str> = 'application/json', **kwargs: Any <https://
docs.python.org/3/library/typing.html#typing.Any>) -> Response
Send GET request and check response.
post(*args: Any <https://docs.python.org/3/library/typing.html#
typing.Any>, **kwargs: Any <https://docs.python.org/3/library/
typing.html#typing.Any>) -> Response
POST object wrapped in JWS <#acme.jws.JWS> and check
response.
If the server responded with a badNonce error, the
request will be retried once.
Crypto_util
Crypto utilities.
class acme.crypto_util.Format(*values)
File format to be used when parsing or serializing X.509
structures.
Backwards compatible with the FILETYPE_ASN1 and FILETYPE_PEM
constants from pyOpenSSL.
to_cryptography_encoding() -> Encoding
Converts the Format to the corresponding cryptography
Encoding.
acme.crypto_util.make_csr(private_key_pem: bytes <https://docs.python
.org/3/library/stdtypes.html#bytes>, domains: set <https://docs.python
.org/3/library/stdtypes.html#set>[str <https://docs.python.org/3/
library/stdtypes.html#str>] | list <https://docs.python.org/3/library/
stdtypes.html#list>[str <https://docs.python.org/3/library/stdtypes
.html#str>] | None <https://docs.python.org/3/library/constants.html#
None> = None, must_staple: bool <https://docs.python.org/3/library/
functions.html#bool> = False, ipaddrs: list <https://docs.python.org/3/
library/stdtypes.html#list>[IPv4Address <https://docs.python.org/3/
library/ipaddress.html#ipaddress.IPv4Address> | IPv6Address <https://
docs.python.org/3/library/ipaddress.html#ipaddress.IPv6Address>] | None
<https://docs.python.org/3/library/constants.html#None> = None) ->
bytes <https://docs.python.org/3/library/stdtypes.html#bytes>
Generate a CSR containing domains or IPs as subjectAltNames.
Parameters are ordered this way for backwards compatibility when
called using positional arguments.
Parameters
o private_key_pem (buffer) -- Private key, in PEM PKCS#8
format.
o domains (list <https://docs.python.org/3/library/
stdtypes.html#list>) -- List of DNS names to include in
subjectAltNames of CSR.
o must_staple (bool <https://docs.python.org/3/library/
functions.html#bool>) -- Whether to include the TLS
Feature extension (aka OCSP Must Staple: <https://tools
.ietf.org/html/rfc7633>).
o ipaddrs (list <https://docs.python.org/3/library/
stdtypes.html#list>) -- List of IPaddress(type
ipaddress.IPv4Address or ipaddress.IPv6Address) names
to include in subbjectAltNames of CSR.
Returns
buffer PEM-encoded Certificate Signing Request.
acme.crypto_util.get_names_from_subject_and_extensions(subject: Name,
exts: Extensions) -> list <https://docs.python.org/3/library/stdtypes
.html#list>[str <https://docs.python.org/3/library/stdtypes.html#str>]
Gets all DNS SANs as well as the first Common Name from subject.
Parameters
o subject (cryptography.x509.Name) -- Name of the x509
object, which may include Common Name
o exts (cryptography.x509.Extensions) -- Extensions of
the x509 object, which may include SANs
Returns
List of DNS Subject Alternative Names and first Common
Name
Return type
list <https://docs.python.org/3/library/stdtypes.html#
list> of str <https://docs.python.org/3/library/stdtypes
.html#str>
acme.crypto_util.get_identifiers_from_x509(subject: Name, exts:
Extensions) -> tuple <https://docs.python.org/3/library/stdtypes.html#
tuple>[list <https://docs.python.org/3/library/stdtypes.html#list>[str
<https://docs.python.org/3/library/stdtypes.html#str>], list <https://
docs.python.org/3/library/stdtypes.html#list>[str <https://docs.python
.org/3/library/stdtypes.html#str>]]
Gets all DNS and/or IP address SANs as well as the first Common
Name from subject.
The CN will be first in the list of DNS names, if present.
Parameters
o subject (cryptography.x509.Name) -- Name of the x509
object, which may include Common Name
o exts (cryptography.x509.Extensions) -- Extensions of
the x509 object, which may include SANs
Returns
Tuple containing DNS names and IP addresses.
acme.crypto_util.make_self_signed_cert(private_key: Ed25519PrivateKey |
Ed448PrivateKey | RSAPrivateKey | DSAPrivateKey |
EllipticCurvePrivateKey, domains: list <https://docs.python.org/3/
library/stdtypes.html#list>[str <https://docs.python.org/3/library/
stdtypes.html#str>] | None <https://docs.python.org/3/library/constants
.html#None> = None, not_before: datetime <https://docs.python.org/3/
library/datetime.html#datetime.datetime> | None <https://docs.python
.org/3/library/constants.html#None> = None, validity: timedelta
<https://docs.python.org/3/library/datetime.html#datetime.timedelta> |
None <https://docs.python.org/3/library/constants.html#None> = None,
force_san: bool <https://docs.python.org/3/library/functions.html#bool>
= True, extensions: list <https://docs.python.org/3/library/stdtypes
.html#list>[Extension] | None <https://docs.python.org/3/library/
constants.html#None> = None, ips: list <https://docs.python.org/3/
library/stdtypes.html#list>[IPv4Address <https://docs.python.org/3/
library/ipaddress.html#ipaddress.IPv4Address> | IPv6Address <https://
docs.python.org/3/library/ipaddress.html#ipaddress.IPv6Address>] | None
<https://docs.python.org/3/library/constants.html#None> = None) ->
Certificate
Generate new self-signed certificate. :param buffer
private_key_pem: Private key, in PEM PKCS#8 format. :type
domains: list <https://docs.python.org/3/library/stdtypes.html#
list> of str <https://docs.python.org/3/library/stdtypes.html#
str> :param int not_before: A datetime after which the cert is
valid. If no timezone is specified, UTC is assumed :type
not_before: datetime.datetime <https://docs.python.org/3/
library/datetime.html#datetime.datetime> :param validity:
Duration for which the cert will be valid. Defaults to 1 week
:type validity: datetime.timedelta <https://docs.python.org/3/
library/datetime.html#datetime.timedelta> :param buffer
private_key_pem: One of
cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes
:param bool force_san: :param extensions: List of additional
extensions to include in the cert. :type extensions: list
<https://docs.python.org/3/library/stdtypes.html#list> of
x509.Extension[x509.ExtensionType] :type ips: list <https://docs
.python.org/3/library/stdtypes.html#list> of
(ipaddress.IPv4Address <https://docs.python.org/3/library/
ipaddress.html#ipaddress.IPv4Address> or ipaddress.IPv6Address
<https://docs.python.org/3/library/ipaddress.html#ipaddress
.IPv6Address>) If more than one domain is provided, all of the
domains are put into subjectAltName X.509 extension and first
domain is set as the subject CN. If only one domain is provided
no subjectAltName extension is used, unless force_san is True.
acme.crypto_util.dump_cryptography_chain(chain:
list[~cryptography.hazmat.bindings._rust.x509.Certificate], encoding:
~typing.Literal[Encoding.PEM, Encoding.DER] = <Encoding.PEM: 'PEM'>) ->
bytes <https://docs.python.org/3/library/stdtypes.html#bytes>
Dump certificate chain into a bundle.
Parameters
chain (list <https://docs.python.org/3/library/stdtypes
.html#list>) -- List of cryptography.x509.Certificate.
Returns
certificate chain bundle
Return type
bytes <https://docs.python.org/3/library/stdtypes.html#
bytes>
Deprecated .. deprecated: 3.2.1
Errors
ACME errors.
exception acme.errors.Error
Generic ACME error.
exception acme.errors.DependencyError
Dependency error
exception acme.errors.SchemaValidationError
JSON schema ACME object validation error.
exception acme.errors.ClientError
Network error.
exception acme.errors.UnexpectedUpdate
Unexpected update error.
exception acme.errors.NonceError
Server response nonce error.
exception acme.errors.BadNonce(nonce: str <https://docs.python.org/3/
library/stdtypes.html#str>, error: Exception <https://docs.python.org/
3/library/exceptions.html#Exception>, *args: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
Bad nonce error.
exception acme.errors.MissingNonce(response: Response, *args: Any
<https://docs.python.org/3/library/typing.html#typing.Any>)
Missing nonce error.
According to the specification an "ACME server MUST include an
Replay-Nonce header field in each successful response to a POST
it provides to a client (...)".
Variables
~.response (requests.Response) -- HTTP Response
exception acme.errors.PollError(exhausted: set <https://docs.python
.org/3/library/stdtypes.html#set>[messages.AuthorizationResource <#acme
.messages.AuthorizationResource>], updated: Mapping <https://docs
.python.org/3/library/typing.html#typing
.Mapping>[messages.AuthorizationResource <#acme.messages
.AuthorizationResource>, messages.AuthorizationResource <#acme.messages
.AuthorizationResource>])
Generic error when polling for authorization fails.
This might be caused by either timeout (exhausted will be
non-empty) or by some authorization being invalid.
Variables
o exhausted -- Set of AuthorizationResource <#acme
.messages.AuthorizationResource> that didn't finish
within max allowed attempts.
o updated -- Mapping from original AuthorizationResource
<#acme.messages.AuthorizationResource> to the most
recently updated one
property timeout: bool <https://docs.python.org/3/library/
functions.html#bool>
Was the error caused by timeout?
exception acme.errors.ValidationError(failed_authzrs: list <https://
docs.python.org/3/library/stdtypes.html#
list>[messages.AuthorizationResource <#acme.messages
.AuthorizationResource>])
Error for authorization failures. Contains a list of
authorization resources, each of which is invalid and should
have an error field.
exception acme.errors.TimeoutError
Error for when polling an authorization or an order times out.
exception acme.errors.IssuanceError(error: messages.Error <#acme
.messages.Error>)
Error sent by the server after requesting issuance of a
certificate.
exception acme.errors.ConflictError(location: str <https://docs.python
.org/3/library/stdtypes.html#str>)
Error for when the server returns a 409 (Conflict) HTTP status.
In the version of ACME implemented by Boulder, this is used to
find an account if you only have the private key, but don't know
the account URL.
Also used in V2 of the ACME client for the same purpose.
exception acme.errors.WildcardUnsupportedError
Error for when a wildcard is requested but is unsupported by
ACME CA.
exception acme.errors.ARIError(message: str <https://docs.python.org/3/
library/stdtypes.html#str>, retry_after: datetime <https://docs.python
.org/3/library/datetime.html#datetime.datetime>)
An error occurred during an ARI request and we want to suggest a
Retry-After time.
Fields
ACME JSON fields.
class acme.fields.Fixed(json_name: str <https://docs.python.org/3/
library/stdtypes.html#str>, value: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
Fixed field.
decode(value: Any <https://docs.python.org/3/library/typing
.html#typing.Any>) -> Any <https://docs.python.org/3/library/
typing.html#typing.Any>
Decode a value, optionally with context JSON object.
encode(value: Any <https://docs.python.org/3/library/typing
.html#typing.Any>) -> Any <https://docs.python.org/3/library/
typing.html#typing.Any>
Encode a value, optionally with context JSON object.
class acme.fields.RFC3339Field(json_name: str <https://docs.python.org/
3/library/stdtypes.html#str>, default: Any <https://docs.python.org/3/
library/typing.html#typing.Any> = None, omitempty: bool <https://docs
.python.org/3/library/functions.html#bool> = False, decoder: Callable
<https://docs.python.org/3/library/typing.html#typing.Callable>[[Any
<https://docs.python.org/3/library/typing.html#typing.Any>], Any
<https://docs.python.org/3/library/typing.html#typing.Any>] | None
<https://docs.python.org/3/library/constants.html#None> = None,
encoder: Callable <https://docs.python.org/3/library/typing.html#typing
.Callable>[[Any <https://docs.python.org/3/library/typing.html#typing
.Any>], Any <https://docs.python.org/3/library/typing.html#typing.Any>]
| None <https://docs.python.org/3/library/constants.html#None> = None)
RFC3339 field encoder/decoder.
Handles decoding/encoding between RFC3339 strings and aware (not
naive) datetime.datetime <https://docs.python.org/3/library/
datetime.html#datetime.datetime> objects (e.g.
datetime.datetime.now(datetime.timezone.utc)).
classmethod default_encoder(value: datetime <https://docs.python
.org/3/library/datetime.html#datetime.datetime>) -> str
<https://docs.python.org/3/library/stdtypes.html#str>
Default (passthrough) encoder.
classmethod default_decoder(value: str <https://docs.python.org/
3/library/stdtypes.html#str>) -> datetime <https://docs.python
.org/3/library/datetime.html#datetime.datetime>
Default decoder.
Recursively deserialize into immutable types (
josepy.util.frozendict <https://josepy.readthedocs.io/en/
latest/api/util.html#josepy.util.frozendict> instead of
dict(), tuple() instead of list()).
acme.fields.fixed(json_name: str <https://docs.python.org/3/library/
stdtypes.html#str>, value: Any <https://docs.python.org/3/library/
typing.html#typing.Any>) -> Any <https://docs.python.org/3/library/
typing.html#typing.Any>
Generates a type-friendly Fixed field.
acme.fields.rfc3339(json_name: str <https://docs.python.org/3/library/
stdtypes.html#str>, omitempty: bool <https://docs.python.org/3/library/
functions.html#bool> = False) -> Any <https://docs.python.org/3/
library/typing.html#typing.Any>
Generates a type-friendly RFC3339 field.
JOSE
The acme.jose module was moved to its own package "josepy <https://
josepy.readthedocs.io/>". Please refer to its documentation there.
JWS
ACME-specific JWS.
The JWS implementation in josepy only implements the base JOSE
standard. In order to support the new header fields defined in ACME,
this module defines some ACME-specific classes that layer on top of
josepy.
class acme.jws.Header(**kwargs: Any <https://docs.python.org/3/library/
typing.html#typing.Any>)
ACME-specific JOSE Header. Implements nonce, kid, and url.
class acme.jws.Signature(**kwargs: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
ACME-specific Signature. Uses ACME-specific Header for customer
fields.
header_cls
alias of Header
class acme.jws.JWS(**kwargs: Any <https://docs.python.org/3/library/
typing.html#typing.Any>)
ACME-specific JWS. Includes none, url, and kid in protected
header.
signature_cls
alias of Signature
classmethod sign(payload: bytes <https://docs.python.org/3/
library/stdtypes.html#bytes>, key: JWK <https://josepy
.readthedocs.io/en/latest/api/jwk.html#josepy.jwk.JWK>, alg:
JWASignature <https://josepy.readthedocs.io/en/latest/api/jwa
.html#josepy.jwa.JWASignature>, nonce: bytes <https://docs
.python.org/3/library/stdtypes.html#bytes> | None <https://docs
.python.org/3/library/constants.html#None>, url: str <https://
docs.python.org/3/library/stdtypes.html#str> | None <https://
docs.python.org/3/library/constants.html#None> = None, kid: str
<https://docs.python.org/3/library/stdtypes.html#str> | None
<https://docs.python.org/3/library/constants.html#None> = None)
-> JWS <https://josepy.readthedocs.io/en/latest/api/jws.html#
josepy.jws.JWS>
Sign.
Messages
ACME protocol messages.
acme.messages.is_acme_error(err: BaseException <https://docs.python
.org/3/library/exceptions.html#BaseException>) -> bool <https://docs
.python.org/3/library/functions.html#bool>
Check if argument is an ACME error.
class acme.messages.IdentifierType(name: str <https://docs.python.org/
3/library/stdtypes.html#str>)
ACME identifier type.
class acme.messages.Identifier(**kwargs: Any <https://docs.python.org/
3/library/typing.html#typing.Any>)
ACME identifier.
Variables
o typ (IdentifierType <#acme.messages.IdentifierType>)
o value (str <https://docs.python.org/3/library/stdtypes
.html#str>)
exception acme.messages.Error(**kwargs: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
ACME error.
<https://datatracker.ietf.org/doc/html/rfc7807>
Note: Although Error inherits from JSONObjectWithFields, which
is immutable, we add mutability for Error to comply with the
Python exception API.
Variables
o typ (str <https://docs.python.org/3/library/stdtypes
.html#str>)
o title (str <https://docs.python.org/3/library/stdtypes
.html#str>)
o detail (str <https://docs.python.org/3/library/stdtypes
.html#str>)
o identifier (Identifier <#acme.messages.Identifier>)
o subproblems (tuple <https://docs.python.org/3/library/
stdtypes.html#tuple>) -- An array of ACME Errors which
may be present when the CA returns multiple errors
related to the same request, tuple <https://docs.python
.org/3/library/stdtypes.html#tuple> of Error.
classmethod with_code(code: str <https://docs.python.org/3/
library/stdtypes.html#str>, **kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>) -> Error <#acme.messages
.Error>
Create an Error instance with an ACME Error code.
Str code
An ACME error code, like 'dnssec'.
Kwargs kwargs to pass to Error.
property description: str <https://docs.python.org/3/library/
stdtypes.html#str> | None <https://docs.python.org/3/library/
constants.html#None>
Hardcoded error description based on its type.
Returns
Description if standard ACME error or None.
Return type
str <https://docs.python.org/3/library/stdtypes
.html#str>
property code: str <https://docs.python.org/3/library/stdtypes
.html#str> | None <https://docs.python.org/3/library/constants
.html#None>
ACME error code.
Basically self.typ without the ERROR_PREFIX.
Returns
error code if standard ACME code or None.
Return type
str <https://docs.python.org/3/library/stdtypes
.html#str>
class acme.messages.Status(name: str <https://docs.python.org/3/
library/stdtypes.html#str>)
ACME "status" field.
class acme.messages.Directory(jobj: Mapping <https://docs.python.org/3/
library/typing.html#typing.Mapping>[str <https://docs.python.org/3/
library/stdtypes.html#str>, Any <https://docs.python.org/3/library/
typing.html#typing.Any>])
Directory.
Directory resources must be accessed by the exact field name in
RFC8555 (section 9.7.5).
class Meta(**kwargs: Any <https://docs.python.org/3/library/
typing.html#typing.Any>)
Directory Meta.
property terms_of_service: str <https://docs.python.org/
3/library/stdtypes.html#str>
URL for the CA TOS
to_partial_json() -> dict <https://docs.python.org/3/library/
stdtypes.html#dict>[str <https://docs.python.org/3/library/
stdtypes.html#str>, Any <https://docs.python.org/3/library/
typing.html#typing.Any>]
Partially serialize.
Following the example, partial serialization means the
following:
assert isinstance(Bar().to_partial_json()[0], Foo)
assert isinstance(Bar().to_partial_json()[1], Foo)
# in particular...
assert Bar().to_partial_json() != ['foo', 'foo']
Raises josepy.errors.SerializationError <https://josepy
.readthedocs.io/en/latest/api/errors.html#josepy
.errors.SerializationError> -- in case of any
serialization error.
Returns
Partially serializable object.
classmethod from_json(jobj: MutableMapping <https://docs.python
.org/3/library/typing.html#typing.MutableMapping>[str <https://
docs.python.org/3/library/stdtypes.html#str>, Any <https://docs
.python.org/3/library/typing.html#typing.Any>]) -> Directory <#
acme.messages.Directory>
Deserialize a decoded JSON document.
Parameters
jobj -- Python object, composed of only other
basic data types, as decoded from JSON document.
Not necessarily dict <https://docs.python.org/3/
library/stdtypes.html#dict> (as decoded from "JSON
object" document).
Raises josepy.errors.DeserializationError <https://josepy
.readthedocs.io/en/latest/api/errors.html#josepy
.errors.DeserializationError> -- if decoding was
unsuccessful, e.g. in case of unparseable X509
certificate, or wrong padding in JOSE base64
encoded string, etc.
class acme.messages.Resource(**kwargs: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
ACME Resource.
Variables
body (acme.messages.ResourceBody <#acme.messages
.ResourceBody>) -- Resource body.
class acme.messages.ResourceWithURI(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
ACME Resource with URI.
Variables
uri (str <https://docs.python.org/3/library/stdtypes
.html#str>) -- Location of the resource.
class acme.messages.ResourceBody(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
ACME Resource Body.
class acme.messages.ExternalAccountBinding
ACME External Account Binding
classmethod from_data(account_public_key: JWK <https://josepy
.readthedocs.io/en/latest/api/jwk.html#josepy.jwk.JWK>, kid: str
<https://docs.python.org/3/library/stdtypes.html#str>, hmac_key:
str <https://docs.python.org/3/library/stdtypes.html#str>,
directory: Directory <#acme.messages.Directory>, hmac_alg: str
<https://docs.python.org/3/library/stdtypes.html#str> = 'HS256')
-> dict <https://docs.python.org/3/library/stdtypes.html#
dict>[str <https://docs.python.org/3/library/stdtypes.html#str>,
Any <https://docs.python.org/3/library/typing.html#typing.Any>]
Create External Account Binding Resource from contact
details, kid and hmac.
class acme.messages.Registration(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
Registration Resource Body.
Variables
o key (jose.JWK) -- Public key.
o contact (tuple <https://docs.python.org/3/library/
stdtypes.html#tuple>) -- Contact information following
ACME spec, tuple <https://docs.python.org/3/library/
stdtypes.html#tuple> of str <https://docs.python.org/3/
library/stdtypes.html#str>.
o agreement (str <https://docs.python.org/3/library/
stdtypes.html#str>)
classmethod from_data(phone: str <https://docs.python.org/3/
library/stdtypes.html#str> | None <https://docs.python.org/3/
library/constants.html#None> = None, email: str <https://docs
.python.org/3/library/stdtypes.html#str> | None <https://docs
.python.org/3/library/constants.html#None> = None,
external_account_binding: dict <https://docs.python.org/3/
library/stdtypes.html#dict>[str <https://docs.python.org/3/
library/stdtypes.html#str>, Any <https://docs.python.org/3/
library/typing.html#typing.Any>] | None <https://docs.python
.org/3/library/constants.html#None> = None, **kwargs: Any
<https://docs.python.org/3/library/typing.html#typing.Any>) ->
GenericRegistration
Create registration resource from contact details.
The contact keyword being passed to a Registration object
is meaningful, so this function represents empty
iterables in its kwargs by passing on an empty tuple
<https://docs.python.org/3/library/stdtypes.html#tuple>.
to_partial_json() -> dict <https://docs.python.org/3/library/
stdtypes.html#dict>[str <https://docs.python.org/3/library/
stdtypes.html#str>, Any <https://docs.python.org/3/library/
typing.html#typing.Any>]
Modify josepy.JSONDeserializable.to_partial_json()
fields_to_partial_json() -> dict <https://docs.python.org/3/
library/stdtypes.html#dict>[str <https://docs.python.org/3/
library/stdtypes.html#str>, Any <https://docs.python.org/3/
library/typing.html#typing.Any>]
Modify
josepy.JSONObjectWithFields.fields_to_partial_json()
property phones: tuple <https://docs.python.org/3/library/
stdtypes.html#tuple>[str <https://docs.python.org/3/library/
stdtypes.html#str>, ...]
All phones found in the contact field.
property emails: tuple <https://docs.python.org/3/library/
stdtypes.html#tuple>[str <https://docs.python.org/3/library/
stdtypes.html#str>, ...]
All emails found in the contact field.
class acme.messages.NewRegistration(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
New registration.
class acme.messages.UpdateRegistration(**kwargs: Any <https://docs
.python.org/3/library/typing.html#typing.Any>)
Update registration.
class acme.messages.RegistrationResource(**kwargs: Any <https://docs
.python.org/3/library/typing.html#typing.Any>)
Registration Resource.
Variables
o body (acme.messages.Registration <#acme.messages
.Registration>)
o new_authzr_uri (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- Deprecated. Do not use.
o terms_of_service (str <https://docs.python.org/3/
library/stdtypes.html#str>) -- URL for the CA TOS.
class acme.messages.ChallengeBody(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
Challenge Resource Body.
Variables
o acme.challenges.Challenge -- Wrapped challenge.
Conveniently, all challenge fields are proxied, i.e.
you can call challb.x to get challb.chall.x contents.
o status (acme.messages.Status <#acme.messages.Status>)
o validated (datetime.datetime <https://docs.python.org/
3/library/datetime.html#datetime.datetime>)
o error (messages.Error <#acme.messages.Error>)
encode(name: str <https://docs.python.org/3/library/stdtypes
.html#str>) -> Any <https://docs.python.org/3/library/typing
.html#typing.Any>
Encode a single field.
Parameters
name (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- Name of the field to be
encoded.
Raises
o errors.SerializationError -- if field cannot be
serialized
o errors.Error <#acme.errors.Error> -- if field
could not be found
to_partial_json() -> dict <https://docs.python.org/3/library/
stdtypes.html#dict>[str <https://docs.python.org/3/library/
stdtypes.html#str>, Any <https://docs.python.org/3/library/
typing.html#typing.Any>]
Partially serialize.
Following the example, partial serialization means the
following:
assert isinstance(Bar().to_partial_json()[0], Foo)
assert isinstance(Bar().to_partial_json()[1], Foo)
# in particular...
assert Bar().to_partial_json() != ['foo', 'foo']
Raises josepy.errors.SerializationError <https://josepy
.readthedocs.io/en/latest/api/errors.html#josepy
.errors.SerializationError> -- in case of any
serialization error.
Returns
Partially serializable object.
classmethod fields_from_json(jobj: Mapping <https://docs.python
.org/3/library/typing.html#typing.Mapping>[str <https://docs
.python.org/3/library/stdtypes.html#str>, Any <https://docs
.python.org/3/library/typing.html#typing.Any>]) -> dict
<https://docs.python.org/3/library/stdtypes.html#dict>[str
<https://docs.python.org/3/library/stdtypes.html#str>, Any
<https://docs.python.org/3/library/typing.html#typing.Any>]
Deserialize fields from JSON.
property uri: str <https://docs.python.org/3/library/stdtypes
.html#str>
The URL of this challenge.
class acme.messages.ChallengeResource(**kwargs: Any <https://docs
.python.org/3/library/typing.html#typing.Any>)
Challenge Resource.
Variables
o body (acme.messages.ChallengeBody <#acme.messages
.ChallengeBody>)
o authzr_uri (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- URI found in the 'up' Link
header.
property uri: str <https://docs.python.org/3/library/stdtypes
.html#str>
The URL of the challenge body.
class acme.messages.Authorization(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
Authorization Resource Body.
Variables
o identifier (acme.messages.Identifier <#acme.messages
.Identifier>)
o challenges (list <https://docs.python.org/3/library/
stdtypes.html#list>) -- list <https://docs.python.org/
3/library/stdtypes.html#list> of ChallengeBody
o status (acme.messages.Status <#acme.messages.Status>)
o expires (datetime.datetime <https://docs.python.org/3/
library/datetime.html#datetime.datetime>)
class acme.messages.NewAuthorization(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
New authorization.
class acme.messages.UpdateAuthorization(**kwargs: Any <https://docs
.python.org/3/library/typing.html#typing.Any>)
Update authorization.
class acme.messages.AuthorizationResource(**kwargs: Any <https://docs
.python.org/3/library/typing.html#typing.Any>)
Authorization Resource.
Variables
o body (acme.messages.Authorization <#acme.messages
.Authorization>)
o new_cert_uri (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- Deprecated. Do not use.
class acme.messages.CertificateRequest(**kwargs: Any <https://docs
.python.org/3/library/typing.html#typing.Any>)
ACME newOrder request.
Variables
csr (x509.CertificateSigningRequest) --
x509.CertificateSigningRequest
class acme.messages.CertificateResource(**kwargs: Any <https://docs
.python.org/3/library/typing.html#typing.Any>)
Certificate Resource.
Variables
o body (x509.Certificate) -- x509.Certificate
o cert_chain_uri (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- URI found in the 'up' Link
header
o authzrs (tuple <https://docs.python.org/3/library/
stdtypes.html#tuple>) -- tuple <https://docs.python
.org/3/library/stdtypes.html#tuple> of
AuthorizationResource.
class acme.messages.Revocation(**kwargs: Any <https://docs.python.org/
3/library/typing.html#typing.Any>)
Revocation message.
Variables
certificate (x509.Certificate) -- x509.Certificate
class acme.messages.Order(**kwargs: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
Order Resource Body.
Variables
o profile (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- The profile to request.
o identifiers (list <https://docs.python.org/3/library/
stdtypes.html#list> of Identifier) -- List of
identifiers for the certificate.
o status (acme.messages.Status <#acme.messages.Status>)
o authorizations (list <https://docs.python.org/3/
library/stdtypes.html#list> of str <https://docs.python
.org/3/library/stdtypes.html#str>) -- URLs of
authorizations.
o certificate (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- URL to download certificate as a
fullchain PEM.
o finalize (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- URL to POST to to request
issuance once all authorizations have "valid" status.
o expires (datetime.datetime <https://docs.python.org/3/
library/datetime.html#datetime.datetime>) -- When the
order expires.
o error (Error) -- Any error that occurred during
finalization, if applicable.
class acme.messages.OrderResource(**kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
Order Resource.
Variables
o body (acme.messages.Order <#acme.messages.Order>)
o csr_pem (bytes <https://docs.python.org/3/library/
stdtypes.html#bytes>) -- The CSR this Order will be
finalized with.
o authorizations (list <https://docs.python.org/3/
library/stdtypes.html#list> of
acme.messages.AuthorizationResource) -- Fully-fetched
AuthorizationResource objects.
o fullchain_pem (str <https://docs.python.org/3/library/
stdtypes.html#str>) -- The fetched contents of the
certificate URL produced once the order was finalized,
if it's present.
o alternative_fullchains_pem (list <https://docs.python
.org/3/library/stdtypes.html#list> of str <https://docs
.python.org/3/library/stdtypes.html#str>) -- The
fetched contents of alternative certificate chain URLs
produced once the order was finalized, if present and
requested during finalization.
class acme.messages.NewOrder(**kwargs: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
New order.
class acme.messages.RenewalInfo(**kwargs: Any <https://docs.python.org/
3/library/typing.html#typing.Any>)
Renewal Info Resource Body. :ivar acme.messages.SuggestedWindow
window: The suggested renewal window.
class SuggestedWindow(**kwargs: Any <https://docs.python.org/3/
library/typing.html#typing.Any>)
Suggested Renewal Window, sub-resource of Renewal Info
Resource. :ivar datetime.datetime start: Beginning of
suggested renewal window :ivar datetime.datetime end: End
of suggested renewal window (inclusive)
Standalone
Support for standalone client challenge solvers.
class acme.standalone.ACMEServerMixin
ACME server common settings mixin.
class acme.standalone.BaseDualNetworkedServers(ServerClass: type
<https://docs.python.org/3/library/functions.html#type>[TCPServer
<https://docs.python.org/3/library/socketserver.html#socketserver
.TCPServer>], server_address: tuple <https://docs.python.org/3/library/
stdtypes.html#tuple>[str <https://docs.python.org/3/library/stdtypes
.html#str>, int <https://docs.python.org/3/library/functions.html#
int>], *remaining_args: Any <https://docs.python.org/3/library/typing
.html#typing.Any>, **kwargs: Any <https://docs.python.org/3/library/
typing.html#typing.Any>)
Base class for a pair of IPv6 and IPv4 servers that tries to do
everything it's asked for both servers, but where failures in
one server don't affect the other.
If two servers are instantiated, they will serve on the same
port.
serve_forever() -> None <https://docs.python.org/3/library/
constants.html#None>
Wraps socketserver.TCPServer.serve_forever
getsocknames() -> list <https://docs.python.org/3/library/
stdtypes.html#list>[tuple <https://docs.python.org/3/library/
stdtypes.html#tuple>[str <https://docs.python.org/3/library/
stdtypes.html#str>, int <https://docs.python.org/3/library/
functions.html#int>]]
Wraps socketserver.TCPServer.socket.getsockname
shutdown_and_server_close() -> None <https://docs.python.org/3/
library/constants.html#None>
Wraps socketserver.TCPServer.shutdown,
socketserver.TCPServer.server_close, and
threading.Thread.join
class acme.standalone.HTTPServer(*args: Any <https://docs.python.org/3/
library/typing.html#typing.Any>, **kwargs: Any <https://docs.python
.org/3/library/typing.html#typing.Any>)
Generic HTTP Server.
class acme.standalone.HTTP01Server(server_address: tuple <https://docs
.python.org/3/library/stdtypes.html#tuple>[str <https://docs.python
.org/3/library/stdtypes.html#str>, int <https://docs.python.org/3/
library/functions.html#int>], resources: set <https://docs.python.org/
3/library/stdtypes.html#set>[HTTP01Resource <#acme.standalone
.HTTP01RequestHandler.HTTP01Resource>], ipv6: bool <https://docs.python
.org/3/library/functions.html#bool> = False, timeout: int <https://docs
.python.org/3/library/functions.html#int> = 30)
HTTP01 Server.
class acme.standalone.HTTP01DualNetworkedServers(*args: Any <https://
docs.python.org/3/library/typing.html#typing.Any>, **kwargs: Any
<https://docs.python.org/3/library/typing.html#typing.Any>)
HTTP01Server Wrapper. Tries everything for both. Failures for
one don't affect the other.
class acme.standalone.HTTP01RequestHandler(*args: Any <https://docs
.python.org/3/library/typing.html#typing.Any>, **kwargs: Any <https://
docs.python.org/3/library/typing.html#typing.Any>)
HTTP01 challenge handler.
Adheres to the stdlib's socketserver.BaseRequestHandler
<https://docs.python.org/3/library/socketserver.html#
socketserver.BaseRequestHandler> interface.
Variables
simple_http_resources (set <https://docs.python.org/3/
library/stdtypes.html#set>) -- A set of HTTP01Resource
objects. TODO: better name?
class HTTP01Resource(chall, response, validation)
chall Alias for field number 0
response
Alias for field number 1
validation
Alias for field number 2
property timeout: int <https://docs.python.org/3/library/
functions.html#int>
The default timeout this server should apply to requests.
:return: timeout to apply :rtype: int
log_message(format: str <https://docs.python.org/3/library/
stdtypes.html#str>, *args: Any <https://docs.python.org/3/
library/typing.html#typing.Any>) -> None <https://docs.python
.org/3/library/constants.html#None>
Log arbitrary message.
handle() -> None <https://docs.python.org/3/library/constants
.html#None>
Handle request.
handle_index() -> None <https://docs.python.org/3/library/
constants.html#None>
Handle index page.
handle_404() -> None <https://docs.python.org/3/library/
constants.html#None>
Handler 404 Not Found errors.
handle_simple_http_resource() -> None <https://docs.python.org/
3/library/constants.html#None>
Handle HTTP01 provisioned resources.
classmethod partial_init(simple_http_resources: set <https://
docs.python.org/3/library/stdtypes.html#set>[HTTP01Resource <#
acme.standalone.HTTP01RequestHandler.HTTP01Resource>], timeout:
int <https://docs.python.org/3/library/functions.html#int>) ->
partial[HTTP01RequestHandler <#acme.standalone
.HTTP01RequestHandler>]
Partially initialize this handler.
This is useful because socketserver.BaseServer <https://
docs.python.org/3/library/socketserver.html#socketserver
.BaseServer> takes uninitialized handler and initializes
it with the current request.
Util
ACME utilities.
acme.util.map_keys(dikt: Mapping <https://docs.python.org/3/library/
typing.html#typing.Mapping>[Any <https://docs.python.org/3/library/
typing.html#typing.Any>, Any <https://docs.python.org/3/library/typing
.html#typing.Any>], func: Callable <https://docs.python.org/3/library/
typing.html#typing.Callable>[[Any <https://docs.python.org/3/library/
typing.html#typing.Any>], Any <https://docs.python.org/3/library/typing
.html#typing.Any>]) -> dict <https://docs.python.org/3/library/stdtypes
.html#dict>[Any <https://docs.python.org/3/library/typing.html#typing
.Any>, Any <https://docs.python.org/3/library/typing.html#typing.Any>]
Map dictionary keys.
ACME protocol implementation.
This module is an implementation of the ACME protocol <https://
datatracker.ietf.org/doc/html/rfc8555>.
o Index <>
o Module Index <>
o Search Page <>
Author
Let's Encrypt Project
Copyright
2015, Let's Encrypt Project
0 December 3, 2025 acme-python(1)
py-acme 5.2.1 - Generated Wed Dec 3 16:41:32 CST 2025