tykeal closed 3 years ago
@tykeal, could you describe the steps you took to force the default CA?
@oxc, I ended up having to do the following on my puppet controller:
sudo -i
cd /opt/acme.sh
./acme.sh --set-default-ca --server letsencrypt --home /etc/acme.sh
I also needed to do:
./acme.sh --set-default-ca --server letsencrypt --home /etc/acme.sh --accountconf /etc/acme.sh/accounts/<registered_email>/account_production.conf
./acme.sh --set-default-ca --server letsencrypt --home /etc/acme.sh --accountconf /etc/acme.sh/accounts/<registered_email>/account_staging.conf
The first one just fixes it for any new registered accounts. It didn't fix it for the already registered accounts.
I'll note I discovered this because of some upgrades I was doing, and it caused my acme.sh install to get fully updated to latest. It then tried to use zerossl even though, according to the documentation, it's supposed to use whatever registrar your certs are with, but it kept failing because I have not actively registered a zerossl account, which seems to be required.
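To find which already registered account configs still need the per-account fix described above, a check like the following can be run on the controller. It is an added example, not part of the original thread or of the module; it assumes acme.sh records the default CA as a `DEFAULT_ACME_SERVER` line in each account conf, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: list acme.sh account configs not pinned to the expected CA.
# Assumption: --set-default-ca stores its choice in the account conf as
#   DEFAULT_ACME_SERVER='<ACME directory URL>'

# Let's Encrypt production directory URL (what "--server letsencrypt" selects).
LE_DIRECTORY="https://acme-v02.api.letsencrypt.org/directory"

# unpinned_account_confs HOME_DIR [EXPECTED_URL]
# Prints one line per HOME_DIR/accounts/*/account_*.conf whose default CA is
# missing or differs from EXPECTED_URL, as "<file>: <found value or MISSING>".
unpinned_account_confs() {
    home_dir=$1
    expected=${2:-$LE_DIRECTORY}
    for conf in "$home_dir"/accounts/*/account_*.conf; do
        [ -f "$conf" ] || continue    # glob matched nothing
        # Use the last assignment in the file; strip the key and any quotes.
        found=$(sed -n 's/^DEFAULT_ACME_SERVER=//p' "$conf" | tail -n 1 | tr -d "'\"")
        if [ -z "$found" ]; then
            echo "$conf: MISSING"
        elif [ "$found" != "$expected" ]; then
            echo "$conf: $found"
        fi
    done
}

# Audit a real home only when a directory is given, e.g.: sh audit.sh /etc/acme.sh
if [ -n "${1:-}" ]; then unpinned_account_confs "$1"; fi
```

Each file it reports is a candidate for the `--set-default-ca ... --accountconf <file>` call shown above.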
I'll add new parameters to specify the CA and it will of course default to Let's Encrypt.
I'll note that according to the help in acme.sh it's possible to pass the server as a CLI parameter, so maybe that would be the best way forward for all the calls that are generated by the module? Alternatively, if the default CA does get set then when doing CLI troubleshooting it would be easier ;)
Thanks for the hint. That's how I've implemented it. Give me some time to test it before issuing a new release.
Version 3.0.0 has just been released; it should fix this issue. In order to properly address this I had to introduce some backwards-incompatible changes, but I think this aligns with the recent changes in acme.sh and is acceptable in this regard.
Please let me know if you find any issues in the new release, I'm prepared to issue a hotfix.
New versions of acme.sh now default to zerossl which fails, especially if you've been using LetsEncrypt for a while.
It would be good to add configuration to the module to allow selection of the different CAs. Right now the only option is 'production' or 'staging' and that assumes an LE CA. However, acme.sh now has support for several different servers other than just LE.
See: https://github.com/acmesh-official/acme.sh/wiki/Server
I had to go force my default ca on my account configs to get around this after doing an upgrade!