Trying to use ZeroSSL #536
Comments
Hi @marcovanbeek, thanks for reaching out. This guide on external account binding will probably help. But I'll try to explain here as well. Essentially, ACME orders are tied to a specific ACME account and the account is tied to a specific ACME server. So when you're switching providers from Let's Encrypt to ZeroSSL, you first have to create a new account, which is where you specify the EAB credentials. Once you have that account set up, you create a new certificate/order with that account active. So effectively, the order of operations is:

```powershell
Set-PAServer ZEROSSL_PROD
New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact 'me@example.com' -AcceptTOS
New-PACertificate example.com <etc>
```

Certificates on a domain/zone apex shouldn't require DNS validation unless you're trying to also get a wildcard cert for that apex. For non-wildcards, the HTTP challenge will work as long as the webserver(s) the apex points to can host the HTTP validation file.
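The three steps above, written out as a script that also checks the two things that go wrong most often when switching providers (the wrong server is still active, or the account on that server is not valid). This is an added example, not code from the issue or from the Posh-ACME project. It assumes the EAB credentials are supplied in the environment variables `ZEROSSL_EAB_KID` and `ZEROSSL_EAB_HMAC`, and the DNS plugin name and arguments (`$pluginName`, `$pluginArgs`) are placeholders for whatever plugin already works against your PowerDNS zone; the `Manual` plugin is used only so the script runs without plugin-specific settings.

```powershell
# Added example (not from the issue or from Posh-ACME itself): move from
# Let's Encrypt to ZeroSSL, bind the new account with EAB, then order.
# Assumptions: $env:ZEROSSL_EAB_KID / $env:ZEROSSL_EAB_HMAC hold the EAB
# credentials from the ZeroSSL dashboard; $pluginName / $pluginArgs are
# placeholders for the DNS plugin you already use for PowerDNS.
#Requires -Modules Posh-ACME
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$eabKID  = $env:ZEROSSL_EAB_KID
$eabHMAC = $env:ZEROSSL_EAB_HMAC
if (-not $eabKID -or -not $eabHMAC) {
    throw 'Set ZEROSSL_EAB_KID and ZEROSSL_EAB_HMAC before running this script.'
}

# 1. Make ZeroSSL the active server. Accounts belong to a server, so the
#    Let's Encrypt account used earlier is no longer in play after this.
Set-PAServer ZEROSSL_PROD
$server = Get-PAServer
if ($server.location -notmatch 'zerossl') {
    throw "Active server is $($server.location), expected the ZeroSSL directory."
}

# 2. Create an account on this server, passing the EAB credentials here.
#    EAB is account-level; New-PACertificate has no EAB parameters.
#    Reuse the active account if one already exists on this server.
$acct = Get-PAAccount
if (-not $acct) {
    $acct = New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC `
                -Contact 'me@example.com' -AcceptTOS
}
if ($acct.status -ne 'valid') {
    throw "Account $($acct.id) is '$($acct.status)', not 'valid'."
}

# 3. Order the certificate. With no account-related parameters given, it
#    uses the active account on the active server, i.e. the one just set up.
#    DNS validation is used because the cert covers the zone apex and the
#    web server behind that apex is not under our control.
$pluginName = 'Manual'   # assumption: replace with your PowerDNS plugin name
$pluginArgs = @{}        # assumption: plugin-specific arguments go here
$cert = New-PACertificate 'example.com' -Plugin $pluginName -PluginArgs $pluginArgs

# 4. Sanity-check what came back before handing the PFX to the Hybrid wizard.
$cert | Format-List Subject, NotAfter, CertFile, PfxFullChain
```

If the server check throws, the earlier `Set-PAServer LE_PROD` (or another directory) is still active and the order would have gone to that provider with its own account; re-run after `Set-PAServer ZEROSSL_PROD`. If the account check throws, the EAB credentials were rejected or the account was deactivated, and a new `New-PAAccount` with fresh credentials from the ZeroSSL dashboard is needed.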
Hi, yes, I tried all that, and I still get the error. I am going to wipe the existing data and try again, but from what you are saying, the New-PACertificate script will always use the active PAAccount, so I'm not missing a step or an argument? I'll let you know / post errors after I restart the process from scratch. BTW, for a 365 Hybrid connector you need a domain root certificate, and you are never doing this from a server that maps back to the apex of the domain, as the Windows server is on-premises. You are basically linking an Active Directory system and Exchange server(s) with the AD in Azure and Exchange Online. Yes, we could upload the HTTP validation file to the web server, but that is usually controlled by a third party who use WordPress and redirect all URLs back to the CMS.
Okay, so I deleted all my existing config and just did those three steps, and that worked. I compared the old and new config and the only major difference was the LE_PROD directory from my earlier tests, so I will have a play around to see if I can break it and let you know.
It will use the active account on the active server unless either of the following is true.
So basically, it will always use the active account if none of those 3 parameters are specified.
Gotcha. Just wanted to make sure you weren't operating under false assumptions. DNS validation definitely sounds like the easier path forward. I actually prefer it, personally.
Hi. I am trying to use ZeroSSL for a certificate because Microsoft do not seem to accept Let's Encrypt for Hybrid 365 connectors, and also, as they need to be root certificates, I have to use DNS validation. We have our own PowerDNS servers, and that part of it all works fine. I can create and renew a Let's Encrypt certificate just fine. The problem is I cannot see how you pass the external account details to the New-PACertificate command. I have entered the details using New-PAAccount, and switched to ZeroSSL using Set-PAServer, but I must be missing a step. There is nothing in the documentation that I can find that does anything different to what I have tried.

I can't see how the External Account Binding process links through to a particular certificate, so either it is supposed to use the current external account, and it isn't working, or I somehow need to state that I need to use a particular account, and that bit is missing from the docs (or I am being very stupid, and missing something very obvious to everyone else :-))