RFE: support other ACME-based CAs
Yenya opened this issue · 3 comments
Hello,
I tried to use CAs that support the ACME protocol (other than Let's Encrypt itself), but none of them worked. It might be worth looking at.
I used the list of API endpoints from https://github.com/acmesh-official/acme.sh/wiki/Server using the following command:
```sh
FQDN=my.server.name
SERVER=... # API endpoint, see below
LE_DIR=/etc/pki/le
/usr/local/bin/le.pl --email yenya@my.dom.ain --key $LE_DIR/account.key \
    --csr $LE_DIR/$FQDN.csr \
    --crt $LE_DIR/$FQDN.crt \
    --path /var/www/html/.well-known/acme-challenge \
    --directory $SERVER \
    --unlink \
    --renew 300 --live
```
EDIT: never mind the following, I have just discovered the `--directory` option: One problem is that le.pl adds a `/directory` suffix after the `--server` parameter, but not all CAs have this. Maybe the meaning of this argument should be changed to get the directory listing directly from the given URL? If backwards compatibility is a problem, a new argument should be added (say, `--endpoint`).
- buypass: https://api.buypass.com/acme/directory (the --email switch is required)
  ```
  2022/08/30 08:34:16 Current contact details: yenya@my.dom.ain
  2022/08/30 08:34:18 Failed to receive the challenge. Expected JWS header is missing: jwk
  ```
- zerossl: https://acme.zerossl.com/v2/DV90/directory
  ```
  2022/08/30 08:36:31 Registering the account key
  2022/08/30 08:36:41 The request must include a value for the "externalAccountBinding" field
  ```
- google: https://dv.acme-v02.api.pki.goog/directory
  ```
  2022/08/30 08:37:53 Registering the account key
  2022/08/30 08:37:53 External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information.
  ```
Thanks,
-Yenya
Basic EAB support was actually added a while ago, but was never fully completed and pushed. This should now be available on the 'beta' branch, and should be released soon. This has been tested with Let's Encrypt, ZeroSSL and Buypass. I haven't tested that with Google or SSL.com, but those should also be directly supported now. Some examples:
- Use ZeroSSL, providing the `server` parameter explicitly (to be deprecated), and providing eab-kid and eab-hmac-key:
  ```sh
  le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --server https://acme.zerossl.com/v2/DV90 --eab-kid ... --eab-hmac-key ... --key my.key
  ```
- Use ZeroSSL, providing the `directory` parameter explicitly, and providing eab-kid and eab-hmac-key:
  ```sh
  le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --directory https://acme.zerossl.com/v2/DV90/directory --eab-kid ... --eab-hmac-key ... --key my.key
  ```
- Use ZeroSSL, providing the `ca` parameter, and providing eab-kid and eab-hmac-key:
  ```sh
  le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --ca zerossl.com --eab-kid ... --eab-hmac-key ... --key my.key --live
  ```
  (notice the `--live` parameter in this case; that is because there is no staging environment, so running the command without `--live` would produce an error "CA does not support staging environment, please specify 'live' explicitly.")
- Use Buypass.com (staging environment):
  ```sh
  le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --ca buypass.com --key my.key --email "admin@domain.tld"
  ```
  (notice that the email parameter is mandatory for this CA, and without it you would get an error "Email is a required contact")
- Use Buypass.com (production environment):
  ```sh
  le.pl --csr domain.csr --csr-key domain.key --domains "some.domain.tld" --crt domain.crt --generate-missing --ca buypass.com --key my.key --email "admin@domain.tld" --live
  ```
  (notice that the email parameter is mandatory for this CA, and without it you would get an error "Email is a required contact")
The CAs which are directly supported by name are currently these: buypass.com, google.com, letsencrypt.org, ssl.com, zerossl.com.
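As an added illustration of what the `--eab-kid` and `--eab-hmac-key` values above are used for (this is example code, not le.pl's own implementation): building and checking the `externalAccountBinding` JWS from RFC 8555 section 7.3.4, which is what ZeroSSL and Google demanded in the errors quoted in the issue. The newAccount URL, key identifier, MAC key and account JWK below are constructed sample values, not real CA credentials.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that CAs strip from the MAC key."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_part(part: str) -> dict:
    """Decode one base64url JSON segment of a JWS back into a dict."""
    return json.loads(b64url_decode(part))

# Constructed sample values (not real credentials): a CA such as ZeroSSL or Google
# hands out the kid/MAC-key pair; the account JWK is the client's own ACME key.
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-acct"  # hypothetical endpoint
EAB_KID = "example-kid-0001"
EAB_HMAC_KEY = b64url(b"constructed-mac-key-not-real-32b")
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coord", "y": "constructed-y-coord"}

def build_eab(new_account_url: str, kid: str, hmac_key: str, account_jwk: dict) -> dict:
    """Build the externalAccountBinding JWS (RFC 8555 section 7.3.4).

    protected: alg HS256, kid = CA-issued key id, url = newAccount URL, and no nonce.
    payload:   the ACME account public key as a JWK (same key as the outer JWS "jwk").
    signature: HMAC-SHA256 keyed with the CA-issued MAC key over "protected.payload".
    """
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(b64url_decode(hmac_key), f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab(eab: dict, hmac_key: str, account_jwk: dict) -> bool:
    """The CA-side check: the MAC must verify and the bound key must be the account key."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return decode_part(eab["payload"]) == account_jwk

def new_account_request(contact_email: str) -> dict:
    """The newAccount payload the client sends, with the EAB object embedded."""
    eab = build_eab(NEW_ACCOUNT_URL, EAB_KID, EAB_HMAC_KEY, ACCOUNT_JWK)
    return {"termsOfServiceAgreed": True, "contact": [f"mailto:{contact_email}"], "externalAccountBinding": eab}
```

Without a valid binding the CA refuses the account, which is exactly the "externalAccountBinding" error ZeroSSL and Google returned above.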
Pushed v0.39 with the EAB support and direct support of known ACME-compatible CAs by name.