acme.sh now defaults to zerossl #33

Closed
tykeal opened this issue Jun 29, 2021 · 6 comments

tykeal commented Jun 29, 2021

New versions of acme.sh now default to zerossl, which fails, especially if you've been using LetsEncrypt for a while.

It would be good to add configuration to the module to allow selecting of the different CAs. Right now the only option is 'production' or 'staging' and that assumes an LE CA. However, acme.sh now has support for several different servers other than just LE.

See: https://github.com/acmesh-official/acme.sh/wiki/Server

I had to go force my default ca on my account configs to get around this after doing an upgrade!

fraenki self-assigned this Jul 2, 2021

Contributor

oxc commented Jul 6, 2021

@tykeal, could you describe the steps you took to force the default CA?

Author

tykeal commented Jul 6, 2021

@oxc, I ended up having to do the following on my puppet controller:

```
sudo -i
cd /opt/acme.sh
./acme.sh --set-default-ca --server letsencrypt --home /etc/acme.sh
```

I also needed to do

```
./acme.sh --set-default-ca --server letsencrypt --home /etc/acme.sh --accountconf /etc/acme.sh/accounts/<registered_email>/account_production.conf
./acme.sh --set-default-ca --server letsencrypt --home /etc/acme.sh --accountconf /etc/acme.sh/accounts/<registered_email>/account_staging.conf
```

The first one just fixes it for any new registered accounts. It didn't fix it for the already registered accounts.

I'll note I discovered this because of some upgrades I was doing and it caused my acme.sh install to get fully updated to latest. It then tried to use zerossl even though, according to the documentation, it's supposed to use whatever registrar your certs are with, but it kept failing because I have not actively registered a zerossl account, which seems to be required.
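A read-only audit for the situation described in the comment above, where setting the default CA for the home directory did not cover the already registered accounts. This is an added example, not part of the original thread or of the Puppet module. It assumes that `--set-default-ca` records its choice as a `DEFAULT_ACME_SERVER=` line and that the conf files sit at `account.conf` and `accounts/*/account_*.conf` under `--home`; the function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of acme.sh confs for an explicit default CA.
# Assumption: --set-default-ca writes a line DEFAULT_ACME_SERVER='<directory URL>'.

# Print the configured CA directory URL of one conf file (empty if absent).
conf_default_ca() {
    sed -n 's/^DEFAULT_ACME_SERVER=//p' "$1" | tail -n 1 | tr -d "'\""
}

# Classify one conf: pinned (URL host is the expected domain or a subdomain),
# other (a different CA is set), unset (no entry in this file).
classify_conf() {
    ca=$(conf_default_ca "$1")
    host=${ca#*://}      # drop the scheme
    host=${host%%/*}     # drop the path, leaving only the host
    case "$host" in
        "") echo unset ;;
        "$2" | *."$2") echo pinned ;;
        *) echo other ;;
    esac
}

# Walk an acme.sh home (assumed layout) and report every account conf.
# Returns non-zero if any file is not pinned to the expected CA domain.
audit_home() {
    rc=0
    for f in "$1"/account.conf "$1"/accounts/*/account_*.conf; do
        [ -f "$f" ] || continue
        status=$(classify_conf "$f" "$2")
        printf '%s\t%s\n' "$status" "$f"
        [ "$status" = pinned ] || rc=1
    done
    return "$rc"
}

# Constructed sample layout (not real data): one pinned, one ZeroSSL, one unset.
make_sample_home() {
    d=$(mktemp -d) && mkdir -p "$d/accounts/admin@example.test"
    echo "DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'" > "$d/account.conf"
    echo "DEFAULT_ACME_SERVER='https://acme.zerossl.com/v2/DV90'" > "$d/accounts/admin@example.test/account_production.conf"
    echo "ACCOUNT_EMAIL='admin@example.test'" > "$d/accounts/admin@example.test/account_staging.conf"
    echo "$d"
}

# Usage: sh audit.sh /etc/acme.sh [expected-ca-domain]
[ "$#" -eq 0 ] || audit_home "$1" "${2:-letsencrypt.org}"
```

The host comparison is done on the parsed host name rather than a substring, so a lookalike such as `letsencrypt.org.example.test` is reported as `other`.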

Member

fraenki commented Jul 8, 2021

I'll add new parameters to specify the CA and it will of course default to Let's Encrypt.

Author

tykeal commented Jul 8, 2021

I'll note that according to the help in acme.sh it's possible to pass the server as a CLI parameter, so maybe that would be the best way forward for all the calls that are generated by the module? Alternatively, if the default CA does get set then when doing CLI troubleshooting it would be easier ;)

Member

fraenki commented Jul 8, 2021

Thanks for the hint. That's how I've implemented it. Give me some time to test it before issuing a new release.

Member

fraenki commented Jul 8, 2021

Version 3.0.0 has just been released; it should fix this issue. In order to properly address this I had to introduce some backwards-incompatible changes, but I think this aligns with the recent changes in acme.sh and is acceptable in this regard.

Please let me know if you find any issues in the new release, I'm prepared to issue a hotfix.

fraenki closed this as completed Jul 8, 2021