
Status of EAB support?

Open pbhenson opened this issue 2 years ago • 4 comments

I’d like to use getssl with the Incommon (Sectigo) certificate service. This requires EAB support. I found a merged pull request that seems to include the framework for EAB:

https://github.com/srvrco/getssl/pull/704

But I don't see it mentioned anywhere in the documentation or examples. Is it possible at this point to configure against a CA using EAB?

If not, would it be possible to use a different client to do the initial EAB handshake, and then transfer the resultant authorized key to getssl? I think the EAB process just occurs once at initial client auth and from then on it's just typical ACME? Other than not needing an auth for every issue, but that should be easily worked around with a no-op DNS plug-in.

Thanks…

pbhenson avatar Jan 17 '23 06:01 pbhenson

Well, to answer my own question; I used certbot to process the EAB and then transferred the resultant key to getssl and it's now happily managing certificates via Incommon. The only annoying part was converting the key from JWK format as created by certbot into PEM format as required by getssl. There seems to be a dearth of convenient tools for that. I ended up finding a Python script named lokey that did it but required Python 2.7.

I configured the validation section like:

VALIDATE_VIA_DNS="true"
DNS_ADD_COMMAND=/usr/bin/true
DNS_DEL_COMMAND=/usr/bin/true

although I think only the first one was necessary, it never even tries to run the other two.

pbhenson avatar Jan 25 '23 04:01 pbhenson

With the news that Google are planning on only accepting certificates with 90 days validity, I might need this functionality for Digicert's ACME service sooner rather than later.

alanthird avatar Sep 08 '23 13:09 alanthird

I've made some changes at https://github.com/alanthird/getssl/commit/2563943bf963622285676d6a14168397d3d48831, but I can't get it working with Digicert. I think the problem is to do with Digicert's order and validity stuff, not with my changes, so it might be of use to someone else.

(It logs in and appears to validate the domains, but won't actually give me a certificate, saying the order is "pending".)

The configuration would look something like:

VALIDATE_VIA_EAB="true"
EAB_KID="your EAB KID"
EAB_HMAC="your EAB HMAC"

alanthird avatar Sep 14 '23 13:09 alanthird
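What a client does with the EAB_KID and EAB_HMAC values from a config like the one above, and how the CA checks them: an added Python example (standard library only, not getssl's or certbot's code) that builds the externalAccountBinding JWS defined in RFC 8555 section 7.3.4 and verifies it the way a CA would. The KID, MAC key, account JWK and newAccount URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    # Unpadded base64url, as ACME and JWS require.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(eab_kid: str, eab_hmac: str, account_jwk: dict, new_account_url: str) -> dict:
    # Client side: a JWS over the account's public JWK, MAC'd with the CA-issued key
    # (EAB_HMAC, base64url) and tagged with EAB_KID. RFC 8555 forbids a nonce here.
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac), signing_input, hashlib.sha256).digest()
    # This dict goes into the newAccount payload as "externalAccountBinding".
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def verify_eab(eab: dict, eab_hmac: str, expected_kid: str, new_account_url: str, account_jwk: dict) -> bool:
    # CA side: exact header match, constant-time MAC comparison, and the bound key must be
    # the same JWK that signs the outer newAccount request, or the binding proves nothing.
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return False
    if protected != {"alg": "HS256", "kid": expected_kid, "url": new_account_url}:
        return False
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature) and bound_jwk == account_jwk


# Constructed placeholders, not real credentials; a CA issues KID and MAC key out of band.
SAMPLE_KID = "constructed-eab-kid-0001"
SAMPLE_HMAC = b64url(b"constructed-32-byte-mac-key-demo")
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}
NEW_ACCOUNT_URL = "https://acme.example.invalid/acme/new-acct"

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC, SAMPLE_JWK, NEW_ACCOUNT_URL)
    print(json.dumps({"termsOfServiceAgreed": True, "externalAccountBinding": eab}, indent=2))
    print("verifies:", verify_eab(eab, SAMPLE_HMAC, SAMPLE_KID, NEW_ACCOUNT_URL, SAMPLE_JWK))
```

Because the MAC key is only ever used for this one newAccount request, rotating or revoking it afterwards does not affect an account that is already bound, which is why the certbot-then-getssl handoff described earlier in the thread works.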

I am also waiting for EAB support. Will be following this issue.

einar-hjortdal avatar Oct 25 '23 04:10 einar-hjortdal