Enable EAB for ACME CA Handler #166
Comments
Slightly off topic but does self-hosted smallstep not already have EAB? https://smallstep.com/blog/acme-eab-overview/
No, they paywalled it. Edit: They had a comment in issue 897 in smallstep/certificates (didn't paste link so that GitHub won't reference & link)
I pushed an updated handler into the devel branch. Test-workflows are not updated yet but feel free to give it a try. I also included some configuration instructions hoping they would be helpful to you.
Hi again, unfortunately the profiling feature did not work as expected due to some variable names. Fix is included in 78e1e0a. Please use the updated handler and try again.
Thanks for the ultra fast turnaround! I tested the latest Here smallstep (upstream CA) is on port 8443 and acme2certifier is on 9443 and 80, acme.sh with port 443 and using tls-alpn challenge log:
There is a "400 - error message" coming from Smallstep. But this does not necessarily mean that we are behaving correctly. Does this problem also occur without eab-profiling feature enabled?
Just to keep you updated: I am able to replicate the issue in my setup. Here is a quick summary of what happens. It seems you do not have the Hard to say who is behaving wrong here. Good news is that I have a workaround in mind. Further error handling for such situations needs to be improved. So stay tuned…
Hi, I pushed an updated handler into the devel branch. Feel free to give it a try but:
acme_keyfile: acme_srv/acme/smallstep.json
acme_url: https://192.168.14.131:9000/acme/acme
acme_account_email: admin@foobar.local
account_path: /
ssl_verify: False
Thanks so much for the fix! I will try it out as soon as I get time, life was kind of getting in the way of my tinkering. I will post my results here once I get them!
Feature made it into v0.35. Thus, closing this issue. In case you have comments feel free to reopen...
Is it possible to add EAB profiling to the ACME CA handler?
Personally I am using a self hosted Smallstep CA in my LAN and I wish to use this project in front of it to add EAB support. Apart from my use case, this should also be handy to be able to use different CAs based on the EAB profile. For example, `key_01` to Let's Encrypt with only domain1.com allowed and `key_02` to ZeroSSL for the rest.

Thanks for the amazing project!
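The routing asked for in this request, sketched as an added example; it is not acme2certifier's code or its configuration format. `Profile`, `PROFILES` and `select_upstream` are hypothetical names, the two directory URLs are the public Let's Encrypt and ZeroSSL endpoints, and "the rest" is modelled as an unrestricted profile.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    upstream: str        # ACME directory URL of the upstream CA
    allowed: tuple = ()  # permitted DNS suffixes; empty means unrestricted

# Hypothetical profile table mirroring the request (key IDs taken from the issue text).
PROFILES = {
    "key_01": Profile("https://acme-v02.api.letsencrypt.org/directory", ("domain1.com",)),
    "key_02": Profile("https://acme.zerossl.com/v2/DV90"),
}

def normalize(name):
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.strip().lower().rstrip(".")

def name_allowed(name, suffixes):
    """Match on a label boundary: 'evildomain1.com' must not pass for 'domain1.com'."""
    if not suffixes:
        return True
    host = name[2:] if name.startswith("*.") else name  # wildcard is judged by its base zone
    return any(host == s or host.endswith("." + s) for s in suffixes)

def select_upstream(eab_kid, identifiers):
    """Return the upstream directory URL for this order, or raise (fail closed)."""
    profile = PROFILES.get(eab_kid)
    if profile is None:
        raise PermissionError(f"unknown EAB key id: {eab_kid!r}")
    names = [normalize(n) for n in identifiers]
    if not names:
        raise ValueError("order carries no identifiers")
    # Every identifier in the order must pass; one stray SAN rejects the whole order.
    denied = [n for n in names if not name_allowed(n, profile.allowed)]
    if denied:
        raise PermissionError(f"{eab_kid} may not request: {', '.join(denied)}")
    return profile.upstream

if __name__ == "__main__":
    print(select_upstream("key_01", ["www.Domain1.com.", "*.domain1.com"]))
    print(select_upstream("key_02", ["host.example.org"]))
```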