dehydrated-io / dehydrated

letsencrypt/acme client implemented as a shell-script – just add water
https://dehydrated.io
MIT License

RFC8555#7.3.4 #854

Closed CasualRascal closed 2 years ago

CasualRascal commented 2 years ago

I ran into a problem with SSL.com

The CA also allows issuing free SSL certificates, but it requires users to sign up for an account on their website and provide an account key and HMAC key when creating an ACME account via the ACME client.

This behavior is described on this page of their website and is also described in RFC8555#7.3.4

Please add this capability to dehydrated.

P.S. this is a beautiful script, I love it. Please keep up the great work.

lukas2511 commented 2 years ago

Dehydrated fully supports EAB, just set EAB_KID and EAB_HMAC_KEY in your config file. Guess this should be a bit better documented, but that's something I've been working on anyway.

CasualRascal commented 2 years ago

You are right, it works* both with the parameter --ca https://acme.ssl.com/sslcom-dv-ecc and --ca https://acme.ssl.com/sslcom-dv-rsa.

I tried adding a preset for it but the preset would not work at all.

--- dehydrated  2022-01-13 19:08:55.674048326 +0100
+++ dehydrated-sslcom   2022-01-13 19:11:09.250614925 +0100
@@ -344,9 +344,11 @@
   CA_LETSENCRYPT_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"
   CA_BUYPASS="https://api.buypass.com/acme/directory"
   CA_BUYPASS_TEST="https://api.test4.buypass.no/acme/directory"
+  CA_SSLCOM_RSA="https://acme.ssl.com/sslcom-dv-rsa"
+  CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc"

   # Default values
-  CA="letsencrypt"
+  CA="sslcom-rsa"
   OLDCA=
   CERTDIR=
   ALPNCERTDIR=
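
Review bot: The default at `CA="sslcom-rsa"` should stay `CA="letsencrypt"`. The two added CA_SSLCOM_* URLs are enough to define the presets; changing the default moves every installation that does not set CA explicitly to a CA that, per this thread, needs an account key and HMAC key before an account can be created. Select the preset through the config file or --ca instead.
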
@@ -470,6 +472,10 @@
     CA="${CA_BUYPASS}"
   elif [ "${CA}" = "buypass-test" ]; then
     CA="${CA_BUYPASS_TEST}"
+  elif [ "${CA}" = "sslcom-rsa" ]; then
+    CA="${CA_SSLCOM_RSA}"
+  elif [ "${CA}" = "sslcom-ecc" ]; then
+    CA="${CA_SSLCOM_ECC}"
   fi

   if [[ -z "${OLDCA}" ]] && [[ "${CA}" = "https://acme-v02.api.letsencrypt.org/directory" ]]; then
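
Review bot: The new `sslcom-rsa` and `sslcom-ecc` branches resolve the URL, but nothing here checks that EAB_KID and EAB_HMAC_KEY are set, which this thread says the CA requires for account creation. Consider failing early with a clear message when either preset is selected without them, and list the two preset names wherever the existing ones (buypass, buypass-test) are documented.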

Could you add the presets? I am definitely missing something.

*I have been able to create an account and request valid certificates, however there is no API support. Something like the Zero SSL special sauce, but SSL.com flavored. For my purposes, this does not concern me.

adrian5 commented 10 months ago

> Dehydrated fully supports EAB, just set EAB_KID and EAB_HMAC_KEY in your config file. Guess this should be a bit better documented, but that's something I've been working on anyway.

I think adding this to examples/config would be helpful. That's where I looked for it before landing here.