Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Status of EAB support? #790

Open
pbhenson opened this issue Jan 17, 2023 · 4 comments
Open

Status of EAB support? #790

pbhenson opened this issue Jan 17, 2023 · 4 comments

Comments

@pbhenson
Copy link
Contributor

I’d like to use getssl with the Incommon (Sectigo) certificate service. This requires EAB support. I found a merged pull request that seems to include the framework for EAB:

#704

But I don’t see in mentioned anywhere in the documentation or examples. Is it possible at this point to configure against a CA using EAB?

If not, would it be possible to use a different client to do the initial EAB handshake, and then transfer the resultant authorized key to getssl? I think the EAB process just occurs once at initial client auth and from then on it’s just typical acme? Other than not needing an auth for every issue, but that should be easily worked around with a no-op dns plug-in.

Thanks…
@pbhenson
Copy link
Contributor Author

Well, to answer my own question; I used certbot to process the EAB and then transferred the resultant key to getssl and it's now happily managing certificates via Incommon. The only annoying part was converting the key from jwk format as created by certbot into pem format as required by getssl. There seems to be a dearth of convenient tools for that. I ended up finding a python script named lokey that did it but required python 2.7.

I configured the validation section like:

VALIDATE_VIA_DNS="true"
DNS_ADD_COMMAND=/usr/bin/true
DNS_DEL_COMMAND=/usr/bin/true

although I think only the first one was necessary, it never even tries to run the other two.

@alanthird
Copy link

With the news that Google are planning on only accepting certificates with 90 days validity, I might need this functionality for Digicert's ACME service sooner rather than later.

@alanthird
Copy link

alanthird commented Sep 14, 2023
edited
Loading

I've made some changes at alanthird@2563943, but I can't get it working with Digicert. I think the problem is to do with Digicert's order and validity stuff, not with my changes, so it might be of use to someone else.

(It logs in and appears to validate the domains, but won't actually give me a certificate, saying the order is "pending".)

The configuration would look something like:

VALIDATE_VIA_EAB="true"
EAB_KID="your EAB KID"
EAB_HMAC="your EAB HMAC"

@Coachonko
Copy link

I am also waiting for EAB support. Will be following this issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pbhenson @alanthird @Coachonko