markt-de / puppet-acme

Centralized SSL certificate management using acme.sh and the ACME protocol
https://forge.puppet.com/markt/acme
Apache License 2.0

acme.sh now defaults to zerossl #33

Closed tykeal closed 3 years ago

tykeal commented 3 years ago

New versions of acme.sh now default to ZeroSSL, which fails, especially if you've been using LetsEncrypt for a while.

It would be good to add configuration to the module to allow selecting one of the different CAs. Right now the only option is 'production' or 'staging', and that assumes an LE CA. However, acme.sh now has support for several different servers other than just LE.

See: https://github.com/acmesh-official/acme.sh/wiki/Server

I had to go force my default ca on my account configs to get around this after doing an upgrade!

oxc commented 3 years ago

@tykeal, could you describe the steps you took to force the default CA?

tykeal commented 3 years ago

@oxc, I ended up having to do the following on my puppet controller:

sudo -i
cd /opt/acme.sh
# Pin Let's Encrypt as the default CA for the acme.sh home directory
./acme.sh --set-default-ca --server letsencrypt --home /etc/acme.sh

I also needed to do

# Repeat per already-registered account config (production and staging)
./acme.sh --set-default-ca --server letsencrypt --home /etc/acme.sh --accountconf /etc/acme.sh/accounts/<registered_email>/account_production.conf
./acme.sh --set-default-ca --server letsencrypt --home /etc/acme.sh --accountconf /etc/acme.sh/accounts/<registered_email>/account_staging.conf

The first one just fixes it for any new registered accounts. It didn't fix it for the already registered accounts.

I'll note I discovered this because of some upgrades I was doing, which caused my acme.sh install to get fully updated to the latest version. It then tried to use ZeroSSL even though, according to the documentation, it's supposed to use whatever registrar your certs are with, but it kept failing because I have not actively registered a ZeroSSL account, which seems to be required.
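The commands above pin the CA for the home directory and then for each account config by hand. The script below is an added example, not code from puppet-acme or acme.sh: it walks every account config under the acme.sh home (assuming the `<home>/accounts/<email>/account_*.conf` layout shown in the comment), runs `--set-default-ca` for each, and then checks that each file actually carries the `DEFAULT_ACME_SERVER` key acme.sh writes for that option. The paths, the acme.sh location and the CA name are assumptions and can be overridden through the environment; the live install is only touched when the script is invoked with `--apply`.

```shell
#!/bin/sh
# Added example (not from puppet-acme or acme.sh): pin one CA as the acme.sh
# default for the home directory and for every already-registered account
# config, then verify the result. Paths and the CA are assumptions.
set -eu

ACME_HOME="${ACME_HOME:-/etc/acme.sh}"
ACME_SH="${ACME_SH:-/opt/acme.sh/acme.sh}"
CA_NAME="${CA_NAME:-letsencrypt}"
# Directory URL the acme.sh "letsencrypt" shortcut resolves to.
CA_URL="${CA_URL:-https://acme-v02.api.letsencrypt.org/directory}"

# Print each per-account config under <home>/accounts/<email>/account_*.conf
# (the layout shown in the thread), one path per line; nothing if none exist.
list_account_confs() {
  for conf in "$1"/accounts/*/account_*.conf; do
    if [ -f "$conf" ]; then
      echo "$conf"
    fi
  done
  return 0
}

# Succeed if the config already pins DEFAULT_ACME_SERVER (the key acme.sh
# saves for --set-default-ca, quoted with single quotes) to the given URL.
conf_pins_server() {
  grep -qE "^DEFAULT_ACME_SERVER='?$2'?\$" "$1"
}

# Count the account configs under <home> that do not yet pin <url>.
count_unpinned() {
  n=0
  for conf in $(list_account_confs "$1"); do
    if ! conf_pins_server "$conf" "$2"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Set the default CA for the home dir and for each account config, then
# fail loudly if any config still lacks the pin (the case tykeal hit).
apply_default_ca() {
  "$ACME_SH" --set-default-ca --server "$CA_NAME" --home "$ACME_HOME"
  for conf in $(list_account_confs "$ACME_HOME"); do
    "$ACME_SH" --set-default-ca --server "$CA_NAME" --home "$ACME_HOME" \
      --accountconf "$conf"
  done
  left=$(count_unpinned "$ACME_HOME" "$CA_URL")
  if [ "$left" -ne 0 ]; then
    echo "error: $left account config(s) still not pinned to $CA_URL" >&2
    return 1
  fi
  echo "all account configs under $ACME_HOME pin $CA_URL"
}

# Only touch the live install when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
  apply_default_ca
fi
```

Run it as `ACME_HOME=/etc/acme.sh ACME_SH=/opt/acme.sh/acme.sh sh pin-ca.sh --apply` on the controller; `count_unpinned "$ACME_HOME" "$CA_URL"` alone is a harmless read-only check you can run before and after an acme.sh upgrade to see whether any account still lacks a pinned CA.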

fraenki commented 3 years ago

I'll add new parameters to specify the CA and it will of course default to Let's Encrypt.

tykeal commented 3 years ago

I'll note that according to the help in acme.sh it's possible to pass the server as a CLI parameter, so maybe that would be the best way forward for all the calls that are generated by the module? Alternatively, if the default CA does get set then when doing CLI troubleshooting it would be easier ;)

fraenki commented 3 years ago

Thanks for the hint. That's how I've implemented it. Give me some time to test it before issuing a new release.

fraenki commented 3 years ago

Version 3.0.0 has just been released; it should fix this issue. In order to properly address this I had to introduce some backwards-incompatible changes, but I think this aligns with the recent changes in acme.sh and is acceptable in this regard.

Please let me know if you find any issues in the new release, I'm prepared to issue a hotfix.