Crypt-LE

RFE: support other ACME-based CAs

Open · Yenya opened this issue 3 years ago · 1 comment

Hello,

I tried to use CAs that support the ACME protocol (other than Let's Encrypt itself), but none of them worked. It might be worth looking at.

I used the list of API endpoints from https://github.com/acmesh-official/acme.sh/wiki/Server using the following command:

FQDN=my.server.name
SERVER=... # API endpoint, see below
LE_DIR=/etc/pki/le
/usr/local/bin/le.pl --email [email protected] --key $LE_DIR/account.key \
        --csr $LE_DIR/$FQDN.csr \
        --crt $LE_DIR/$FQDN.crt \
        --path /var/www/html/.well-known/acme-challenge \
        --directory $SERVER \
        --unlink \
        --renew 300 --live

EDIT: never mind the following, I have just discovered the --directory option: ~~One problem is that le.pl adds a /directory suffix after the --server parameter, but not all CAs have this. Maybe the meaning of this argument should be changed to get the directory listing directly from the given URL? If backwards compatibility is a problem, a new argument should be added (say, --endpoint).~~

  • buypass https://api.buypass.com/acme/directory
    (the --email switch is required)
    2022/08/30 08:34:16 Current contact details: [email protected]
    2022/08/30 08:34:18 Failed to receive the challenge. Expected JWS header is missing: jwk

  • zerossl https://acme.zerossl.com/v2/DV90/directory
    2022/08/30 08:36:31 Registering the account key
    2022/08/30 08:36:41 The request must include a value for the "externalAccountBinding" field

  • ssl.com https://acme.ssl.com/sslcom-dv-rsa

  • google https://dv.acme-v02.api.pki.goog/directory
    2022/08/30 08:37:53 Registering the account key
    2022/08/30 08:37:53 External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.

Thanks,

-Yenya

Yenya, Aug 30 '22 07:08

OK, it seems there is already a pull request #66 for it.

Yenya, Aug 30 '22 07:08

Basic EAB support was actually added a while ago, but was never fully completed and pushed. This should now be available on the 'beta' branch, and should be released soon. This has been tested with Let's Encrypt, ZeroSSL and Buypass. I haven't tested it with Google or SSL.com, but those should also be directly supported now. Some examples:

  1. Use ZeroSSL, providing the server parameter explicitly (to be deprecated), and providing eab-kid and eab-hmac-key:

le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --server https://acme.zerossl.com/v2/DV90 --eab-kid ... --eab-hmac-key ... --key my.key

  2. Use ZeroSSL, providing the directory parameter explicitly, and providing eab-kid and eab-hmac-key:

le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --directory https://acme.zerossl.com/v2/DV90/directory --eab-kid ... --eab-hmac-key ... --key my.key

  3. Use ZeroSSL, providing the ca parameter, and providing eab-kid and eab-hmac-key:

le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --ca zerossl.com --eab-kid ... --eab-hmac-key ... --key my.key --live

(notice the --live parameter in this case - that is because there is no staging environment, so running the command without --live would produce an error "CA does not support staging environment, please specify 'live' explicitly.")

  4. Use Buypass.com (staging environment):

le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --ca buypass.com --key my.key --email "[email protected]"

(notice that the email parameter is mandatory for this CA, and without it you would get an error "Email is a required contact")

  5. Use Buypass.com (production environment):

le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --ca buypass.com --key my.key --email "[email protected]" --live

(notice that the email parameter is mandatory for this CA, and without it you would get an error "Email is a required contact")

The CAs which are directly supported by name are currently these: buypass.com, google.com, letsencrypt.org, ssl.com, zerossl.com.

do-know, Mar 11 '23 18:03
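The "externalAccountBinding" field that ZeroSSL and Google rejected the account registration for, and that the --eab-kid / --eab-hmac-key options above supply, is a second, inner JWS defined in RFC 8555 section 7.3.4: its protected header carries alg HS256, the CA-issued key id as kid and the newAccount URL; its payload is the client's account public key as a JWK; and it is MACed with the CA-issued HMAC secret. The following is an added illustration of that construct and of the newAccount body it sits in, written in Python with only the standard library; it is not Crypt-LE's own (Perl) code. The newAccount URL, the account JWK, the kid and the HMAC key are all constructed placeholders; in a real client the URL comes from the CA's directory document and the JWK from the public half of the account key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this demo. A real client takes the newAccount URL from
# the CA's directory document (what le.pl receives via --directory) and the JWK
# from the public half of the account key (--key). Neither is a real key.
NEW_ACCOUNT_URL = "https://acme.example/acme/new-acct"
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample_modulus_base64url_never_decoded_in_this_demo_0123456789",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """CAs hand out EAB HMAC keys as unpadded base64url; restore padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_jwk(jwk: dict) -> bytes:
    """Serialise the account JWK once, deterministically.

    The EAB payload must be the same JWK the outer newAccount JWS carries in its
    "jwk" header; the CA compares the two, so reuse these exact bytes for both.
    """
    return json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("ascii")


def build_eab(eab_kid: str, eab_hmac_key: str, account_jwk: dict, new_account_url: str) -> dict:
    """Inner JWS for externalAccountBinding (RFC 8555 section 7.3.4).

    Protected header: alg HS256, kid = the CA-issued EAB key id, url = newAccount.
    Payload: the account public key as a JWK. Signature: HMAC-SHA256 with the
    CA-issued secret over "<b64 header>.<b64 payload>".
    """
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    header_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode("ascii"))
    payload_b64 = b64url(canonical_jwk(account_jwk))
    mac = hmac.new(
        b64url_decode(eab_hmac_key),
        f"{header_b64}.{payload_b64}".encode("ascii"),
        hashlib.sha256,
    ).digest()
    return {"protected": header_b64, "payload": payload_b64, "signature": b64url(mac)}


def decode_protected(eab: dict) -> dict:
    """Return the EAB protected header as a dict (for inspection and tests)."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, eab_hmac_key: str, account_jwk: dict, new_account_url: str) -> bool:
    """Mirror of the CA-side check: MAC, header fields, and JWK binding."""
    expected = hmac.new(
        b64url_decode(eab_hmac_key),
        f"{eab['protected']}.{eab['payload']}".encode("ascii"),
        hashlib.sha256,
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False  # wrong or stale HMAC key
    header = decode_protected(eab)
    if header.get("alg") != "HS256" or header.get("url") != new_account_url:
        return False  # wrong algorithm, or EAB replayed against another endpoint
    # The bound key must be the very account key that signs the outer JWS.
    return b64url_decode(eab["payload"]) == canonical_jwk(account_jwk)


def new_account_payload(contact_email: Optional[str], eab: Optional[dict]) -> dict:
    """Body of the newAccount request, before it is wrapped in the outer JWS.

    The outer JWS is signed with the account key itself and, for newAccount,
    identifies that key with a "jwk" header rather than a "kid" (RFC 8555
    section 6.2); that signing step is not shown here.
    """
    body = {"termsOfServiceAgreed": True}
    if contact_email:  # Buypass rejects accounts without a contact
        body["contact"] = [f"mailto:{contact_email}"]
    if eab is not None:  # ZeroSSL and Google reject accounts without this field
        body["externalAccountBinding"] = eab
    return body


if __name__ == "__main__":
    # "c2VjcmV0" and "demo-kid" are constructed, not credentials issued by any CA.
    eab = build_eab("demo-kid", "c2VjcmV0", SAMPLE_ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(new_account_payload("admin@example.com", eab), indent=2))
    print("verifies:", verify_eab(eab, "c2VjcmV0", SAMPLE_ACCOUNT_JWK, NEW_ACCOUNT_URL))
```

Two points worth keeping in mind when wiring this into a client: the EAB is only meaningful on the newAccount request (the CA binds the account key to your pre-registered identity once, after which the account is addressed by its kid URL), and the url in the inner header must be the CA's actual newAccount URL, otherwise a CA that checks it will reject the binding even though the MAC is valid.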

Pushed v0.39 with the EAB support and direct support of known ACME-compatible CAs by name.

do-know, Mar 12 '23 15:03