
Trying to use ZeroSSL #536

Closed
marcovanbeek opened this issue Feb 20, 2024 · 4 comments
Labels: question (Further information is requested)
Comments

@marcovanbeek

Hi. I am trying to use ZeroSSL for a certificate because Microsoft do not seem to accept Let's Encrypt for Hybrid 365 connectors, and also, as they need to be root certificates, I have to use DNS validation. We have our own PowerDNS servers, and that part of it all works fine. I can create and renew a Let's Encrypt certificate just fine. The problem is I cannot see how you pass the external account details to the New-PACertificate command. I have entered the details using New-PAAccount, and switched to ZeroSSL using Set-PAServer, but I must be missing a step. There is nothing in the documentation that I can find that does anything different to what I have tried.

I can't see how the External Account Binding process links through to a particular certificate, so either it is supposed to use the current external account, and it isn't working, or I somehow need to state that I need to use a particular account, and that bit is missing from the docs (or I am being very stupid, and missing something very obvious to everyone else :-))

@rmbolger rmbolger self-assigned this Feb 20, 2024
@rmbolger rmbolger added the question Further information is requested label Feb 20, 2024
@rmbolger (Owner)

Hi @marcovanbeek, thanks for reaching out. This guide on external account binding will probably help. But I'll try to explain here as well.
https://poshac.me/docs/v4/Guides/External-Account-Binding/

Essentially, ACME orders are tied to a specific ACME account and the account is tied to a specific ACME server. So when you're switching providers from Let's Encrypt to ZeroSSL, you first have to create a new account which is where you specify the EAB credentials. Once you have that account setup, you create a new certificate/order with that account active. So effectively, the order of operations is:

```powershell
# 1. Make ZeroSSL the active ACME server (accounts are scoped to this server)
Set-PAServer ZEROSSL_PROD
# 2. Create the account on that server, supplying the EAB credentials it requires
New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact 'me@example.com' -AcceptTOS
# 3. Order the certificate while that account is the active one
New-PACertificate example.com <etc>
```

> as they need to be root certificates, I have to use DNS validation

Certificates on a domain/zone apex shouldn't require DNS validation unless you're trying to also get a wildcard cert for that apex. For non-wildcards, the HTTP challenge will work as long as the webserver(s) the apex points to can host the HTTP validation file.

@marcovanbeek (Author)

Hi,

Yes, I tried all that, and I still get the error. I am going to wipe the existing data and try again, but from what you are saying, the New-PACertificate script will always use the active PAAccount, so I'm not missing a step or an argument?

I'll let you know / post errors after I restart the process from scratch.

BTW for 365 Hybrid connector you need a domain root certificate and you are never doing this from a server that maps back to the apex of the domain, as the Windows server is on-premises. You are basically linking an Active Directory system and Exchange server(s) with the AD in Azure and Exchange Online. Yes, we could upload the HTTP validation file to the web server, but that is usually controlled by a third party who use WordPress and redirect all URLs back to the CMS.

@marcovanbeek (Author)

Okay, so I deleted all my existing config and just did those three steps, and that worked. I compared the old and new config and the only major difference was the LE_PROD directory from my earlier tests, so I will have a play around to see if I can break it and let you know.

@rmbolger (Owner) commented Feb 21, 2024

> but from what you are saying, the New-PACertificate script will always use the active PAAccount, so I'm not missing a step or an argument?

It will use the active account on the active server unless either of the following is true.

  • The -DirectoryUrl param is specified and doesn't match the active server
  • The -AccountKeyLength or -Contact params are specified and don't match the current account
    • In this case, it will try to find an account that matches and use that. But if none match, it will attempt to create a new one (which in retrospect won't work for providers that require EAB and end up throwing an error).

So basically, it will always use the active account if none of those 3 parameters are specified.

> Yes, we could upload the HTTP validation file to the web server, but that is usually controlled by a third party who use WordPress and redirect all URLs back to the CMS.

Gotcha. Just wanted to make sure you weren't operating under false assumptions. DNS validation definitely sounds like the easier path forward. I actually prefer it, personally.
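
The following script is an added example, not code from the Posh-ACME project or from anyone in this thread. It puts the two points above together: the three-step order of operations (server, EAB-bound account, order) from the first reply, and the account-selection rule from this one. It reuses an existing valid account on the ZeroSSL server if one is present and only creates a new EAB-bound account when none exists, then calls New-PACertificate without -DirectoryUrl, -Contact or -AccountKeyLength so the active server and account are used. Assumptions: Posh-ACME is installed, the EAB credentials are supplied through the environment variables ZEROSSL_EAB_KID and ZEROSSL_EAB_HMAC (names chosen here), the `location`, `id` and `status` properties on the Get-PAServer/Get-PAAccount objects, and the Manual DNS plugin as a stand-in for whatever DNS plugin you actually use.

```powershell
# Added example: idempotent ZeroSSL account setup with EAB, followed by an order that
# deliberately relies on the active server and account (not Posh-ACME's own code).
#Requires -Modules Posh-ACME

param(
    [Parameter(Mandatory)] [string[]] $Domain,
    [string] $Contact = 'me@example.com',   # constructed placeholder contact
    [string] $Server  = 'ZEROSSL_PROD'      # Posh-ACME's short name for ZeroSSL production
)

# EAB credentials are read from environment variables (assumed names) set by the operator
# or injected from a secret store; the HMAC key is never echoed to the console or a log.
$eabKID  = $env:ZEROSSL_EAB_KID
$eabHMAC = $env:ZEROSSL_EAB_HMAC
if (-not $eabKID -or -not $eabHMAC) {
    throw 'ZEROSSL_EAB_KID and ZEROSSL_EAB_HMAC must both be set'
}

# Step 1: make ZeroSSL the active server. Accounts are scoped to the active server, so a
# Let's Encrypt account from earlier tests is never a candidate here.
Set-PAServer $Server

# Step 2: reuse a valid account on this server if one exists; otherwise create one with the
# EAB binding. Creating an account without EAB fails on providers that require it, which is
# the failure mode the maintainer describes for the implicit account-creation path.
$acct = Get-PAAccount -List | Where-Object { $_.status -eq 'valid' } | Select-Object -First 1
if ($null -eq $acct) {
    $acct = New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact $Contact -AcceptTOS
} else {
    Set-PAAccount -ID $acct.id
}
# 'location' is assumed to be the directory URL property of the server object.
Write-Host "Active account $($acct.id) on $((Get-PAServer).location)"

# Step 3: order the certificate. -DirectoryUrl, -Contact and -AccountKeyLength are
# intentionally omitted so New-PACertificate uses the active server and account rather
# than searching for (or trying to create) a different one. Replace the Manual plugin
# with your DNS provider's plugin and its arguments.
New-PACertificate -Domain $Domain -Plugin Manual -Verbose
```

Running this twice in a row is safe: the second run finds the valid account created by the first and simply makes it active again, which is the same state the reporter reached by wiping the config and repeating the three steps by hand.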

@rmbolger rmbolger closed this as completed Mar 8, 2024