vancluever / terraform-provider-acme

Terraform ACME provider
https://registry.terraform.io/providers/vancluever/acme/latest
Mozilla Public License 2.0

External Account Binding #93

Closed Sectigo-MarcW closed 3 years ago

Sectigo-MarcW commented 4 years ago

The request is to support ‘external account binding’ as specified in RFC8555 for ACME support in Terraform. This will enable enterprise customers to obtain certificates from CAs that implement this feature at the server side as they may have an existing account with them. Popular ACME clients, e.g., Certbot, have implemented this feature already.

If interested in completing this work under contract for NRE, please contact me at marc.williams@sectigo.com.

vancluever commented 4 years ago

Looks like it was implemented in lego in go-acme/lego#516. This message is to just validate support in lego.

@Sectigo-MarcW I'm assuming you need the following fields added to the acme_registration resource?

   --kid value                  Key identifier from External CA. Used for External Account Binding.
   --hmac value                 MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding.
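To make concrete what those two values are used for, the following is an added example (not code from this provider or from lego) of the External Account Binding object that RFC 8555 §7.3.4 puts in the newAccount request: a JWS whose protected header carries the CA-issued key identifier (--kid), whose payload is the ACME account's public key as a JWK, and whose signature is an HMAC-SHA256 over both using the CA-issued MAC key (--hmac, base64url without padding). The CA-side check is included as well. The kid, MAC key, account key and newAccount URL are all constructed sample values; nothing here talks to a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// b64 is the base64url-without-padding encoding JOSE/ACME uses everywhere.
var b64 = base64.RawURLEncoding

// DecodeMACKey decodes the CA-issued MAC key (lego's --hmac value). The CA hands it
// out as base64url WITHOUT padding; a padded or standard-base64 copy is rejected
// here instead of silently yielding a key that never verifies. RFC 7518 §3.2
// requires an HS256 key of at least 256 bits.
func DecodeMACKey(hmacEncoded string) ([]byte, error) {
	key, err := b64.DecodeString(hmacEncoded)
	if err != nil {
		return nil, fmt.Errorf("EAB MAC key is not base64url-without-padding: %w", err)
	}
	if len(key) < 32 {
		return nil, errors.New("EAB MAC key shorter than 256 bits")
	}
	return key, nil
}

// accountJWK renders the ACME account public key as the JWK that forms the EAB payload.
// Example scope is limited to P-256 account keys.
func accountJWK(pub *ecdsa.PublicKey) ([]byte, error) {
	if pub.Curve != elliptic.P256() {
		return nil, errors.New("example only handles P-256 account keys")
	}
	pad := func(b []byte) string { // coordinates are fixed-width 32 bytes
		out := make([]byte, 32)
		copy(out[32-len(b):], b)
		return b64.EncodeToString(out)
	}
	return json.Marshal(map[string]string{
		"crv": "P-256", "kty": "EC", "x": pad(pub.X.Bytes()), "y": pad(pub.Y.Bytes()),
	})
}

// EAB is the flattened JWS JSON that goes into the "externalAccountBinding"
// field of the newAccount request body.
type EAB struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// BuildEAB is the client side: MAC the account JWK with the CA-issued key.
// Only kid, macKey and the newAccount URL come from the CA; the account key is ours.
func BuildEAB(kid string, macKey []byte, newAccountURL string, pub *ecdsa.PublicKey) (*EAB, error) {
	protected, err := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "url": newAccountURL})
	if err != nil {
		return nil, err
	}
	payload, err := accountJWK(pub)
	if err != nil {
		return nil, err
	}
	e := &EAB{Protected: b64.EncodeToString(protected), Payload: b64.EncodeToString(payload)}
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(e.Protected + "." + e.Payload)) // JWS signing input
	e.Signature = b64.EncodeToString(mac.Sum(nil))
	return e, nil
}

// VerifyEAB is the CA side: pin the algorithm to HS256 (no "alg" downgrade),
// check the kid, recompute the HMAC with the key issued for that kid, compare in constant time.
func VerifyEAB(e *EAB, macKey []byte, wantKid string) (bool, error) {
	hdrJSON, err := b64.DecodeString(e.Protected)
	if err != nil {
		return false, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return false, err
	}
	if hdr.Alg != "HS256" || hdr.Kid != wantKid {
		return false, nil
	}
	got, err := b64.DecodeString(e.Signature)
	if err != nil {
		return false, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(e.Protected + "." + e.Payload))
	return hmac.Equal(got, mac.Sum(nil)), nil
}

func main() {
	// Constructed stand-ins for the credentials a CA would issue out of band.
	const kid = "example-kid-0001"
	macKey := make([]byte, 32)
	rand.Read(macKey)
	key, err := DecodeMACKey(b64.EncodeToString(macKey))
	if err != nil {
		panic(err)
	}
	acct, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	eab, err := BuildEAB(kid, key, "https://acme.example/newAccount", &acct.PublicKey)
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(eab)
	fmt.Println(string(out))
	ok, _ := VerifyEAB(eab, key, kid)
	fmt.Println("verifies:", ok)
}
```

The practical point for a provider field: the MAC key must be decoded with the unpadded URL-safe alphabet, and the EAB is only valid for the account key it was computed over, so re-registering with a new account key needs a fresh binding.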
Sectigo-MarcW commented 4 years ago

Thank you for the fast response, Chris. I’m going to add our Director of Product Management, Abul Salek, to the thread to confirm.

Best Regards,

Marc


Sectigo-MarcW commented 4 years ago

Yes, those are the 2 parameters we need. Lego and Certbot implemented them.

Abul Salek Product Management


vancluever commented 3 years ago

Closing this in favor of #116.

As I don't really have a way to test this since EAB is an option generally used by paid CAs, I will need someone to test any PR I create. I'll wait until I have someone that can do this before working to implement it.