Add asynch request support

[acme] / Acme.pm
diff --git a/Acme.pm b/Acme.pm

index e4637d790ee19b87ed1f1c9748852d4d3d782cd0..9388e5dd64abaf3257e3eb056474ee7e7a46f5ff 100644 (file)
--- a/Acme.pm
+++ b/Acme.pm
@@ -22,16 +22,17 @@ package Acme;
  use strict;
  use warnings;
  
  use strict;
  use warnings;
  
-# Fix use of acl
+# Add acl support to file tests
  use filetest qw(access);
  
  # Symbol export
  use Exporter;
  our @ISA = qw(Exporter);
  use filetest qw(access);
  
  # Symbol export
  use Exporter;
  our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(VERSION);
+our @EXPORT_OK = qw(ACCOUNT CONFIG MAIL PENDING TERM THUMBPRINT VERSION);
  
  # Load dependancies
  use Carp qw(carp confess);
  
  # Load dependancies
  use Carp qw(carp confess);
+use Data::Validate::IP qw(is_public_ip is_public_ipv6);
  use Date::Parse qw(str2time);
  use DateTime;
  use Digest::SHA qw(sha256_base64);
  use Date::Parse qw(str2time);
  use DateTime;
  use Digest::SHA qw(sha256_base64);
@@ -39,42 +40,75 @@ use Email::Valid;
  use File::Copy qw(copy);
  use File::Path qw(make_path);
  use File::Slurp qw(read_file write_file);
  use File::Copy qw(copy);
  use File::Path qw(make_path);
  use File::Slurp qw(read_file write_file);
+use File::Spec qw(splitpath);
  use File::stat qw(stat);
  use File::Temp; # qw( :seekable );
  use IPC::System::Simple qw(capturex);
  use JSON qw(from_json to_json);
  use LWP;
  use MIME::Base64 qw(encode_base64url encode_base64);
  use File::stat qw(stat);
  use File::Temp; # qw( :seekable );
  use IPC::System::Simple qw(capturex);
  use JSON qw(from_json to_json);
  use LWP;
  use MIME::Base64 qw(encode_base64url encode_base64);
-use Net::Domain::TLD;
+use Net::DNS qw();
+use Net::Domain::TLD qw(tld_exists);
  use POSIX qw(EXIT_FAILURE);
  use Tie::IxHash;
  
  use POSIX qw(EXIT_FAILURE);
  use Tie::IxHash;
  
-# Debug
-use Data::Dumper;
+# Load debug
+#use Data::Dumper;
  
  # Documentation links
  #XXX: see https://letsencrypt.github.io/acme-spec/ (probably based on https://ietf-wg-acme.github.io/acme/)
  #XXX: see jwk rfc http://www.rfc-editor.org/rfc/rfc7517.txt
  #XXX: see javascript implementation https://github.com/diafygi/gethttpsforfree/blob/gh-pages/js/index.js
  
  # Documentation links
  #XXX: see https://letsencrypt.github.io/acme-spec/ (probably based on https://ietf-wg-acme.github.io/acme/)
  #XXX: see jwk rfc http://www.rfc-editor.org/rfc/rfc7517.txt
  #XXX: see javascript implementation https://github.com/diafygi/gethttpsforfree/blob/gh-pages/js/index.js
+#XXX: see https://www.rfc-editor.org/rfc/rfc8555.html
+
+# Todo list
+#TODO: try to drop retry code in _post, asynch answer may obsolete it
+#TODO: cleanup challenge verification code ?
+#TODO: verify that shortlived certificates get renewed in time
+#TODO: try to drop mail address from newAccount, unused by letsencrypt now ?
  
  # Set constants
  use constant {
  
  # Set constants
  use constant {
-       # Request certificate file name
-       REQUEST_CSR => 'request.der',
-
-       # rsa
+       # Config infos
+       ACCOUNT => '/etc/acme/account.pem',
+       CONFIG => '/etc/acme/config',
+       PENDING => '/tmp/acme',
+       THUMBPRINT => '/etc/acme/thumbprint',
+       TERM => 'https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf',
+       MAIL => 'webmaster',
+
+       # Certificate info
+       CSR_SUFFIX => '.der',
+
+       # Redhat infos
+       RH_CERTS => '/etc/pki/tls/certs',
+       RH_PRIVATE => '/etc/pki/tls/private',
+       RH_SUFFIX => '.pem',
+
+       # Debian infos
+       DEB_CERTS => '/etc/ssl/certs',
+       DEB_PRIVATE => '/etc/ssl/private',
+       DEB_CERTS_SUFFIX => '.crt',
+       DEB_PRIVATE_SUFFIX => '.key',
+
+       # Dns infos
+       DNS_PREFIX => '_acme-challenge.',
+       DNS_SUFFIX => '.',
+
+       # Key infos
         KEY_TYPE => 'rsa',
         KEY_TYPE => 'rsa',
-
-       # 2048|4096
         KEY_SIZE => 4096,
  
         # Acme infos
         KEY_SIZE => 4096,
  
         # Acme infos
-       ACME_CERT => 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem',
-       ACME_DIR => 'https://acme-staging.api.letsencrypt.org/directory',
-       ACME_PROD_DIR => 'https://acme-v01.api.letsencrypt.org/directory',
+       #ACME_CERT => 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem',
+       ACME_DIR => 'https://acme-staging-v02.api.letsencrypt.org/directory',
+       ACME_PROD_DIR => 'https://acme-v02.api.letsencrypt.org/directory',
  
         # Version
  
         # Version
-       VERSION => 'v0.9',
+       VERSION => '2.0.4',
+
+       # Timeout
+       TIMEOUT => 300
  };
  
  # User agent object
  };
  
  # User agent object
@@ -83,6 +117,9 @@ our $ua;
  # Strerr backup
  our $_stderr;
  
  # Strerr backup
  our $_stderr;
  
+# Retry count
+our $retry;
+
  # JSON Web Key (JWK)
  #XXX: tie to Tie::IxHash to keep a stable ordering of hash keys
  #our %jwk = (
  # JSON Web Key (JWK)
  #XXX: tie to Tie::IxHash to keep a stable ordering of hash keys
  #our %jwk = (
@@ -108,7 +145,7 @@ tie(%{$jwk{jwk}{jwk}}, 'Tie::IxHash', e => undef, kty => uc(KEY_TYPE), n => unde
  # Constructor
  sub new {
         # Extract params
  # Constructor
  sub new {
         # Extract params
-       my ($class, $debug, $domain, $config) = @_;
+       my ($class, $verbose, $domain, $config) = @_;
  
         # Create self hash
         my $self = {};
  
         # Create self hash
         my $self = {};
@@ -116,8 +153,11 @@ sub new {
         # Link self to package
         bless($self, $class);
  
         # Link self to package
         bless($self, $class);
  
-       # Save debug
-       $self->{debug} = $debug;
+       # Save retry
+       $self->{retry} = 0;
+
+       # Save verbose
+       $self->{verbose} = $verbose;
  
         # Save domain
         $self->{domain} = $domain;
  
         # Save domain
         $self->{domain} = $domain;
@@ -126,48 +166,69 @@ sub new {
         $self->{config} = $config;
  
         # Save domains
         $self->{config} = $config;
  
         # Save domains
-       @{$self->{domains}} = ($domain->{domain}, @{$domain->{domains}});
-
-       # Add extra check to mail validity
-       #XXX: mxcheck fail if there is only a A record on the domain
-       my $ev = Email::Valid->new(-fqdn => 1, -tldcheck => 1, -mxcheck => 1);
+       my @domains = ($domain->{domain}, @{$domain->{domains}});
  
         # Show error if check fail
  
         # Show error if check fail
-       if (! defined $ev->address($self->{domain}{mail})) {
-               map { carp 'failed check: '.$_ if ($self->{debug}) } $ev->details();
-               confess 'Email::Valid->address failed';
+       unless (defined $self->{domain}{mail}) {
+               confess('Missing mail');
         }
  
         }
  
-       # Save mail
-       $self->{mail} = $self->{domain}{mail};
+       # Transform mail in an array
+       unless (ref($self->{domain}{mail}) eq 'ARRAY') {
+               $self->{domain}{mail} = [ $self->{domain}{mail} ];
+       }
+
+       # Add extra check to mail validity
+       #XXX: mxcheck fail if there is only a A record on the domain
+       my $ev = Email::Valid->new(-fqdn => 1, -tldcheck => 1, -mxcheck => 1);
  
  
-       # Create resolver
-       my $res = new Net::DNS::Resolver();
+       # Loop on each mail
+       map {
+               # Checke address
+               if (! defined $ev->address($_)) {
+                       map { carp 'failed check: '.$_ if ($self->{verbose}) } $ev->details();
+                       confess('Validate '.$_.' mail address failed');
+               }
+       } @{$self->{domain}{mail}};
  
         # Check domains
         map {
                 my $tld;
  
  
         # Check domains
         map {
                 my $tld;
  
-               # Extract tld
-               unless (($tld) = $_ =~ m/\.(\w+)$/) {
-                       confess $_.'\'s tld extraction failed';
-               }
+               # With non-numeric tld
+               if (!is_public_ip($_)) {
+                       # Extract tld
+                       unless (($tld) = $_ =~ m/\.(\w+)$/) {
+                               confess('Extract '.$_.' tld failed');
+                       }
  
  
-               # Check if tld exists
-               unless(Net::Domain::TLD::tld_exists($tld)) {
-                       confess $tld.' tld from '.$_.' don\'t exists';
-               }
+                       # Check if tld exists
+                       unless(Net::Domain::TLD::tld_exists($tld)) {
+                               confess('Extracted '.$_.' tld '.$tld.' do not exists');
+                       }
  
  
-               # Check if we get dns answer
-               #XXX: only search A type because letsencrypt don't support ipv6 (AAAA) yet
-               unless(my $rep = $res->search($_, 'A')) {
-                       confess 'search A record for '.$_.' failed';
-               } else {
-                       unless (scalar map { $_->type eq 'A' ? 1 : (); } $rep->answer) {
-                               confess 'search recursively A record for '.$_.' failed';
+                       # Search a record
+                       my $a = Net::DNS::Resolver->new->search($_, 'A', 'IN');
+
+                       # Search aaaa record
+                       my $aaaa = Net::DNS::Resolver->new->search($_, 'AAAA', 'IN');
+
+                       # Trigger error for unresolvable domain
+                       unless (
+                               # Check if either has a A or AAAA record
+                               scalar map {
+                                       ($_->type eq 'A' or $_->type eq 'AAAA') ? 1 : ();
+                               }
+                               # Merge both answer
+                               (
+                                       (defined $a and defined $a->answer) ? $a->answer : (),
+                                       (defined $aaaa and defined $aaaa->answer) ? $aaaa->answer : ()
+                               )
+                       ) {
+                               confess('Resolve '.$_.' to an A or AAAA record failed');
                         }
                 }
                         }
                 }
-       } @{$self->{domains}};
+       } @domains;
  
         # Return class reference
         return $self;
  
         # Return class reference
         return $self;
@@ -188,13 +249,13 @@ sub prepare {
  
         # Create all paths
         {
  
         # Create all paths
         {
-               make_path($certDir, $keyDir, $accountDir, $self->{config}{pending}.'/'.$self->{mail}.'.'.($self->{domain}{prod} ? 'prod' : 'staging'), {error => \my $err});
+               make_path($certDir, $keyDir, $accountDir, $self->{config}{pending}, {error => \my $err});
                 if (@$err) {
                         map {
                 if (@$err) {
                         map {
-                               my ($file, $msg) = %$_;
-                               carp ($file eq '' ? '' : $file.': ').$msg if ($self->{debug});
+                               my ($file, $msg) = %{$_};
+                               carp 'Mkdir '.($file ? $file.' ' : '').'failed: '.$msg if ($self->{verbose});
                         } @$err;
                         } @$err;
-                       confess 'make_path failed';
+                       confess('Make path failed');
                 }
         }
  
                 }
         }
  
@@ -207,12 +268,12 @@ sub prepare {
                 confess('Directory '.$certDir.' or file '.$self->{domain}{cert}.' must be writable: '.$!);
         }
  
                 confess('Directory '.$certDir.' or file '.$self->{domain}{cert}.' must be writable: '.$!);
         }
  
-       # Check that key is writable
+       # Check that key is readable or parent directory is writable
         unless (-r $self->{domain}{key} || -w $keyDir) {
                 confess('File '.$self->{domain}{key}.' must be readable or directory '.$keyDir.' must be writable: '.$!);
         }
  
         unless (-r $self->{domain}{key} || -w $keyDir) {
                 confess('File '.$self->{domain}{key}.' must be readable or directory '.$keyDir.' must be writable: '.$!);
         }
  
-       # Check that account is writable
+       # Check that account key is readable or parent directory is writable
         unless (-r $self->{domain}{account} || -w $accountDir) {
                 confess('File '.$self->{domain}{account}.' must be readable or directory '.$accountDir.' must be writable: '.$!);
         }
         unless (-r $self->{domain}{account} || -w $accountDir) {
                 confess('File '.$self->{domain}{account}.' must be readable or directory '.$accountDir.' must be writable: '.$!);
         }
@@ -268,7 +329,7 @@ sub genKeys {
         } ($self->{domain}{account}, $self->{domain}{key});
  
         # Extract modulus and publicExponent jwk
         } ($self->{domain}{account}, $self->{domain}{key});
  
         # Extract modulus and publicExponent jwk
-       #XXX: same here we tie to keep ordering
+       #XXX: tie to Tie::IxHash to keep a stable ordering of hash keys
         tie(%{$self->{account}}, 'Tie::IxHash', %jwk);
         map {
                 if (/^Modulus=([0-9A-F]+)$/) {
         tie(%{$self->{account}}, 'Tie::IxHash', %jwk);
         map {
                 if (/^Modulus=([0-9A-F]+)$/) {
@@ -292,70 +353,92 @@ sub genKeys {
         $self->{account}{thumbprint} = (sha256_base64(to_json($self->{account}{jwk}{jwk})) =~ s/=+\z//r) =~ tr[+/][-_]r;
  }
  
         $self->{account}{thumbprint} = (sha256_base64(to_json($self->{account}{jwk}{jwk})) =~ s/=+\z//r) =~ tr[+/][-_]r;
  }
  
-# Generate certificate request
-sub genCsr {
+# Directory call
+sub directory {
         my ($self) = @_;
  
         my ($self) = @_;
  
-       # Openssl config template
-       my $oct = File::Temp->new();
+       # Set time
+       my $time = time;
  
  
-       # Save data start position
-       my $pos = tell DATA;
+       # Set directory
+       my $dir = $self->{domain}{prod} ? ACME_PROD_DIR : ACME_DIR;
  
  
-       # Load template from data
-       map { s/__EMAIL_ADDRESS__/$self->{mail}/; s/__COMMON_NAME__/$self->{domains}[0]/; print $oct $_; } <DATA>;
+       # Create a request
+       my $req = HTTP::Request->new(GET => $dir.'?'.$time);
+
+       # Get request
+       my $res = $ua->request($req);
  
  
-       # Reseek data
-       seek(DATA, $pos, 0);
+       # Handle error
+       unless ($res->is_success) {
+               confess('GET '.$dir.'?'.$time.' failed: '.$res->status_line);
+       }
  
  
-       # Append domain names
-       my $i = 1;
-       map { print $oct 'DNS.'.$i++.' = '.$_."\n"; } @{$self->{domains}};
+       # Init content
+       my %content;
  
  
-       # Generate csr
-       capturex('openssl', ('req', '-new', '-outform', 'DER', '-key', $self->{domain}{key}, '-config', $oct->filename, '-out', $self->{config}{pending}.'/'.$self->{mail}.'.'.($self->{domain}{prod} ? 'prod' : 'staging').'/'.REQUEST_CSR));
+       # Extract content
+       unless (%content = %{from_json($res->content)}) {
+               confess('GET '.$dir.'?'.$time.' from_json failed: '.$res->status_line);
+       }
  
  
-       # Close oct
-       close($oct);
+       # Merge uris in self content
+       $self->{req}{dir} = $dir;
+       $self->{req}{keyChange} = $content{keyChange};
+       $self->{req}{newNonce} = $content{newNonce};
+       $self->{req}{newAccount} = $content{newAccount};
+       $self->{req}{revokeCert} = $content{revokeCert};
+       $self->{req}{newOrder} = $content{newOrder};
+
+       # Check term
+       unless ($self->{config}{term} eq $content{meta}{termsOfService}) {
+               confess('GET '.$dir.'?'.$time.' term: '.$content{meta}{termsOfService}.' differ from config: '.$self->{config}{term});
+       }
  }
  
  }
  
-# Directory call
-sub directory {
+# Nonce call
+sub nonce {
         my ($self) = @_;
  
         # Set time
         my $time = time;
  
         my ($self) = @_;
  
         # Set time
         my $time = time;
  
-       # Set directory
-       my $dir = $self->{prod} ? ACME_PROD_DIR : ACME_DIR;
-
         # Create a request
         # Create a request
-       my $req = HTTP::Request->new(GET => $dir.'?'.$time);
+       my $req = HTTP::Request->new(HEAD => $self->{req}{newNonce}.'?'.$time);
  
         # Get request
         my $res = $ua->request($req);
  
         # Handle error
         unless ($res->is_success) {
  
         # Get request
         my $res = $ua->request($req);
  
         # Handle error
         unless ($res->is_success) {
-               confess 'GET '.$dir.'?'.$time.' failed: '.$res->status_line;
+               confess('HEAD '.$self->{req}{newNonce}.'?'.$time.' failed: '.$res->status_line);
         }
  
         # Save nonce
         }
  
         # Save nonce
-       $self->{nonce} = $res->headers->{'replay-nonce'};
-
-       # Merge uris in self content
-       %$self = (%$self, %{from_json($res->content)});
+       $self->{req}{nonce} = $res->headers->{'replay-nonce'};
  }
  
  # Post request
  sub _post {
         my ($self, $uri, $payload) = @_;
  
  }
  
  # Post request
  sub _post {
         my ($self, $uri, $payload) = @_;
  
-       # Protected field
-       my $protected = encode_base64url(to_json({nonce => $self->{nonce}}));
+       # Init protected
+       #XXX: tie to Tie::IxHash to keep a stable ordering of hash keys
+       #XXX: strict ordering only really needed here for thumbprint sha256 digest
+       tie(my %protected, 'Tie::IxHash', alg => $self->{account}{jwk}{alg}, jwk => $self->{account}{jwk}{jwk}, nonce => $self->{req}{nonce}, url => $uri);
  
  
-       # Payload field
-       $payload = encode_base64url(to_json($payload));
+       # We have a kid
+       if (defined($self->{req}{kid})) {
+               # Replace jwk entry with it
+               #XXX: when kid is available all request with jwk are rejected by the api
+               %protected = (alg => $self->{account}{jwk}{alg}, kid => $self->{req}{kid}, nonce => $self->{req}{nonce}, url => $uri);
+       }
+
+       # Encode protected
+       my $protected = encode_base64url(to_json(\%protected));
+
+       # Encode payload
+       $payload = encode_base64url(to_json($payload)) unless ($payload eq '');
  
         # Sign temp file
         my $stf = File::Temp->new();
  
         # Sign temp file
         my $stf = File::Temp->new();
@@ -371,10 +454,12 @@ sub _post {
  
         # Create a request
         my $req = HTTP::Request->new(POST => $uri);
  
         # Create a request
         my $req = HTTP::Request->new(POST => $uri);
-       
+
+       # Set request header
+       $req->header('Content-Type' => 'application/jose+json');
+
         # Set new-reg request content
         $req->content(to_json({
         # Set new-reg request content
         $req->content(to_json({
-               header => $self->{account}{jwk},
                 protected => $protected,
                 payload => $payload,
                 signature => $signature
                 protected => $protected,
                 payload => $payload,
                 signature => $signature
@@ -385,9 +470,29 @@ sub _post {
  
         # Save nonce
         if (defined $res->headers->{'replay-nonce'}) {
  
         # Save nonce
         if (defined $res->headers->{'replay-nonce'}) {
-               $self->{nonce} = $res->headers->{'replay-nonce'};
+               $self->{req}{nonce} = $res->headers->{'replay-nonce'};
+       }
+
+       # Handle error
+       #TODO: see if we may drop retry section with asynch answer which should fix the problem ?
+       #TODO: https://community.letsencrypt.org/t/shortlived-certificate-stuck-as-processing/241006/9
+       unless ($res->is_success and $self->{retry} <= 3) {
+               # Display error
+               confess('POST '.$uri.' failed: '.$res->status_line.':'.$res->content) if ($self->{verbose});
+
+               # Increment retry
+               $self->{retry}++;
+
+               # Sleep
+               sleep(1);
+
+               # Next try
+               $res = $self->_post($uri, $payload);
         }
  
         }
  
+       # Reset retry
+       $self->{retry} = 0;
+
         # Return res object
         return $res;
  }
         # Return res object
         return $res;
  }
@@ -400,23 +505,31 @@ sub _dnsCheck {
         # Generate signature from content
         my $signature = ((sha256_base64($token.'.'.$self->{account}{thumbprint})) =~ s/=+\z//r) =~ tr[+/][-_]r;
  
         # Generate signature from content
         my $signature = ((sha256_base64($token.'.'.$self->{account}{thumbprint})) =~ s/=+\z//r) =~ tr[+/][-_]r;
  
-       # Fix domain
-       $domain = '_acme-challenge.'.$domain.'.';
-
-       # Create resolver
-       my $res = new Net::DNS::Resolver();
+       # Search txt record
+       my $txt = Net::DNS::Resolver->new->search(DNS_PREFIX.$domain.DNS_SUFFIX, 'TXT', 'IN');
  
  
-       # Check if we get dns answer
-       unless(my $rep = $res->search($domain, 'TXT')) {
-               carp 'TXT record search for '.$domain.' failed' if ($self->{debug});
+       # Check that we have a txt record
+       unless (defined $txt and defined $txt->answer and scalar map { $_->type eq 'TXT' ? 1 : (); } $txt->answer) {
+               carp 'Resolve '.DNS_PREFIX.$domain.DNS_SUFFIX.' to a TXT record failed' if ($self->{verbose});
                 return;
                 return;
-       } else {
-               unless (scalar map { $_->type eq 'TXT' && $_->txtdata =~ /^$signature$/ ? 1 : (); } $rep->answer) {
-                       carp 'TXT record recursive search for '.$domain.' failed' if ($self->{debug});
-                       return;
+       }
+
+       # Check that txt record data match signature
+       unless (scalar map { ($_->type eq 'TXT' and $_->txtdata eq $signature) ? 1 : (); } $txt->answer) {
+               # Check verbose
+               if ($self->{verbose}) {
+                       # Loop on each answer
+                       map {
+                               # Check if we have a TXT record with different value
+                               if ($_->type eq 'TXT' and $_->txtdata ne $signature) {
+                                       carp 'Resolved '.DNS_PREFIX.$domain.DNS_SUFFIX.' with "'.$_->txtdata.'" instead of "'.$signature.'"';
+                               }
+                       } $txt->answer;
                 }
                 }
+               return;
         }
  
         }
  
+       # Return success
         return 1;
  }
  
         return 1;
  }
  
@@ -424,8 +537,11 @@ sub _dnsCheck {
  sub _httpCheck {
         my ($self, $domain, $token) = @_;
  
  sub _httpCheck {
         my ($self, $domain, $token) = @_;
  
+       # Set uri
+       my $uri = 'http://'.(is_public_ipv6($domain)?'['.$domain.']':$domain).'/.well-known/acme-challenge/'.$token;
+
         # Create a request
         # Create a request
-       my $req = HTTP::Request->new(GET => 'http://'.$domain.'/.well-known/acme-challenge/'.$token);
+       my $req = HTTP::Request->new(GET => $uri);
  
         # Check if thumbprint is writeable
         if (-w $self->{config}{thumbprint}) {
  
         # Check if thumbprint is writeable
         if (-w $self->{config}{thumbprint}) {
@@ -438,13 +554,13 @@ sub _httpCheck {
  
         # Handle error
         unless ($res->is_success) {
  
         # Handle error
         unless ($res->is_success) {
-               carp 'GET http://'.$domain.'/.well-known/acme-challenge/'.$token.' failed: '.$res->status_line if ($self->{debug});
+               carp 'Fetch '.$uri.' failed: '.$res->status_line if ($self->{verbose});
                 return;
         }
  
         # Handle invalid content
         unless($res->content =~ /^$token.$self->{account}{thumbprint}\s*$/) {
                 return;
         }
  
         # Handle invalid content
         unless($res->content =~ /^$token.$self->{account}{thumbprint}\s*$/) {
-               carp 'GET http://'.$domain.'/.well-known/acme-challenge/'.$token.' content match failed: /^'.$token.'.'.$self->{account}{thumbprint}.'\s*$/ !~ '.$res->content if ($self->{debug});
+               carp 'Fetched '.$uri.' with "'.$res->content.'" instead of "'.$token.'.'.$self->{account}{thumbprint}.'"' if ($self->{verbose});
                 return;
         }
  
                 return;
         }
  
@@ -454,51 +570,192 @@ sub _httpCheck {
  
  # Register account
  #XXX: see doc at https://ietf-wg-acme.github.io/acme/#rfc.section.6.3
  
  # Register account
  #XXX: see doc at https://ietf-wg-acme.github.io/acme/#rfc.section.6.3
-sub register {
+sub account {
         my ($self) = @_;
  
         my ($self) = @_;
  
-       # Post new-reg request
-       #XXX: contact array may contain a tel:+33612345678 for example
-       my $res = $self->_post($self->{'new-reg'}, {resource => 'new-reg', contact => ['mailto:'.$self->{mail}], agreement => $self->{term}});
+       # Init pending directory
+       $self->{req}{pending} = $self->{config}{pending}.'/'.encode_base64url($self->{req}{dir}).'/'.encode_base64url(join(',', @{$self->{domain}{mail}}));
  
  
-       # Handle error
-       unless ($res->is_success || $res->code eq 409) {
-               confess 'POST '.$self->{'new-reg'}.' failed: '.$res->status_line;
+       # Create pending directory
+       {
+               make_path($self->{req}{pending}, {error => \my $err});
+               if (@$err) {
+                       map {
+                               my ($file, $msg) = %{$_};
+                               carp 'Mkdir '.($file ? $file.' ' : '').'failed: '.$msg if ($self->{verbose});
+                       } @$err;
+                       confess('Make path failed');
+               }
         }
  
         }
  
-       # Update mail informations
-       if ($res->code eq 409) {
-               # Save registration uri
-               $self->{'reg'} = $res->headers->{location};
+       # Init file
+       #XXX: we use this file to store the fetched account
+       my $file = $self->{req}{pending}.'/'.(((sha256_base64(join(',', @{$self->{domain}{mail}}))) =~ s/=+\z//r) =~ tr[+/][-_]r);
+
+       # Init content
+       my $content = undef;
+
+       # Load account content or post a new one
+       if (
+               #XXX: use eval to workaround a fatal in from_json
+               ! defined eval {
+                       # Check that file exists
+                       -f $file &&
+                       # Read it
+                       ($content = read_file($file)) &&
+                       # Decode it
+                       ($content = from_json($content))
+               }
+       ) {
+               # Init tied payload
+               #XXX: tie to Tie::IxHash to keep a stable ordering of hash keys
+               tie(my %payload, 'Tie::IxHash', termsOfServiceAgreed => JSON::true, contact => []);
+
+               # Loop on mails
+               map {
+                       # Append mail to payload
+                       $payload{contact}[scalar @{$payload{contact}}] = 'mailto:'.$_;
+               } @{$self->{domain}{mail}};
  
  
-               # Post reg request
-               #XXX: contact array may contain a tel:+33612345678 for example
-               $res = $self->_post($self->{'reg'}, {resource => 'reg', contact => ['mailto:'.$self->{mail}]});
+               # Post newAccount request
+               # TODO: change contact field in config to contain directly the array [mailto:example@example.com,...] ???
+               #XXX: contact array may contain a tel:+33612345678 for example (supported ???)
+               my $res = $self->_post($self->{req}{'newAccount'}, \%payload);
  
                 # Handle error
                 unless ($res->is_success) {
  
                 # Handle error
                 unless ($res->is_success) {
-                       confess 'POST '.$self->{'reg'}.' failed: '.$res->status_line;
+                       confess('POST '.$self->{req}{'newAccount'}.' failed: '.$res->status_line)
                 }
                 }
+
+               # Store kid from header location
+               $content = {
+                       'kid' => $res->headers->{location},
+               };
+
+               # Write to file
+               write_file($file, to_json($content));
         }
         }
+
+       # Set kid from content
+       $self->{req}{kid} = $content->{kid};
+
  }
  
  # Authorize domains
  }
  
  # Authorize domains
-sub authorize {
+sub order {
         my ($self) = @_;
  
         my ($self) = @_;
  
+       # Init file
+       #XXX: we use this file to store the requested domains on our side
+       #XXX: see bug https://github.com/letsencrypt/boulder/issues/3335 and https://community.letsencrypt.org/t/acmev2-orders-list/51662
+       my $file = $self->{req}{pending}.'/'.(((sha256_base64(join(',', ($self->{domain}{domain}, @{$self->{domain}{domains}})))) =~ s/=+\z//r) =~ tr[+/][-_]r);
+
+       # Init content
+       my $content = undef;
+
+       # Load account content or post a new one
+       if (
+               #XXX: use eval to workaround a fatal in from_json
+               ! defined eval {
+                       # Check that file exists
+                       -f $file &&
+                       # Read it
+                       ($content = read_file($file)) &&
+                       # Decode it
+                       ($content = from_json($content))
+               # Check expiration
+               } || (str2time($content->{expires}) <= time()+3600)
+       ) {
+               # Init tied payload
+               #XXX: tie to Tie::IxHash to keep a stable ordering of hash keys
+               #XXX: https://www.perlmonks.org/?node_id=1215976
+               #XXX: optional notBefore, notAfter, see https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#applying-for-certificate-issuance
+               tie(my %payload, 'Tie::IxHash', 'profile' => 'classic', identifiers => []);
+
+               # Loop on domains
+               map {
+                       # With public ip
+                       if (is_public_ip($_)) {
+                               # Set shortlived profile
+                               $payload{profile} = 'shortlived';
+
+                               # Tie in a stable hash and append to identifiers array
+                               #XXX: tie to Tie::IxHash to keep a stable ordering of hash keys
+                               tie(%{$payload{identifiers}[scalar @{$payload{identifiers}}]}, 'Tie::IxHash', type => 'ip', value => $_);
+                       # With fqdn
+                       } else {
+                               # Tie in a stable hash and append to identifiers array
+                               #XXX: tie to Tie::IxHash to keep a stable ordering of hash keys
+                               tie(%{$payload{identifiers}[scalar @{$payload{identifiers}}]}, 'Tie::IxHash', type => 'dns', value => $_);
+                       }
+               } ($self->{domain}{domain}, @{$self->{domain}{domains}});
+
+               # Post new order request
+               my $res = $self->_post($self->{req}{'newOrder'}, \%payload);
+
+               # Handle error
+               unless ($res->is_success) {
+                       confess('POST '.$self->{req}{'newOrder'}.' failed: '.$res->status_line);
+               }
+
+               # Handle error
+               unless ($res->content) {
+                       confess('POST '.$self->{req}{'newOrder'}.' empty content: '.$res->status_line);
+               }
+
+               # Handle error
+               unless ($res->headers->{location}) {
+                       confess('POST '.$self->{req}{'newOrder'}.' missing location: '.$res->status_line);
+               }
+
+               # Extract content
+               $content = from_json($res->content);
+
+               # Check status
+               unless ($content->{status} eq 'ready' or $content->{status} eq 'pending') {
+                       confess('POST '.$self->{req}{'newOrder'}.' invalid status: '.$content->{status}.': '.$res->status_line);
+               }
+
+               # Store location
+               # XXX: used with async response
+               $content->{location} = $res->headers->{location};
+
+               # Store retry after
+               $content->{retryafter} = (defined $res->headers->{'retry-after'} and $res->headers->{'retry-after'}) ? $res->headers->{'retry-after'} : 1;
+
+               # Write to file
+               write_file($file, to_json($content));
+       }
+
+       # Save the authorizations
+       $self->{req}{authorizations} = [ keys %{{ map { $_ => undef } @{$content->{authorizations}} }} ];
+
         # Create challenges hash
         # Create challenges hash
-       %{$self->{challenges}} = ();
+       %{$self->{req}{challenges}} = ();
+
+       # Save finalize uri
+       $self->{req}{finalize} = $content->{finalize};
  
  
-       # Pending list
-       my @pending = ();
+       # Save location
+       $self->{req}{location} = $content->{location};
  
  
-       # Create or load auth request for each domain
+       # Save retry after
+       $self->{req}{retryafter} = $content->{retryafter};
+
+       # Save status
+       $self->{req}{status} = $content->{status};
+
+       # Extract authorizations
         map {
         map {
+               # Init uri
+               my $uri = $_;
+
                 # Init content
                 my $content = undef;
  
                 # Init file
                 # Init content
                 my $content = undef;
  
                 # Init file
-               my $file = $self->{config}{pending}.'/'.$self->{mail}.'.'.($self->{domain}{prod} ? 'prod' : 'staging').'/'.$_;
+               #XXX: tmpdir.'/'.<orderuri>.'/'.<authuri>
+               my $authFile = $self->{req}{pending}.'/'.encode_base64url($uri);
  
                 # Load auth request content or post a new one
                 #TODO: add more check on cache file ???
  
                 # Load auth request content or post a new one
                 #TODO: add more check on cache file ???
@@ -506,138 +763,208 @@ sub authorize {
                         #XXX: use eval to workaround a fatal in from_json
                         ! defined eval {
                                 # Check that file exists
                         #XXX: use eval to workaround a fatal in from_json
                         ! defined eval {
                                 # Check that file exists
-                               -f $file &&
+                               -f $authFile &&
                                 # Read it
                                 # Read it
-                               ($content = read_file($file)) &&
+                               ($content = read_file($authFile)) &&
                                 # Decode it
                                 ($content = from_json($content))
                         # Check expiration
                         } || (str2time($content->{expires}) <= time()+3600)
                 ) {
                         # Post new-authz request
                                 # Decode it
                                 ($content = from_json($content))
                         # Check expiration
                         } || (str2time($content->{expires}) <= time()+3600)
                 ) {
                         # Post new-authz request
-                       my $res = $self->_post($self->{'new-authz'}, {resource => 'new-authz', identifier => {type => 'dns', value => $_}, existing => 'accept'});
+                       my $res = $self->_post($uri, '');
  
                         # Handle error
                         unless ($res->is_success) {
  
                         # Handle error
                         unless ($res->is_success) {
-                               confess 'POST '.$self->{'new-authz'}.' for '.$_.' failed: '.$res->status_line;
+                               confess('POST '.$uri.' failed: '.$res->status_line);
                         }
  
                         # Decode content
                         $content = from_json($res->content);
  
                         }
  
                         # Decode content
                         $content = from_json($res->content);
  
-                       # Check domain
-                       unless (defined $content->{identifier}{value} && $content->{identifier}{value} eq $_) {
-                               confess 'domain matching '.$content->{identifier}{value}.' for '.$_.' failed: '.$res->status_line;
+                       # Check identifier
+                       unless (
+                               defined $content->{identifier} and
+                               defined $content->{identifier}{type} and
+                               defined $content->{identifier}{value}
+                       ) {
+                               confess('POST '.$uri.' missing identifier: '.$res->status_line);
+                       } else {
+                               unless (
+                                       (
+                                               $content->{identifier}{type} eq 'dns' or
+                                               $content->{identifier}{type} eq 'ip'
+                                       ) and
+                                       $content->{identifier}{value}
+                               ) {
+                                       confess('POST '.$uri.' invalid identifier: '.$res->status_line);
+                               }
                         }
  
                         # Check status
                         unless ($content->{status} eq 'valid' or $content->{status} eq 'pending') {
                         }
  
                         # Check status
                         unless ($content->{status} eq 'valid' or $content->{status} eq 'pending') {
-                               confess 'POST '.$self->{'new-authz'}.' for '.$_.' failed: '.$res->status_line;
+                               confess('POST '.$uri.' for '.$content->{identifier}{value}.' failed: '.$res->status_line);
                         }
  
                         # Write to file
                         }
  
                         # Write to file
-                       write_file($file, to_json($content));
+                       write_file($authFile, to_json($content));
                 }
  
                 # Add challenge
                 }
  
                 # Add challenge
-               %{$self->{challenges}{$_}} = (
+               %{$self->{req}{challenges}{$content->{identifier}{value}}} = (
                         status => $content->{status},
                         expires => $content->{expires},
                         status => $content->{status},
                         expires => $content->{expires},
-                       polls => []
+                       challenges => {},
+                       polls => {}
                 );
  
                 );
  
+               # Extract challenges
+               map {
+                       # Save if valid
+                       if ($_->{status} eq 'valid') {
+                               $self->{req}{challenges}{$content->{identifier}{value}}{status} = $_->{status};
+                       # Check is still polling
+                       } elsif ($content->{status} eq 'pending') {
+                               # Add to challenges list for later use
+                               $self->{req}{challenges}{$content->{identifier}{value}}{challenges}{$_->{type}} = {
+                                       status => $_->{status},
+                                       token => $_->{token},
+                                       url => $_->{url}
+                               };
+                       }
+               } @{$content->{challenges}};
+
+               # Set identifier
+               my $identifier = $content->{identifier}{value};
+
                 # Save pending data
                 # Save pending data
-               if ($content->{status} eq 'pending') {
-                       # Extract validation data
-                       foreach my $challenge (@{$content->{challenges}}) {
+               if ($self->{req}{challenges}{$identifier}{status} eq 'pending') {
+                       # Check challenges
+                       map {
                                 # One test already validated this auth request
                                 # One test already validated this auth request
-                               if ($self->{challenges}{$_}{status} eq 'valid') {
-                                       next;
-                               } elsif ($challenge->{status} eq 'valid') {
-                                       $self->{challenges}{$_}{status} = $challenge->{status};
-                                       next;
-                               } elsif ($challenge->{status} eq 'pending') {
-                                       # Handle check
-                                       if (
-                                               ($challenge->{type} =~ /^http-01$/ and $self->_httpCheck($_, $challenge->{token})) or
-                                               ($challenge->{type} =~ /^dns-01$/ and $self->_dnsCheck($_, $challenge->{token}))
-                                       ) {
-                                               # Post challenge request
-                                               my $res = $self->_post($challenge->{uri}, {resource => 'challenge', keyAuthorization => $challenge->{token}.'.'.$self->{account}{thumbprint}});
-
-                                               # Handle error
-                                               unless ($res->is_success) {
-                                                       confess 'POST '.$challenge->{uri}.' failed: '.$res->status_line;
-                                               }
-
-                                               # Extract content
-                                               my $content = from_json($res->content);
-
-                                               # Save if valid
-                                               if ($content->{status} eq 'valid') {
-                                                       $self->{challenges}{$_}{status} = $content->{status};
-                                               # Check is still polling
-                                               } elsif ($content->{status} eq 'pending') {
-                                                       # Add to poll list for later use
-                                                       push(@{$self->{challenges}{$_}{polls}}, {
-                                                               type => (split(/-/, $challenge->{type}))[0],
-                                                               status => $content->{status},
-                                                               poll => $content->{uri}
-                                                       });
+                               unless($self->{req}{challenges}{$identifier}{status} eq 'valid') {
+                                       # One challenge validated
+                                       if ($self->{req}{challenges}{$identifier}{challenges}{$_}{status} eq 'valid') {
+                                               $self->{req}{challenges}{$identifier}{status} = $self->{req}{challenges}{$identifier}{challenges}{$_}{status};
+                                       # This challenge is to be validated
+                                       } elsif ($self->{req}{challenges}{$identifier}{challenges}{$_}{status} eq 'pending') {
+                                               #TODO: implement tls-alpn-01 challenge someday if possible
+                                               if (
+                                                       ($_ eq 'http-01' and $self->_httpCheck($identifier, $self->{req}{challenges}{$identifier}{challenges}{$_}{token})) or
+                                                       ($_ eq 'dns-01' and $self->_dnsCheck($identifier, $self->{req}{challenges}{$identifier}{challenges}{$_}{token}))
+                                               ) {
+                                                       # Init file
+                                                       #XXX: tmpdir.'/'.<orderuri>.'/'.<authuri>
+                                                       my $authFile = $self->{req}{pending}.'/'.encode_base64url($self->{req}{challenges}{$identifier}{challenges}{$_}{url});
+
+                                                       # Reset content
+                                                       $content = undef;
+
+                                                       # Load auth request content or post a new one
+                                                       #TODO: add more check on cache file ???
+                                                       if (
+                                                               #XXX: use eval to workaround a fatal in from_json
+                                                               ! defined eval {
+                                                                       # Check that file exists
+                                                                       -f $authFile &&
+                                                                       # Read it
+                                                                       ($content = read_file($authFile)) &&
+                                                                       # Decode it
+                                                                       ($content = from_json($content))
+                                                               #TODO: Check file modification time ? There is no expires field in json answer
+                                                               }# || (str2time($content->{expires}) <= time()+3600)
+                                                       ) {
+                                                               # Post challenge request
+                                                               my $res = $self->_post(
+                                                                       $self->{req}{challenges}{$identifier}{challenges}{$_}{url},
+                                                                       {keyAuthorization => $self->{req}{challenges}{$identifier}{challenges}{$_}{token}.'.'.$self->{account}{thumbprint}}
+                                                               );
+
+                                                               # Handle error
+                                                               unless ($res->is_success) {
+                                                                       confess('POST '.$self->{req}{challenges}{$identifier}{challenges}{$_}{url}.' failed: '.$res->status_line);
+                                                               }
+
+                                                               # Extract content
+                                                               $content = from_json($res->content);
+
+                                                               # Write to file
+                                                               write_file($authFile, to_json($content));
+                                                       }
+
+                                                       # Save if valid
+                                                       if ($content->{status} eq 'valid') {
+                                                               $self->{req}{challenges}{$identifier}{status} = $content->{status};
+                                                       # Check is still polling
+                                                       } elsif ($content->{status} eq 'pending') {
+                                                               # Add to poll list for later use
+                                                               $self->{req}{challenges}{$identifier}{polls}{$content->{type}} = 1;
+                                                       }
                                                 }
                                         }
                                 }
                                                 }
                                         }
                                 }
-                       }
+                       } keys %{$self->{req}{challenges}{$identifier}{challenges}};
+
                         # Check if check is challenge still in pending and no polls
                         # Check if check is challenge still in pending and no polls
-                       if ($self->{challenges}{$_}{status} eq 'pending' && scalar @{$self->{challenges}{$_}{polls}} == 0) {
+                       if ($self->{req}{challenges}{$identifier}{status} eq 'pending' && scalar keys %{$self->{req}{challenges}{$identifier}{polls}} == 0) {
                                 # Loop on all remaining challenges
                                 # Loop on all remaining challenges
-                               foreach my $challenge (@{$content->{challenges}}) {
+                               map {
+                                       #TODO: implement tls-alpn-01 challenge someday if possible
                                         # Display help for http-01 check
                                         # Display help for http-01 check
-                                       if ($challenge->{type} eq 'http-01') {
-                                               print STDERR 'Create URI http://'.$_.'/.well-known/acme-challenge/'.$challenge->{token}.' with content '.$challenge->{token}.'.'.$self->{account}{thumbprint}."\n";
+                                       if ($_ eq 'http-01') {
+                                               print STDERR 'Require URI http://'.$identifier.'/.well-known/acme-challenge/'.$self->{req}{challenges}{$identifier}{challenges}{$_}{token}.' with "'.$self->{req}{challenges}{$identifier}{challenges}{$_}{token}.'.'.$self->{account}{thumbprint}.'"'."\n";
                                         # Display help for dns-01 check
                                         # Display help for dns-01 check
-                                       } elsif ($challenge->{type} eq 'dns-01') {
-                                               print STDERR 'Create TXT record _acme-challenge.'.$_.'. with value '.(((sha256_base64($challenge->{token}.'.'.$self->{account}{thumbprint})) =~ s/=+\z//r) =~ tr[+/][-_]r)."\n";
+                                       } elsif ($_ eq 'dns-01') {
+                                               print STDERR 'Require TXT record _acme-challenge.'.$identifier.'. with "'.(((sha256_base64($self->{req}{challenges}{$identifier}{challenges}{$_}{token}.'.'.$self->{account}{thumbprint})) =~ s/=+\z//r) =~ tr[+/][-_]r).'"'."\n";
                                         }
                                         }
-                               }
+                               } keys %{$self->{req}{challenges}{$identifier}{challenges}};
                         }
                 }
                         }
                 }
-       } @{$self->{domains}};
+       } @{$self->{req}{authorizations}};
  
         # Init max run
  
         # Init max run
-       my $remaining = 10;
+       my $remaining = TIMEOUT;
  
         # Poll pending
  
         # Poll pending
-       while (--$remaining >= 0 and scalar map { $_->{status} eq 'valid' ? 1 : (); } values %{$self->{challenges}}) {
+       while (--$remaining >= 0 and scalar map { ($_->{status} eq 'pending' and scalar keys %{$_->{polls}}) ? 1 : (); } values %{$self->{req}{challenges}}) {
                 # Sleep
                 sleep(1);
                 # Sleep
                 sleep(1);
+
                 # Poll remaining pending
                 map {
                 # Poll remaining pending
                 map {
-                       # Init domain
-                       my $domain = $_;
+                       # Init identifier
+                       my $identifier = $_;
  
                         # Poll remaining polls
                         map {
  
                         # Poll remaining polls
                         map {
-                               # Create a request
-                               my $req = HTTP::Request->new(GET => $_->{poll});
+                               # Init file
+                               #XXX: tmpdir.'/'.<orderuri>.'/'.<authuri>
+                               my $authFile = $self->{req}{pending}.'/'.encode_base64url($self->{req}{challenges}{$identifier}{challenges}{$_}{url});
  
  
-                               # Get request
-                               my $res = $ua->request($req);
+                               # Post challenge request
+                               #XXX: no cache here we force update
+                               my $res = $self->_post(
+                                       $self->{req}{challenges}{$identifier}{challenges}{$_}{url},
+                                       {keyAuthorization => $self->{req}{challenges}{$identifier}{challenges}{$_}{token}.'.'.$self->{account}{thumbprint}}
+                               );
  
                                 # Handle error
                                 unless ($res->is_success) {
  
                                 # Handle error
                                 unless ($res->is_success) {
-                                       carp 'GET '.$self->{challenges}{$_}{http_challenge}.' failed: '.$res->status_line if ($self->{debug});
+                                       confess('POST '.$self->{req}{challenges}{$identifier}{challenges}{$_}{url}.' failed: '.$res->status_line);
                                 }
  
                                 # Extract content
                                 }
  
                                 # Extract content
-                               my $content = from_json($res->content);
+                               $content = from_json($res->content);
+
+                               # Write to file
+                               write_file($authFile, to_json($content));
  
                                 # Save status
                                 if ($content->{status} ne 'pending') {
  
                                 # Save status
                                 if ($content->{status} ne 'pending') {
-                                       $self->{challenges}{$domain}{status} = $content->{status};
+                                       $self->{req}{challenges}{$identifier}{status} = $content->{status};
                                 }
                                 }
-                       } @{$self->{challenges}{$_}{polls}};
-               } map { $self->{challenges}{$_}{status} eq 'pending' ? $_ : (); } keys %{$self->{challenges}};
+                       } keys %{$self->{req}{challenges}{$identifier}{polls}};
+               } map { $self->{req}{challenges}{$_}{status} eq 'pending' ? $_ : (); } keys %{$self->{req}{challenges}};
         } 
  
         # Check if thumbprint is writeable
         } 
  
         # Check if thumbprint is writeable
@@ -646,26 +973,122 @@ sub authorize {
                 write_file($self->{config}{thumbprint}, '');
         }
  
                 write_file($self->{config}{thumbprint}, '');
         }
  
-       # Stop here with remaining chanllenge
-       if (scalar map { ! defined $_->{status} or $_->{status} ne 'valid' ? 1 : (); } values %{$self->{challenges}}) {
-               # Deactivate all activated domains 
-               #XXX: not implemented by letsencrypt
+       # Stop here with remaining challenge
+       if (scalar map { $_->{status} ne 'valid' ? 1 : (); } values %{$self->{req}{challenges}}) {
+               #TODO: Deactivate all activated domains ?
+               #XXX: see if implemented by letsencrypt ACMEv2
                 #map {
                 #       # Post deactivation request
                 #       my $res = $self->_post($self->{challenges}{$_}{http_uri}, {resource => 'authz', status => 'deactivated'});
                 #       # Handle error
                 #       unless ($res->is_success) {
                 #map {
                 #       # Post deactivation request
                 #       my $res = $self->_post($self->{challenges}{$_}{http_uri}, {resource => 'authz', status => 'deactivated'});
                 #       # Handle error
                 #       unless ($res->is_success) {
-               #               confess 'POST '.$self->{challenges}{$_}{http_uri}.' failed: '.$res->status_line;
+               #               confess('POST '.$self->{challenges}{$_}{http_uri}.' failed: '.$res->status_line);
                 #       }
                 #} map { $self->{challenges}{$_}{status} eq 'valid' ? $_ : () } keys %{$self->{challenges}};
  
                 # Stop here as a domain of csr list failed authorization
                 #       }
                 #} map { $self->{challenges}{$_}{status} eq 'valid' ? $_ : () } keys %{$self->{challenges}};
  
                 # Stop here as a domain of csr list failed authorization
-               if ($self->{debug}) {
-                       my @domains = map { ! defined $self->{challenges}{$_}{status} or $self->{challenges}{$_}{status} ne 'valid' ? $_ : (); } keys %{$self->{challenges}};
-                       confess 'Fix the challenge'.(scalar @domains > 1?'s':'').' for domain'.(scalar @domains > 1?'s':'').': '.join(', ', @domains);
-               } else {
-                       exit EXIT_FAILURE;
+               if ($self->{verbose}) {
+                       my @domains = map { $self->{req}{challenges}{$_}{status} ne 'valid' ? $_ : (); } keys %{$self->{req}{challenges}};
+                       #my @domains = map { ! defined $self->{challenges}{$_}{status} or $self->{challenges}{$_}{status} ne 'valid' ? $_ : (); } keys %{$self->{challenges}};
+                       carp 'Fix challenge'.(scalar @domains > 1?'s':'').' for: '.join(', ', @domains);
                 }
                 }
+               exit EXIT_FAILURE;
+       }
+
+       # With pending
+       if ($self->{req}{status} eq 'pending') {
+               # Init max run
+               $remaining = TIMEOUT;
+
+               # Iterate until processing order becomes ready
+               while (--$remaining >= 0 and $self->{req}{status} eq 'pending') {
+                       # Sleep
+                       sleep($self->{req}{retryafter});
+
+                       # Refresh content
+                       my $res = $self->_post($self->{req}{location}, '');
+
+                       # Handle error
+                       unless ($res->is_success) {
+                               confess('POST '.$self->{req}{location}.' failed: '.$res->status_line);
+                       }
+
+                       # Handle error
+                       unless ($res->content) {
+                               confess('POST '.$self->{req}{location}.' empty content: '.$res->status_line);
+                       }
+
+                       # Handle error
+                       unless ($res->headers->{location}) {
+                               confess('POST '.$self->{req}{location}.' missing location: '.$res->status_line);
+                       }
+
+                       # Extract content
+                       $content = from_json($res->content);
+
+                       # Check status
+                       unless ($content->{status} eq 'ready' or $content->{status} eq 'pending') {
+                               confess('POST '.$self->{req}{location}.' invalid status: '.$content->{status}.': '.$res->status_line);
+                       }
+
+                       # Store location
+                       $self->{req}{location} = $res->headers->{location};
+
+                       # Store retry after
+                       $self->{req}{retryafter} = (defined $res->headers->{'retry-after'} and $res->headers->{'retry-after'}) ? $res->headers->{'retry-after'} : 1;
+
+                       # Store status
+                       $self->{req}{status} = $content->{status};
+
+                       # Write to file
+                       write_file($file, to_json($content));
+               }
+
+               # Without ready state
+               unless($self->{req}{status} eq 'ready') {
+                       confess('POST '.$self->{req}{location}.' invalid status: '.$self->{req}{status});
+               }
+       }
+}
+
+# Generate certificate request
+sub genCsr {
+       my ($self) = @_;
+
+       # Init csr file
+       #XXX: tmpdir.'/'.<orderuri>.'/'.<thumbprint>.':'.<mail>.':'.join(',', @domains).'.<prodstaging>.'.CSR_SUFFIX
+       $self->{req}{csr} = $self->{req}{pending}.'/'.(((sha256_base64(join(',', ($self->{domain}{domain}, @{$self->{domain}{domains}})))) =~ s/=+\z//r) =~ tr[+/][-_]r).CSR_SUFFIX;
+
+       # Reuse certificate request file without domain/mail change
+       if (! -f $self->{req}{csr}) {
+               # Openssl config template
+               my $oct = File::Temp->new(UNLINK => 0);
+
+               # Save data start position
+               my $pos = tell DATA;
+
+               # Init counter
+               my ($i, $j) = (0) x 2;
+
+               # Prepare mail
+               my $mail = join("\n", map { $i++.'.emailAddress'."\t\t\t".'= '.$_; } @{$self->{domain}{mail}});
+
+               # Load template from data
+               map { s/__EMAIL_ADDRESS__/$mail/; s/__COMMON_NAME__/$self->{domain}{domain}/; print $oct $_; } <DATA>;
+
+               # Reseek data
+               seek(DATA, $pos, 0);
+
+               # Append domain names and ips
+               $i = 0;
+               map { print $oct (is_public_ip($_)?'IP.'.$j++:'DNS.'.$i++).' = '.$_."\n"; } ($self->{domain}{domain}, @{$self->{domain}{domains}});
+
+               # Generate csr
+               #XXX: read certificate request with: openssl req -inform DER -in $self->{req}{csr} -text
+               capturex('openssl', ('req', '-new', '-outform', 'DER', '-key', $self->{domain}{key}, '-config', $oct->filename, '-out', $self->{req}{csr}));
+
+               # Close oct
+               close($oct);
         }
  }
  
         }
  }
  
@@ -674,7 +1097,7 @@ sub issue {
         my ($self) = @_;
  
         # Open csr file
         my ($self) = @_;
  
         # Open csr file
-       open(my $fh, '<', $self->{config}{pending}.'/'.$self->{mail}.'.'.($self->{domain}{prod} ? 'prod' : 'staging').'/'.REQUEST_CSR) or die $!;
+       open(my $fh, '<', $self->{req}{csr}) or die $!;
  
         # Load csr
         my $csr = encode_base64url(join('', <$fh>) =~ s/^\0+//r);
  
         # Load csr
         my $csr = encode_base64url(join('', <$fh>) =~ s/^\0+//r);
@@ -682,39 +1105,177 @@ sub issue {
         # Close csr file
         close($fh) or die $!;
  
         # Close csr file
         close($fh) or die $!;
  
-       # Post certificate request
-       my $res = $self->_post($self->{'new-cert'}, {resource => 'new-cert', csr => $csr});
+       # Init file
+       #XXX: tmpdir.'/'.<orderuri>.'/'.<finalizeuri>
+       my $file = $self->{req}{pending}.'/'.encode_base64url($self->{req}{finalize});
+
+       # Init content
+       my $content = undef;
+
+       # Init res
+       my $res = undef;
+
+       # Load auth request content or post a new one
+       #TODO: add more check on cache file ???
+       if (
+               #XXX: use eval to workaround a fatal in from_json
+               ! defined eval {
+                       # Check that file exists
+                       -f $file &&
+                       # Read it
+                       ($content = read_file($file)) &&
+                       # Decode it
+                       ($content = from_json($content))
+               # Check file modification time ? There is no expires field in json answer
+               } || (str2time($content->{expires}) <= time()+3600)
+       ) {
+               # Post certificate request
+               $res = $self->_post($self->{req}{finalize}, {csr => $csr});
  
  
-       # Handle error
-       unless ($res->is_success) {
-               confess 'POST '.$self->{'new-cert'}.' failed: '.$res->status_line;
+               # Handle error
+               unless ($res->is_success) {
+                       confess('POST '.$self->{req}{finalize}.' failed: '.$res->status_line);
+               }
+
+               # Extract content
+               $content = from_json($res->content);
+
+               # Check status
+               unless ($content->{status} eq 'processing' or $content->{status} eq 'valid') {
+                       confess('POST '.$self->{req}{location}.' invalid status: '.$content->{status}.': '.$res->status_line);
+               }
+
+               # Store location
+               # XXX: used with async response
+               $content->{location} = $res->headers->{location};
+
+               # Store retry after
+               $content->{retryafter} = (defined $res->headers->{'retry-after'} and $res->headers->{'retry-after'}) ? $res->headers->{'retry-after'} : 1;
+
+               # Write to file
+               write_file($file, to_json($content));
         }
  
         }
  
-       # Open crt file
-       open($fh, '>', $self->{domain}{cert}) or die $!;
+       # Store location
+       $self->{req}{location} = $content->{location};
  
  
-       # Convert to pem
-       print $fh '-----BEGIN CERTIFICATE-----'."\n".encode_base64($res->content).'-----END CERTIFICATE-----'."\n";
+       # Store restry after
+       $self->{req}{retryafter} = $content->{retryafter};
  
  
-       # Create a request
-       my $req = HTTP::Request->new(GET => ACME_CERT);
+       # Store status
+       $self->{req}{status} = $content->{status};
  
  
-       # Get request
-       $res = $ua->request($req);
+       # With processing
+       if ($self->{req}{status} eq 'processing') {
+               # Init max run
+               my $remaining = TIMEOUT;
  
  
-       # Handle error
-       unless ($res->is_success) {
-               carp 'GET '.ACME_CERT.' failed: '.$res->status_line if ($self->{debug});
+               # Iterate until processing order becomes ready
+               while (--$remaining >= 0 and $self->{req}{status} eq 'processing') {
+                       # Sleep
+                       sleep($self->{req}{retryafter});
+
+                       # Refresh content
+                       my $res = $self->_post($self->{req}{location}, '');
+
+                       # Handle error
+                       unless ($res->is_success) {
+                               confess('POST '.$self->{req}{location}.' failed: '.$res->status_line);
+                       }
+
+                       # Handle error
+                       unless ($res->content) {
+                               confess('POST '.$self->{req}{location}.' empty content: '.$res->status_line);
+                       }
+
+                       # Handle error
+                       unless ($res->headers->{location}) {
+                               confess('POST '.$self->{req}{location}.' missing location: '.$res->status_line);
+                       }
+
+                       # Extract content
+                       $content = from_json($res->content);
+
+                       # Check status
+                       unless ($content->{status} eq 'valid' or $content->{status} eq 'processing') {
+                               confess('POST '.$self->{req}{location}.' invalid status: '.$content->{status}.': '.$res->status_line);
+                       }
+
+                       # Store location
+                       # XXX: used with async response
+                       $self->{req}{location} = $res->headers->{location};
+
+                       # Store retry after
+                       $self->{req}{retryafter} = (defined $res->headers->{'retry-after'} and $res->headers->{'retry-after'}) ? $res->headers->{'retry-after'} : 1;
+
+                       # Store status
+                       $self->{req}{status} = $content->{status};
+
+                       # Write to file
+                       write_file($file, to_json($content));
+               }
+
+               # Without valid state
+               unless($self->{req}{status} eq 'valid') {
+                       confess('POST '.$self->{req}{location}.' invalid status: '.$self->{req}{status});
+               }
         }
  
         }
  
-       # Append content
-       print $fh $res->content;
+       # Set certificate
+       $self->{req}{certificate} = $content->{certificate};
+
+       # Set file
+       #XXX: tmpdir.'/'.<orderuri>.'/'.<certificateuri>
+       $file = $self->{req}{pending}.'/'.encode_base64url($self->{req}{certificate});
+
+       # Reset content
+       $content = undef;
+
+       # Load certificate request content or post a new one
+       #TODO: add more check on cache file ???
+       if (
+               #XXX: use eval to workaround a fatal in from_json
+               ! defined eval {
+                       # Check that file exists
+                       -f $file &&
+                       # Read it
+                       ($content = read_file($file))
+               # Check file modification time ? There is no expires field in json answer
+               #TODO: add a checck on modification time ???
+               }# || (str2time($content->{expires}) <= time()+3600)
+       ) {
+               # Post certificate request
+               $res = $self->_post($self->{req}{certificate}, '');
  
  
-       # Close file
-       close($fh) or die $!;
+               # Handle error
+               unless ($res->is_success) {
+                       confess('POST '.$self->{req}{certificate}.' failed: '.$res->status_line);
+               }
+
+               # Set content
+               $content = $res->content;
+
+               # Write to file
+               write_file($file, $content);
+       }
+
+       # Write to raw cert file
+       write_file($self->{domain}{cert}.'.raw', $content);
+
+       # Remove multi-line jump
+       $content =~ s/\n\n/\n/s;
+
+       # Remove ISRG Root X1 certificate signed by DST Root CA X3 present after second multi-line jump
+       #$content =~ s/\n\n.*//s;
+
+       # Remove trailing line jump
+       chomp $content;
+
+       # Write to cert file
+       write_file($self->{domain}{cert}, $content);
  
         # Print success
  
         # Print success
-       carp 'Success, pem certificate in '.$self->{domain}{cert} if ($self->{debug});
+       carp 'Saved '.$self->{domain}{cert}.' pem certificate' if ($self->{verbose});
  }
  
  1;
  }
  
  1;
@@ -747,7 +1308,7 @@ localityName                       = Locality Name
  organizationName               = Organization Name
  organizationalUnitName         = Organizational Unit Name
  commonName                     = __COMMON_NAME__
  organizationName               = Organization Name
  organizationalUnitName         = Organizational Unit Name
  commonName                     = __COMMON_NAME__
-emailAddress                   = __EMAIL_ADDRESS__
+__EMAIL_ADDRESS__
  
  [ v3_req ]
  basicConstraints = CA:false
  
  [ v3_req ]
  basicConstraints = CA:false