When acme-client is run with -v, show the account URI from the Location

header sent by the server in response to the newAccount API call (used for
every cert request). This is useful if you want to set a CAA DNS record
restricting issuance to a specific user account, rather than just "all of
$whichever_acme_CA".  ok florian

1 files changed, 14 insertions, 3 deletions

diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index 3b53ccfe527..79dcadf3873 100644
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/*	$Id: netproc.c,v 1.35 2024/04/28 10:09:25 tb Exp $ */
+/*	$Id: netproc.c,v 1.36 2024/10/07 23:47:00 sthen Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -359,7 +359,7 @@ donewacc(struct conn *c, const struct capaths *p, const char *contact)
 {
 	struct jsmnn	*j = NULL;
 	int		 rc = 0;
-	char		*req, *detail, *error = NULL;
+	char		*req, *detail, *error = NULL, *accturi = NULL;
 	long		 lc;
 
 	if ((req = json_fmt_newacc(contact)) == NULL)
@@ -384,6 +384,12 @@ donewacc(struct conn *c, const struct capaths *p, const char *contact)
 	else
 		rc = 1;
 
+	if (c->kid != NULL) {
+		if (stravis(&accturi, c->kid, VIS_SAFE) != -1)
+			dodbg("account key: %s", accturi);
+		free(accturi);
+	}
+
 	if (rc == 0 || verbose > 1)
 		buf_dump(&c->buf);
 	free(req);
@@ -399,7 +405,7 @@ static int
 dochkacc(struct conn *c, const struct capaths *p, const char *contact)
 {
 	int		 rc = 0;
-	char		*req;
+	char		*req, *accturi = NULL;
 	long		 lc;
 
 	if ((req = json_fmt_chkacc()) == NULL)
@@ -417,6 +423,11 @@ dochkacc(struct conn *c, const struct capaths *p, const char *contact)
 
 	if (c->kid == NULL)
 		rc = 0;
+	else {
+		if (stravis(&accturi, c->kid, VIS_SAFE) != -1)
+			dodbg("account key: %s", accturi);
+		free(accturi);
+	}
 
 	if (rc == 0 || verbose > 1)
 		buf_dump(&c->buf);