ansible-collections/community.crypto

Allow challenge to be empty for acme accounts with external account binding

dansou901 opened this issue · 10 comments

SUMMARY

Private CAs like Sectigo, which use external account binding, don't require challenges. It should be possible to create certificates without challenges against these endpoints.

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

community.crypto.acme_certificate

ADDITIONAL INFORMATION

For now, acme_certificate has to be run twice: first, the challenge has to be created; in the last step, the challenge has to be verified. When running against ACME endpoints which require only external account binding, acme_certificate should be run only once. The external account binding data could be organized the same way as it is used in acme_account.

Is there any way to test/reproduce this (without being a customer of Sectigo)?

I'm afraid that's not possible, sorry. But I can test for you once you have something ready. The only way I can think of is another (open) provider which offers certificates without challenges with only EAB, or you have to set up your own ACME server to test against.

Do I understand it correctly that you basically need a special value for the challenge module option, say no challenge, that tells the module to ignore the challenges, to not try to do the validate call for a challenge, but to simply wait for every authz to become valid?

(I don't want to change the way that acme_certificate needs to be called twice. The first call starts the order, the second call completes the order. Making the second call dependent on the specific challenge makes the UX of this module even worse than it already is IMO.)

Yes, that's about it. In addition to the no challenge option, we need to send EAB credentials, as already implemented in the acme_account module. When we request certificates, we don't do challenges, but just provide the EAB credentials. They are needed for registering the account as well as for requesting certificates with the registered account.

That the module needs to be called twice is fine, so the play can wait for the ACME server to issue the certificate. That can take a while sometimes at Sectigo.

EAB credentials are not needed for certificates, they are needed for setting up the account with acme_account (https://www.rfc-editor.org/rfc/rfc8555#section-7.3.4). Once the account is linked to the EAB credentials, you shouldn't need the EAB credentials again. EAB credentials aren't part of the order process (https://www.rfc-editor.org/rfc/rfc8555#section-7.4).

Ok, maybe with the ACME clients I used before, registering the account was included in the step of issuing the certificates, so I never separated those steps. So it should be enough to just clear out the challenges. Thanks!

I created a PR for this: #615

Could you please test it? Thanks!

I will test this first thing tomorrow. Thanks for the quick reactions!

Just tested and could successfully request a certificate with the "no challenge" option. PR can be merged now (as soon as CI is green of course). Thanks for the quick fix!
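The flow the thread converges on (EAB presented once at account registration per RFC 8555 section 7.3.4, then the usual two acme_certificate calls with the "no challenge" value and no validation step), written out as an added example playbook. This is not code from the issue, the PR, or the community.crypto project; the directory URL, file paths, contact address and EAB values are placeholders, and the EAB field names (`kid`, `alg`, `key`) follow the existing acme_account option as the thread references it.

```yaml
---
# Added example (not from the community.crypto project or this issue's PR):
# register the ACME account once with external account binding, then issue a
# certificate with the "no challenge" value using the module's normal two calls.
# All URLs, paths, the contact address and the EAB values are placeholders.
- name: Issue a certificate from an EAB-only ACME CA without challenges
  hosts: localhost
  vars:
    acme_directory: https://acme.example-ca.invalid/directory   # placeholder CA directory URL
    account_key: /etc/pki/acme/account.key                     # placeholder account key path
    csr_path: /etc/pki/tls/csr/www.example.com.csr             # placeholder CSR path
    cert_path: /etc/pki/tls/certs/www.example.com.crt          # placeholder output path
    eab_kid: "EAB-KID-PLACEHOLDER"                             # key identifier issued by the CA
    eab_key: "EAB-HMAC-KEY-PLACEHOLDER"                        # base64url HMAC key issued by the CA; keep it in a vault
  tasks:
    # Step 1: EAB belongs to the newAccount request only (RFC 8555 section 7.3.4),
    # so the binding happens here exactly once and is never repeated for orders.
    - name: Register (or confirm) the ACME account with external account binding
      community.crypto.acme_account:
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        account_key_src: "{{ account_key }}"
        state: present
        terms_agreed: true
        contact:
          - mailto:pki-team@example.com
        external_account_binding:
          kid: "{{ eab_kid }}"
          alg: HS256
          key: "{{ eab_key }}"

    # Step 2: start the order. With "no challenge" there is no challenge data to
    # act on between the two calls. modify_account is false so the certificate
    # module never tries to (re)create the account, which it could not do
    # without the EAB credentials anyway.
    - name: Create the order
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        account_key_src: "{{ account_key }}"
        modify_account: false
        csr: "{{ csr_path }}"
        dest: "{{ cert_path }}"
        challenge: no challenge
      register: acme_order

    # Step 3: same parameters plus the data from step 2. Instead of validating a
    # challenge, the module waits for every authorization to become valid and
    # then finalizes the order and downloads the certificate.
    - name: Finalize the order and retrieve the certificate
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        account_key_src: "{{ account_key }}"
        modify_account: false
        csr: "{{ csr_path }}"
        dest: "{{ cert_path }}"
        challenge: no challenge
        data: "{{ acme_order }}"
```

Two points worth keeping in mind when adapting this: the EAB HMAC key authorizes account creation on the CA, so treat it like any other credential (vault it, do not log it), and keeping the account registration in acme_account with `modify_account: false` on the certificate tasks makes the EAB step auditable as a single, separate change rather than something that silently happens during issuance.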