cert-manager / cert-manager

Automatically provision and manage TLS certificates in Kubernetes
https://cert-manager.io
Apache License 2.0
11.9k stars, 2.05k forks

ACME account registration rejected due to missing TOS field #3022

Closed grindsa closed 4 years ago

grindsa commented 4 years ago

Hi,

We are running cert-manager against our acme-proxy acme2certifier that requires an acceptance of the terms-of-service during account registration. According to RFC8555 this can be achieved by sending the field “termsOfServiceAgreed” with value “True” in the body of the account registration request.

Is there an option we can set as part of the Issuer configuration forcing cert-manager to include this field? Thank you for your help and have a nice day. /G.

Environment details:

/kind bug

meyskens commented 4 years ago

We should already do this in https://github.com/jetstack/cert-manager/blob/46eaf3d1a4b5e977b612393300f0f11978ebf72e/pkg/issuer/acme/setup.go#L321

Not sure why acme2certifier is not accepting this. Does it use anything like EAB? Do you have any error logs where this is shown? Thanks!

munnerz commented 4 years ago

Are you by any chance requiring the acceptTOS field on onlyReturnExisting: "true" requests as well? If an account is already registered, a call to this endpoint should return a Location header pointing to the registered account URL (as well as potentially a copy of the Account object).

We have not seen this kind of report against other ACME server implementations, and we currently run our end-to-end suite with the Pebble ACME server in strict mode, so I suspect that this is a bug/divergence from the spec in your own ACME implementation rather than in cert-manager.

grindsa commented 4 years ago

I did some further investigation. It seems that cert-manager sets the "termsOfServiceAgreed" field only if there is a "termsOfService" URL as part of the response to a directory resource request. Although this behavior differs from that of other ACME clients, it makes perfect sense.

We adapted the behavior in acme2certifier and were able to register an account successfully.

Thank you for your help.
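The rule the thread converges on is grounded in RFC 8555 section 7.3.3: a server that wants clients to agree to terms MUST advertise the URL in the directory's meta.termsOfService and then reject newAccount requests lacking termsOfServiceAgreed: true, so a client that only sends the field when the directory advertises a ToS is spec-compliant. The following Go program is an added example written for this page, not code from cert-manager or acme2certifier: it builds the newAccount payload from a constructed directory response using that rule, and pairs it with a server-side check in the spirit of the acme2certifier fix. The directory JSON, URLs and the decision to skip the ToS check on onlyReturnExisting lookups (following munnerz's comment above) are assumptions for illustration; the JWS signing, nonce handling and HTTP exchange that surround the payload are out of scope.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample directory responses (assumption: not captured from any real CA),
// shaped like the directory object in RFC 8555 section 7.1.1.
const dirWithToS = `{
  "newNonce": "https://ca.example/acme/new-nonce",
  "newAccount": "https://ca.example/acme/new-account",
  "meta": {"termsOfService": "https://ca.example/terms.pdf"}
}`

const dirWithoutToS = `{
  "newNonce": "https://ca.example/acme/new-nonce",
  "newAccount": "https://ca.example/acme/new-account",
  "meta": {}
}`

// Directory is the subset of the ACME directory object needed for registration.
type Directory struct {
	NewAccount string `json:"newAccount"`
	Meta       struct {
		TermsOfService string `json:"termsOfService"`
	} `json:"meta"`
}

// NewAccountRequest is the JWS payload of a newAccount request (RFC 8555 section 7.3).
// omitempty means a false termsOfServiceAgreed is left out of the body entirely,
// which matches what the reporter observed: the field appears only when set to true.
type NewAccountRequest struct {
	Contact              []string `json:"contact,omitempty"`
	TermsOfServiceAgreed bool     `json:"termsOfServiceAgreed,omitempty"`
	OnlyReturnExisting   bool     `json:"onlyReturnExisting,omitempty"`
}

// BuildNewAccountRequest applies the client-side rule from the thread: agree to the
// terms only when the directory's meta advertises a termsOfService URL.
func BuildNewAccountRequest(directoryJSON string, contacts []string, onlyReturnExisting bool) (NewAccountRequest, error) {
	var dir Directory
	if err := json.Unmarshal([]byte(directoryJSON), &dir); err != nil {
		return NewAccountRequest{}, fmt.Errorf("parse directory: %w", err)
	}
	req := NewAccountRequest{Contact: contacts, OnlyReturnExisting: onlyReturnExisting}
	if dir.Meta.TermsOfService != "" {
		req.TermsOfServiceAgreed = true
	}
	return req, nil
}

// EncodeNewAccount serialises the payload exactly as it would be placed in the JWS.
func EncodeNewAccount(req NewAccountRequest) ([]byte, error) {
	return json.Marshal(req)
}

// ValidateNewAccount is a server-side check (assumption: modelled on the fix the
// reporter described, not acme2certifier's actual code). advertisedToS is the URL the
// server publishes in its own directory; if it publishes none, it must not demand
// agreement. onlyReturnExisting lookups never create an account, so they are not
// gated on the terms either.
func ValidateNewAccount(advertisedToS string, payload []byte) error {
	var req NewAccountRequest
	if err := json.Unmarshal(payload, &req); err != nil {
		return fmt.Errorf("parse newAccount payload: %w", err)
	}
	if req.OnlyReturnExisting {
		return nil
	}
	if advertisedToS != "" && !req.TermsOfServiceAgreed {
		return errors.New("newAccount rejected: termsOfServiceAgreed must be true for " + advertisedToS)
	}
	return nil
}

func main() {
	for name, dir := range map[string]string{"with-tos": dirWithToS, "without-tos": dirWithoutToS} {
		req, err := BuildNewAccountRequest(dir, []string{"mailto:ops@example.com"}, false)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		body, _ := EncodeNewAccount(req)
		fmt.Printf("%s payload: %s\n", name, body)
		// A server that advertises a ToS accepts the first body and rejects the second.
		fmt.Printf("%s server check: %v\n", name, ValidateNewAccount("https://ca.example/terms.pdf", body))
	}
}
```

Running it shows that against a directory without meta.termsOfService the payload carries no termsOfServiceAgreed field at all, and that a server which nevertheless insists on the field (the original acme2certifier behaviour) rejects it; the mismatch is resolved on whichever side is out of step with section 7.3.3.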