Hi -

My team is adding ACME 2.0 client support to the Open Liberty application server and wanted to test against Dogtag PKI's ACME server. My intention is to containerize the ACME server and drive it through the same functional tests we run against other ACME CA servers (i.e. - Pebble and Boulder for instance) to verify compatibility.

The first error I hit was an issue with using JSS 4.7 and I understand that will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .

2020-05-04 22:15:53 [http-nio-8080-exec-5] SEVERE: Unable to validate HTTP-01 challenge: Unable to get SunJSSE provider for TLS: SSLContextImpl is not initialized

java.lang.RuntimeException: Unable to get SunJSSE provider for TLS: SSLContextImpl is not initialized

at org.mozilla.jss.provider.javax.net.JSSContextSpi.engineGetSocketFactory(JSSContextSpi.java:118)

at javax.net.ssl.SSLContext.getSocketFactory(SSLContext.java:294)

at org.apache.http.conn.ssl.SSLConnectionSocketFactory.<init>(SSLConnectionSocketFactory.java:292)

at org.apache.http.impl.client.HttpClientBuilder.build(HttpClientBuilder.java:978)

at org.apache.http.impl.client.HttpClients.createDefault(HttpClients.java:56)

at org.dogtagpki.acme.validator.HTTP01Validator.getResponse(HTTP01Validator.java:112)

at org.dogtagpki.acme.validator.HTTP01Validator.validateChallenge(HTTP01Validator.java:63)

at org.dogtagpki.acme.server.ACMEChallengeService.handlePOST(ACMEChallengeService.java:99)

...

To move past this error, I was advised to move down to JSS 4.6.2. Upon doing so, I made it past the initial error but now hit the following error:

2020-05-05 18:36:08 [http-nio-8080-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/acme] threw exception

org.jboss.resteasy.spi.UnhandledException: org.apache.commons.lang.NotImplementedException: Code is not implemented

at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)

at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)

...

Caused by: org.apache.commons.lang.NotImplementedException: Code is not implemented

at org.dogtagpki.acme.issuer.ACMEIssuer.generateCertificate(ACMEIssuer.java:61)

at org.dogtagpki.acme.issuer.ACMEIssuer.issueCertificate(ACMEIssuer.java:73)

at org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST(ACMEFinalizeOrderService.java:79)

...

I can see in the ACME server's trace that it does indeed authorize my ownership of the domain and then try to issue the certificate. Examining the AcmeIssuer class shows that this class has several methods that are not implemented.

https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61

Is this expected or is it possible I have a misconfiguration? I assume I am testing too early and need to wait until the implementation is further along, but I wanted to test early enough that if there were issues I could detect them earlier rather than later.

If it matters, I am testing the with the image from @pki/master on a Fedora 30 docker container.

Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/

507-513-6234 jlvanhil@us.ibm.com