feat(readme): document built-in ACME directory server and CA capabilities
@@ -43,10 +43,34 @@ Key implementation details:
- `TaskManager.start()` is called in `SmartAcme.start()` and `TaskManager.stop()` in `SmartAcme.stop()`.
- The "no cronjobs specified" log messages during tests come from taskbuffer's internal CronManager polling — harmless noise when no cron tasks are scheduled.
## ACME Directory Server (ts_server/)
As of v9.2.0, a built-in ACME Directory Server lives under `ts_server/`. This is a full RFC 8555-compliant CA server that allows running your own Certificate Authority.
Key files:
- `ts_server/server.classes.acmeserver.ts` — Top-level `AcmeServer` facade (start/stop/config)
- `ts_server/server.classes.ca.ts` — Self-signed root CA generation + certificate signing via `@peculiar/x509`
- `ts_server/server.classes.jws.verifier.ts` — JWS signature verification (inverse of `AcmeCrypto.createJws`)
- `ts_server/server.classes.router.ts` — Minimal HTTP router with `:param` support using raw `node:http`
- `ts_server/server.classes.nonce.ts` — Single-use replay nonce management
- `ts_server/server.classes.challenge.verifier.ts` — HTTP-01/DNS-01 verification (with bypass mode)
- `ts_server/server.classes.account.store.ts` — In-memory account storage
- `ts_server/server.classes.order.store.ts` — In-memory order/authz/challenge/cert storage
- `ts_server/server.handlers.*.ts` — Route handlers for each ACME endpoint
Design decisions:
- Uses raw `node:http` (no framework dependency — `@api.global/typedserver` was explicitly removed in v8.1.0)
- Zero new dependencies: uses `node:crypto`, `@peculiar/x509`, and existing project deps
- Reuses `AcmeCrypto` for JWK thumbprint/base64url, ACME interfaces for response types, `AcmeError` patterns
- `AcmeCrypto.getAlg()` was made public (was private) for use by the JWS verifier
- Storage interfaces (`IServerAccountStore`, `IServerOrderStore`) are pluggable, with in-memory defaults
- `challengeVerification: false` option auto-approves challenges for testing
- `tsbuild tsfolders` automatically compiles `ts_server/` to `dist_ts_server/`
## Dependency Notes
- `acme-client` was replaced with custom implementation in `ts/acme/` + `@peculiar/x509` for CSR generation
- `@push.rocks/smartfile`, `@api.global/typedserver`, `@push.rocks/smartrequest`, `@push.rocks/smartpromise` were removed as unused dependencies in v8.1.0
- The `@apiclient.xyz/cloudflare` `convenience` namespace is deprecated but still functional. The `Dns01Handler` accepts an `IConvenientDnsProvider` interface which remains stable.
- Test imports use `@git.zone/tstest/tapbundle` (not `@push.rocks/tapbundle`)
- Build uses `tsbuild` (no flags needed, v4+)
- Build uses `tsbuild tsfolders` (v4.3.0+) — auto-discovers and compiles `ts/` and `ts_server/` directories
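Review bot: the bullet "`challengeVerification: false` option auto-approves challenges for testing" under "Design decisions" (and the matching "(with bypass mode)" note on `server.classes.challenge.verifier.ts`) should state plainly what the option disables and that it is test-only: with verification off, the server never performs the HTTP-01/DNS-01 check, so it will sign a certificate for any name in the order without the requester having proven control of that domain. Suggest documenting the default (presumably `true`), saying the flag must not be set on a CA that issues certificates anyone else trusts, and noting that issuance with verification off should be visible in the server's logs so a misconfiguration is caught. Two smaller points in the same hunk: the `AcmeCrypto.getAlg()` bullet says the method "was made public (was private)", which widens the library's public API and belongs in the changelog/semver notes, not only here; and the "Dependency Notes" section now carries two overlapping build bullets, "Build uses `tsbuild` (no flags needed, v4+)" and "Build uses `tsbuild tsfolders` (v4.3.0+) ...", which should be merged into one so the README does not state two different build commands and two different minimum versions.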