jcmoraisjr / haproxy-ingress

HAProxy Ingress
https://haproxy-ingress.github.io
Apache License 2.0

External Account Binding for haproxy-ingress acme client #872

Open outerim opened 2 years ago

outerim commented 2 years ago

Since letsencrypt’s old root cert expiration (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/) we’ve had an issue with some older clients being unable to reach services encrypted with cert-signer: acme. I’m aware that there are some other acme supporting certificate signers out there and zerossl looks interesting. I believe their browser support will be broader than letsencrypt. Theoretically this should be as simple as dropping in a new endpoint into the haproxy-ingress acme configuration. Unfortunately some acme providers require what are called EAB credentials (External Account Binding), essentially like an API token or some such that allows you to reference an account created in their system. haproxy-ingress doesn’t support EAB auth in its acme client.

I've done some cursory looking at other go acme clients that support EAB and it doesn't seem like it would be too challenging to implement. I'm open to taking a stab at this but was curious.

Is this of general interest to the community?

Has anyone else done work in this vein already I could piggyback off of?

Is there a reason we wouldn't want to incorporate ACME EAB into haproxy-ingress?
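
For readers evaluating the request above, here is what an EAB exchange actually consists of, as an added example that is not part of haproxy-ingress or of this issue. It follows RFC 8555 section 7.3.4: the client signs its ACME account public key (as a JWK) with the CA-issued HMAC key, using a protected header that names `HS256`, the EAB key identifier (`kid`) and the newAccount URL, and the CA checks that MAC and that the bound key is the same key that signed the outer request. Both sides are shown so the binding check is visible. The `kid`, MAC key, URL and P-256 account key are constructed sample values, not credentials from any real provider.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// EABJWS is the flattened JWS sent in the newAccount request body under
// "externalAccountBinding" (RFC 8555 section 7.3.4).
type EABJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// ecJWK is a P-256 public key in JWK form (RFC 7518 section 6.2.1).
type ecJWK struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

var b64 = base64.RawURLEncoding

// AccountJWK renders the ACME account public key as a JWK. The same
// JWK appears in the outer JWS header and is the payload bound by the EAB.
func AccountJWK(pub *ecdsa.PublicKey) ecJWK {
	return ecJWK{
		Crv: "P-256",
		Kty: "EC",
		X:   b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y:   b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32))),
	}
}

// BuildEAB is the client side: sign the account JWK with the CA-issued
// MAC key. kid and macKeyB64 are the credentials the CA hands out; the
// key is base64url, accepted with or without '=' padding.
func BuildEAB(kid, macKeyB64, newAccountURL string, pub *ecdsa.PublicKey) (*EABJWS, error) {
	macKey, err := b64.DecodeString(strings.TrimRight(macKeyB64, "="))
	if err != nil {
		return nil, fmt.Errorf("decode EAB MAC key: %w", err)
	}
	hdr, _ := json.Marshal(struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
		URL string `json:"url"`
	}{"HS256", kid, newAccountURL})
	payload, _ := json.Marshal(AccountJWK(pub))
	p, pl := b64.EncodeToString(hdr), b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(p + "." + pl)) // JWS signing input: BASE64URL(header).BASE64URL(payload)
	return &EABJWS{Protected: p, Payload: pl, Signature: b64.EncodeToString(mac.Sum(nil))}, nil
}

// VerifyEAB is the CA side. macKeys maps kid to the MAC key on file and
// outer is the account JWK taken from the outer newAccount JWS. It returns
// the kid the new account gets bound to, or an error naming the failed check.
func VerifyEAB(e *EABJWS, macKeys map[string][]byte, newAccountURL string, outer ecJWK) (string, error) {
	hdrBytes, err := b64.DecodeString(e.Protected)
	if err != nil {
		return "", err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
		URL string `json:"url"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return "", err
	}
	if hdr.Alg != "HS256" {
		return "", errors.New("eab: unsupported alg")
	}
	if hdr.URL != newAccountURL {
		return "", errors.New("eab: url does not match the newAccount resource")
	}
	key, ok := macKeys[hdr.Kid]
	if !ok {
		return "", errors.New("eab: unknown kid")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(e.Protected + "." + e.Payload))
	sig, err := b64.DecodeString(e.Signature)
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return "", errors.New("eab: bad MAC")
	}
	plBytes, err := b64.DecodeString(e.Payload)
	if err != nil {
		return "", err
	}
	var inner ecJWK
	if err := json.Unmarshal(plBytes, &inner); err != nil {
		return "", err
	}
	// The key inside the EAB must be the key that signed the outer request;
	// otherwise a captured EAB could bind someone else's account key.
	if inner != outer {
		return "", errors.New("eab: inner JWK differs from the account key")
	}
	return hdr.Kid, nil
}

func main() {
	acct, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	macKey := make([]byte, 32) // constructed sample MAC key, not a real credential
	rand.Read(macKey)
	kid, url := "example-kid", "https://acme.example.test/acme/new-account"
	e, _ := BuildEAB(kid, b64.EncodeToString(macKey), url, &acct.PublicKey)
	fmt.Println(VerifyEAB(e, map[string][]byte{kid: macKey}, url, AccountJWK(&acct.PublicKey)))
}
```

The operational point for an ingress controller is that the `kid` and MAC key are long-lived secrets tied to the CA account, so they belong in a Secret rather than in an annotation, and the MAC check plus the inner/outer key comparison are what make the binding meaningful.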

jcmoraisjr commented 2 years ago

Hi thanks for the suggestion and sorry about taking so long for the answer.

The proposed improvement is very welcome provided that backward compatibility is maintained, as much as the help in evolving it. The internals that maintain the current acme signer implementation are a bit awkward, but you probably just need to understand what the interface expects and you should be fine. Let me know if I can help in any way; you can find me on Slack. I'm not aware of any improvement related to it, so your effort won't be duplicated for sure.