nabsul/kcert

Does this work as an ACME client only for Let's Encrypt, or are/will other CAs be supported?

Closed this issue · 6 comments

Was wondering if I can configure to use KCert for ZeroSSL using External Account Binding. Would be amazing if it can be!

KCert doesn't support external account binding right now, but I read quickly through the docs and it doesn't look too hard to do.

No promises on when, but I'll try.

I haven't written much .NET code except for almost a decade ago in college, but if you can point to where you think this can be plugged in, I might try giving it a shot.

Unfortunately, the reason why I was looking to use EAB was to be able to use ZeroSSL, but it's seeing some major outage at the moment and failing to register accounts and issue certificates using ACME, and Let's Encrypt doesn't have EAB support, so it would be difficult to test the feature out even after writing it up.

But I'd think it'd be a good addition to the KCert feature set, so it's worth spending some time on it.

If you're interested in the learning experience, I'll wait for you to take a first try at implementing this. I'd be happy to answer questions and review pull requests. If I'm understanding this correctly, it should just be an edit to the NewAccount request:

The payload is just an anonymous object defined here:

var payloadObject = new { contact, termsOfServiceAgreed = termsAccepted };

You should be able to insert a conditional there that either creates the current body object, or one that includes the EAB stuff.

To turn EAB on/off I think you just need to add two environment variables in the Acme section for the EAB key and kid. You would then set those through environment variables like ACME__EABKEY (with two underscores).

Probably the most time consuming part of this will be testing :-D

Just let me know if you're not interested in making the change yourself (which is totally fine!). It shouldn't take me too long to follow this plan.
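
How the EAB branch of that conditional could look under RFC 8555 section 7.3.4, as an added C# example that is not part of the thread and not KCert's code. The helper names, the P-256 account key, the placeholder URL and the sample kid/key are assumptions.

```csharp
// Added example: helper names are hypothetical, not KCert's code (.NET 6+).
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed sample inputs; a deployment would read kid and key from config
// (the thread suggests environment variables such as ACME__EABKEY).
const string newAccountUrl = "https://acme.example.test/new-account"; // placeholder
string? eabKid = "constructed-kid-123";
string? eabHmacKey = B64Url(RandomNumberGenerator.GetBytes(32)); // assumed base64url

// Assumed account key: ECDSA P-256. The same public JWK must also be the "jwk"
// header of the outer newAccount JWS that the account key signs.
using var accountKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var q = accountKey.ExportParameters(false).Q;
var accountJwk = new { crv = "P-256", kty = "EC", x = B64Url(q.X!), y = B64Url(q.Y!) };

Console.WriteLine(JsonSerializer.Serialize(BuildNewAccountPayload(
    new[] { "mailto:admin@example.test" }, true, accountJwk, newAccountUrl, eabKid, eabHmacKey)));

static string B64Url(byte[] b) =>
    Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

static byte[] B64UrlDecode(string s)
{
    s = s.Replace('-', '+').Replace('_', '/');
    return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}

// RFC 8555 7.3.4: flattened JWS whose payload is the account public JWK, MACed
// with the CA-issued key. "url" equals the outer request URL; no nonce is set.
static object BuildEab(string kid, string hmacKey, string url, object jwk)
{
    var head = B64Url(JsonSerializer.SerializeToUtf8Bytes(new { alg = "HS256", kid, url }));
    var body = B64Url(JsonSerializer.SerializeToUtf8Bytes(jwk));
    using var hmac = new HMACSHA256(B64UrlDecode(hmacKey));
    var sig = hmac.ComputeHash(Encoding.ASCII.GetBytes($"{head}.{body}"));
    return new { @protected = head, payload = body, signature = B64Url(sig) };
}

// The conditional: plain payload when EAB is not configured, EAB payload otherwise.
static object BuildNewAccountPayload(string[] contact, bool termsAccepted, object jwk,
    string url, string? eabKid, string? eabHmacKey)
{
    if (string.IsNullOrEmpty(eabKid) || string.IsNullOrEmpty(eabHmacKey))
        return new { contact, termsOfServiceAgreed = termsAccepted };
    return new { contact, termsOfServiceAgreed = termsAccepted,
        externalAccountBinding = BuildEab(eabKid, eabHmacKey, url, jwk) };
}
```

The EAB HMAC key is a credential for the CA account, so it belongs in a Kubernetes Secret rather than a plain environment value in the manifest.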

It's a Saturday evening, so I'll be more than happy to dabble some right away. Aside from the learning experience, I think it's a genuinely good addition to KCert. I'll try and raise a PR ASAP so you can review in your own time (as of now I have reverted back to using cert-manager for my project).
I am not sure how to test this right now; maybe when the ZeroSSL outage is fixed it can possibly be sorted (though some workarounds I found looking around in the cert-manager issue section seem to suggest that longer timeouts mitigate it to some extent).

nabsul commented

This is being implemented in #100