ndilieto / uacme

ACMEv2 client written in plain C with minimal dependencies
GNU General Public License v3.0

RFC 8738 support / externalAccountBinding problem with ZeroSSL API? #40

Closed strophy closed 3 years ago

strophy commented 3 years ago

Hi, this is probably two issues in one ;) I need to automate certificate installation for a large network of decentralized clients with static IP addresses but no domain. I came across RFC 8738, I believe uacme is one of the first ACME clients to support this new standard? Let's Encrypt doesn't support it yet (it's in pebble but not boulder), which CA did you test against?

For now I'm trying to use it with ZeroSSL, which supports ACME and IP certificates, but I'm getting the following authentication error (probably unrelated to RFC 8738):

uacme: version 1.5 starting on Sun, 29 Nov 2020 18:11:04 -0800
uacme: loading key from ./private/key.pem
uacme: fetching directory at https://acme.zerossl.com/v2/DV90
uacme: creating new account at https://acme.zerossl.com/v2/DV90/newAccount
uacme: type 'y' to accept the terms at https://secure.trust-provider.com/repository/docs/Legacy/20181101_CertificateSubscriberAgreement_v_2_1_click.html
y
uacme: failed to create account at https://acme.zerossl.com/v2/DV90/newAccount
uacme: the server reported the following error:
{
    "type": "urn:ietf:params:acme:error:externalAccountRequired",
    "status": 400,
    "detail": "The request must include a value for the \"externalAccountBinding\" field"
}

Is it possible to specify an externalAccountBinding with uacme? Thanks for thoughts on these issues!

ndilieto commented 3 years ago

It's not yet possible to specify externalAccountBinding, but if you are willing to test I will implement it. It's not too difficult. Let me know

strophy commented 3 years ago

Hi, I have since verified ZeroSSL does not support RFC 8738, and probably won't until their upstream CA (Sectigo) implements it. Either way, supporting externalAccountBinding would be a cool feature for uacme and I would be happy to test this against ZeroSSL.

ndilieto commented 3 years ago

Ok. It would help a lot if you could confirm that the credentials for the account binding provided by ZeroSSL look similar to the following:

"eab_kid": "GD-VvWydSVFuss_GhBwYQQ", "eab_hmac_key": "MjXU3MH-Z0WQ7piMAnVsCpD1shgMiWx6ggPWiTmydgUaj7dWWWfQfA"

strophy commented 3 years ago

EAB KID is the same, 22 chars of case-sensitive alphanumeric with underscore and hyphen allowed. EAB HMAC Key looks different, it is 86 chars long, case-sensitive alphanumeric with underscore and hyphen allowed

ndilieto commented 3 years ago

@strophy

Please try the new command line option -e KID:KEY (separate the two strings with a colon, do not include quotes). Let me know if it works so I can make a new release.
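
What the -e KID:KEY option has to produce on the wire is the externalAccountBinding object of RFC 8555 section 7.3.4: a JWS whose protected header carries alg HS256, the CA-issued kid and the newAccount URL, whose payload is the ACME account's public key as a JWK, and whose signature is an HMAC-SHA256 over those two parts using the base64url-decoded eab_hmac_key. The block below is an added example written for this thread, not uacme's source; it builds and verifies that object with only the Python standard library. The kid is the sample string from the thread; the 86-character HMAC key, the P-256 JWK coordinates and the function names (parse_eab_option, external_account_binding, verify_eab) are constructed for illustration. A real client would additionally wrap the newAccount body in the outer account-key JWS that carries the nonce.

```python
"""externalAccountBinding (RFC 8555 section 7.3.4) built from a KID:KEY string.

Added example for the uacme issue thread; this is not uacme's code.
All credentials and keys below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding JWS (RFC 7515) mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url; CAs hand out eab_hmac_key in this form."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_eab_option(opt: str) -> Tuple[str, bytes]:
    """Split a KID:KEY string (the shape of the -e option) and decode the key.
    The kid is split on the first colon only; kid and key must both be present."""
    kid, sep, key = opt.partition(":")
    if not sep or not kid or not key:
        raise ValueError("expected KID:KEY")
    return kid, b64url_decode(key)


def external_account_binding(kid: str, hmac_key: bytes,
                             account_jwk: dict, new_account_url: str) -> dict:
    """Return the JWS placed in the newAccount request's externalAccountBinding field.

    protected = {"alg": "HS256", "kid": <eab kid>, "url": <newAccount URL>}
    payload   = the ACME account public key as a JWK
    signature = HMAC-SHA256(eab_hmac_key, protected "." payload)

    Unlike the outer request JWS, this inner JWS carries no nonce and no jwk header.
    """
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":"), sort_keys=True).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(hmac_key, signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(sig)}


def verify_eab(eab: dict, hmac_key: bytes) -> bool:
    """The CA-side check: recompute the MAC and compare in constant time."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(hmac_key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def new_account_payload(eab: dict) -> dict:
    """Body of the newAccount request with the binding attached."""
    return {"termsOfServiceAgreed": True, "externalAccountBinding": eab}


# Constructed credentials with the shape the thread reports: 22-char kid (the
# thread's own sample) and an 86-char base64url key, i.e. 64 raw bytes.
EXAMPLE_HMAC_KEY = b64url(bytes(range(64)))
EXAMPLE_EAB_OPTION = "GD-VvWydSVFuss_GhBwYQQ:" + EXAMPLE_HMAC_KEY
NEW_ACCOUNT_URL = "https://acme.zerossl.com/v2/DV90/newAccount"
# Constructed account key: a P-256 JWK whose coordinates are placeholder bytes.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

if __name__ == "__main__":
    kid, key = parse_eab_option(EXAMPLE_EAB_OPTION)
    eab = external_account_binding(kid, key, EXAMPLE_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(new_account_payload(eab), indent=2))
    print("verifies:", verify_eab(eab, key))
```

The length check that parse_eab_option implies is a useful sanity test on a new CA's credentials: an 86-character key must decode to exactly 64 bytes, and a key that fails to decode as base64url is almost always a copy-and-paste error rather than a server problem.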

strophy commented 3 years ago

Thanks, looks like it is working fine. I cloned the repo and built from master, output is as follows (with KID:KEY redacted):

strophy@X250:~/Code/uacme-cert$ uacme -a https://acme.zerossl.com/v2/DV90 -v -c . new
uacme: version 1.5-dev starting on Sat, 05 Dec 2020 14:50:26 -0800
uacme: loading key from ./private/key.pem
uacme: fetching directory at https://acme.zerossl.com/v2/DV90
uacme: creating new account at https://acme.zerossl.com/v2/DV90/newAccount
uacme: This ACME server requires external credentials. Please supply them with -e KEYID:KEY
strophy@X250:~/Code/uacme-cert$ uacme -a https://acme.zerossl.com/v2/DV90 -v -e <KEYID>:<KEY> -c . new
uacme: version 1.5-dev starting on Sat, 05 Dec 2020 14:51:34 -0800
uacme: loading key from ./private/key.pem
uacme: fetching directory at https://acme.zerossl.com/v2/DV90
uacme: creating new account at https://acme.zerossl.com/v2/DV90/newAccount
uacme: type 'y' to accept the terms at https://secure.trust-provider.com/repository/docs/Legacy/20181101_CertificateSubscriberAgreement_v_2_1_click.html
y
uacme: account created at https://acme.zerossl.com/v2/DV90/account/<KEYID>
strophy@X250:~/Code/uacme-cert$

Thanks for adding this feature!

ndilieto commented 3 years ago

> Thanks for adding this feature!

You're welcome. It's now released in 1.6. It will shortly be pushed to debian too.

https://github.com/ndilieto/uacme/releases/tag/upstream/1.6