ansible-collections / community.crypto

The community.crypto collection for Ansible.
https://galaxy.ansible.com/ui/repo/published/community/crypto/

Allow challenge to be empty for acme accounts with external account binding #613

Closed dansou901 closed 1 year ago

dansou901 commented 1 year ago
SUMMARY

Private CAs like Sectigo, which use external account binding, don't require challenges. It should be possible to create certificates without challenges against these endpoints.

ISSUE TYPE
COMPONENT NAME

community.crypto.acme_certificate

ADDITIONAL INFORMATION

For now, acme_certificate has to be run twice. First, the challenge has to be created; in the last step, the challenge has to be verified. When running against ACME endpoints which require only external account binding, acme_certificate should be run only once. The external account binding data could be organized the same way as it is used in acme_account.

felixfontein commented 1 year ago

Is there any way to test/reproduce this (without being a customer of Sectigo)?

dansou901 commented 1 year ago

I'm afraid that's not possible, sorry. But I can test for you once you have something ready. The only way I can think of is another (open) provider which offers certificates without challenges with only EAB, or you have to set up your own ACME server to test against.

felixfontein commented 1 year ago

Do I understand it correctly that you basically need a special value for the challenge module option, say no challenge, that tells the module to ignore the challenges, to not try to do the validate call for a challenge, but to simply wait for every authz to become valid?

(I don't want to change the way that acme_certificate needs to be called twice. The first call starts the order, the second call completes the order. Making the second call dependent on the specific challenge makes the UX of this module even worse than it already is IMO.)

dansou901 commented 1 year ago

Yes, that's about it. In addition to the no challenge option, we need to send EAB credentials, like already implemented in the acme_account module. When we request certificates, we don't do challenges, but just provide the EAB credentials. They are needed for registering the account as well as requesting certificates with the registered account.

dansou901 commented 1 year ago

That the module needs to be called twice is fine, so the play can wait for the ACME server to issue the certificate. That can take a while sometimes at Sectigo.

felixfontein commented 1 year ago

EAB credentials are not needed for certificates, they are needed for setting up the account with acme_account (https://www.rfc-editor.org/rfc/rfc8555#section-7.3.4). Once the account is linked to the EAB credentials, you shouldn't need the EAB credentials again. EAB credentials aren't part of the order process (https://www.rfc-editor.org/rfc/rfc8555#section-7.4).
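The two RFC 8555 sections cited above are the whole point of this thread: the external account binding is a MAC-signed JWS that travels inside the newAccount request, and the later newOrder request carries only identifiers. The following is an added illustration written for this page, not code from community.crypto; it assumes HS256 as the MAC algorithm and uses constructed kid, MAC key and account JWK values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_eab_jws(kid, mac_key_b64url, account_jwk, new_account_url):
    """Client side: the externalAccountBinding JWS of RFC 8555 section 7.3.4.
    Header: a MAC alg (HS256 assumed here), the CA-issued kid and the newAccount
    URL, and no nonce. Payload: the new account's public key as a JWK.
    MAC key: the secret the CA handed out together with the kid."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    p64, payload64 = b64url(_compact_json(protected)), b64url(_compact_json(account_jwk))
    mac = hmac.new(b64url_decode(mac_key_b64url), f"{p64}.{payload64}".encode(), hashlib.sha256)
    return {"protected": p64, "payload": payload64, "signature": b64url(mac.digest())}


def verify_eab_jws(eab, ca_keys, account_jwk, new_account_url) -> bool:
    """Server side: look up the MAC key by kid, recompute the MAC and enforce the
    header/payload constraints. ca_keys maps kid -> base64url MAC key (constructed)."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        payload = json.loads(b64url_decode(eab["payload"]))
    except (KeyError, ValueError):
        return False
    key = ca_keys.get(protected.get("kid"))
    if key is None or protected.get("alg") != "HS256" or "nonce" in protected:
        return False
    if protected.get("url") != new_account_url or payload != account_jwk:
        return False  # binding must cover the very key that signs the outer JWS
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(b64url_decode(key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def new_account_payload(contact, eab):
    """newAccount body (section 7.3): the only message that carries the EAB."""
    return {"termsOfServiceAgreed": True, "contact": contact, "externalAccountBinding": eab}


def new_order_payload(domains):
    """newOrder body (section 7.4): identifiers only; the account is named by the outer JWS kid."""
    return {"identifiers": [{"type": "dns", "value": d} for d in domains]}
```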

dansou901 commented 1 year ago

Ok, maybe with the ACME clients I used before, registering the account was included in the step of issuing the certificates, so I never separated those steps. So it should be enough to just clear out the challenges. Thanks!

felixfontein commented 1 year ago

I created a PR for this: #615

Could you please test it? Thanks!

dansou901 commented 1 year ago

I will test this first thing tomorrow. Thanks for the quick reactions!

dansou901 commented 1 year ago

Just tested and could successfully request a certificate with the "no challenge" option. PR can be merged now (as soon as CI is green of course). Thanks for the quick fix!