Closed strophy closed 3 years ago
It's not yet possible to specify externalAccountBinding, but if you are willing to test I will implement it. It's not too difficult. Let me know.
Hi, I have since verified ZeroSSL does not support RFC 8738, and probably won't until their upstream CA (Sectigo) implements it. Either way, supporting externalAccountBinding would be a cool feature for uacme and I would be happy to test this against ZeroSSL.
Ok. It would help a lot if you could confirm that the credentials for the account binding provided by ZeroSSL look similar to the following:
"eab_kid": "GD-VvWydSVFuss_GhBwYQQ", "eab_hmac_key": "MjXU3MH-Z0WQ7piMAnVsCpD1shgMiWx6ggPWiTmydgUaj7dWWWfQfA"
EAB KID is the same, 22 chars of case-sensitive alphanumeric with underscore and hyphen allowed. EAB HMAC Key looks different, it is 86 chars long, case-sensitive alphanumeric with underscore and hyphen allowed
@strophy Please try the new command line option -e KID:KEY (separate the two strings with a colon, do not include quotes). Let me know if it works so I can make a new release.
Thanks, looks like it is working fine. I cloned the repo and built from master, output is as follows (with KID:KEY redacted):
strophy@X250:~/Code/uacme-cert$ uacme -a https://acme.zerossl.com/v2/DV90 -v -c . new
uacme: version 1.5-dev starting on Sat, 05 Dec 2020 14:50:26 -0800
uacme: loading key from ./private/key.pem
uacme: fetching directory at https://acme.zerossl.com/v2/DV90
uacme: creating new account at https://acme.zerossl.com/v2/DV90/newAccount
uacme: This ACME server requires external credentials. Please supply them with -e KEYID:KEY
strophy@X250:~/Code/uacme-cert$ uacme -a https://acme.zerossl.com/v2/DV90 -v -e <KEYID>:<KEY> -c . new
uacme: version 1.5-dev starting on Sat, 05 Dec 2020 14:51:34 -0800
uacme: loading key from ./private/key.pem
uacme: fetching directory at https://acme.zerossl.com/v2/DV90
uacme: creating new account at https://acme.zerossl.com/v2/DV90/newAccount
uacme: type 'y' to accept the terms at https://secure.trust-provider.com/repository/docs/Legacy/20181101_CertificateSubscriberAgreement_v_2_1_click.html
y
uacme: account created at https://acme.zerossl.com/v2/DV90/account/<KEYID>
strophy@X250:~/Code/uacme-cert$
Thanks for adding this feature!
You're welcome. It's now released in 1.6. It will shortly be pushed to Debian too.
Hi, this is probably two issues in one ;) I need to automate certificate installation for a large network of decentralized clients with static IP addresses but no domain. I came across RFC 8738, I believe uacme is one of the first ACME clients to support this new standard? Let's Encrypt doesn't support it yet (it's in pebble but not boulder), which CA did you test against?
For now I'm trying to use it with ZeroSSL, which supports ACME and IP certificates, but I'm getting the following authentication error (probably unrelated to RFC 8738):
Is it possible to specify an externalAccountBinding with uacme? Thanks for thoughts on these issues!
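For reference, this is how the binding supplied through `-e KID:KEY` is constructed under RFC 8555 section 7.3.4, shown as an added example that is not uacme's code and not part of the original thread. It assumes HS256 as the MAC algorithm and a base64url-encoded KEY; the credentials, account JWK and URL are constructed sample values.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Decode base64url text, restoring the padding that JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_eab(arg: str):
    """Split a KID:KEY argument; the base64url alphabet never contains ':'."""
    kid, sep, key = arg.partition(":")
    if not sep or not kid or not key:
        raise ValueError("expected KID:KEY")
    return kid, b64url_decode(key)  # assumption: KEY is base64url text

def eab_jws(kid: str, mac_key: bytes, account_jwk: dict, new_account_url: str) -> dict:
    """Build the externalAccountBinding object for a newAccount request."""
    # Protected header: MAC algorithm, CA-issued key id, newAccount URL; no nonce.
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    # Payload: the public JWK of the ACME account key being bound.
    payload = b64url(json.dumps(account_jwk).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab(jws: dict, mac_key: bytes) -> bool:
    """CA-side check: recompute the MAC and compare in constant time."""
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))

# Constructed sample values (not real credentials or a real account key).
# A 64-byte key encodes to 86 base64url characters.
SAMPLE_ARG = "kid-example_0123456789:" + b64url(bytes(range(64)))
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_URL = "https://acme.example/v2/newAccount"

if __name__ == "__main__":
    kid, key = parse_eab(SAMPLE_ARG)
    print(json.dumps(eab_jws(kid, key, SAMPLE_JWK, SAMPLE_URL), indent=2))
```

Because the MAC covers the account public key, the CA can tie the new ACME account to the existing customer account without the HMAC key ever being sent in the request.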