caddy
caddy copied to clipboard
caddyserver
Implement ZeroSSL API
Right now, the ZeroSSL issuer only uses the ZeroSSL API to generate EAB for a user's email address. Then it proceeds to use ACME.
This is useful for most people with free accounts, but those with paid accounts won't be able to reap the benefits of their higher limits, etc (because ZeroSSL's software stack is more flexible when using the API). Paid users need to use the API to be able to access all the features they're paying for.
Should be pretty simple to implement: https://zerossl.com/documentation/api/
It will need to be opt-in, as simply providing an API key can be done by free account users as well, and if we use the API for them we'd quickly break their deployments if they're not prepared to pay for the API. So maybe a bool option to toggle on the use of the API.
Anyone can take this up, or I will get around to it soon (working through a backlog to start the year!)
I am currently working on this and have a question. Are we looking to implement all the api endpoints provided by zerossl or just the equivalent ones to what we currently have with ACME?
Hi, thanks @armadi1809 for working on this. I think this just became more urgent, as ZeroSSL deployed a update to their ACME endpoints with way stricter rate limits last week:
We are working on a premium ACME endpoint without these limitations, but to maintain service quality we had to introduce a temporary limit for the time being. This will be lifted as we implement other improvements on our side.
Also, regarding lifting the levels for paying customers, they said:
At the moment - we cannot adjust it on an individual level. We are deploying a couple of changes in the next few weeks to combat spam and abuse which should allow us to raise it.
@mholt I'm using certmagic, without caddy. Do you think the ZeroSSL API could also be implemented in certmagic / does it make sense? Or would the solution be me copying the ZeroSSL Issuer to my codebase?
I'll circle back to this this week if not today; and I'll see if this can go in certmagic.
@mholt thanks! Would sth like this work out for certmagic? This is the zerosslissuer from the linked PR, with the caddy-stuff removed:
https://gist.github.com/aplr/1e251650f1c452f12ab98460e5ccadc1
Initial implementation here: https://github.com/caddyserver/zerossl
Has some bugs, but currently in contact with ZeroSSL to get those worked out.
@mholt thanks! I've also jumped into the rabbit hole today. I've found it's a massive endeavour to make this work with on-demand issue & renew, and adding DNS & HTTP solvers. It's essentially re-implementing your whole mholt/acmez package, but with the ZeroSSL API, as well as the adapters in certmagic, am I right with that?
@aplr Hmm, that doesn't sound quite right. Any Issuer can be used for On-Demand TLS; but the DNS & HTTP "solvers" are concepts related to ACME, which the ZeroSSL API is an alternative to.
I imagine the integration into CertMagic will be fairly straightforward, maybe could benefit from some refactoring; but then the integration into Caddy should be even easier.
Ok, I see. I guess it blew up as I wrote it outside of certmagic, and I had to copy lots of private structs & functions, which is of course not the case when integrating it into certmagic. But yes, I agree, with the right abstraction lots of code might be reusable, as it's the same concepts.
Is there any update or timeline for integrating the zerossl REST Api to Caddy?
I have it working but both myself and my contact at ZeroSSL have been traveling so I'm hoping to finish it up soon. There's one remaining question I am working through.
Could you bring up IPv6 subject names with your contact at zerossl? I've not been able to get past their frontline support agents.
