xen-orchestra

xo-server fix: Update acme-client npm and introduce support for External Account Binding (EAB)

Open MrGrymReaper opened this issue 6 months ago • 0 comments

Are you using XOA or XO from the sources?

XOA

Which release channel?

latest

Provide your commit number

No response

Describe the bug

The integration of acme-client allows for support of Let's Encrypt and other providers. However, one of those other providers (ZeroSSL) has recently been requiring External Account Binding (EAB) of its users.

Without the support of EAB, it's unable to issue or renew certificates, and attempts to do so result in an error in a log as well as an incomplete certificate.

https://zerossl.com/documentation/acme/

Error message

Jul 29 15:33:59 xoa xo-server[3893]: 2024-07-29T19:33:59.287Z xo:mixins:sslCertificate WARN couldn't renew ssl certificate {
Jul 29 15:33:59 xoa xo-server[3893]:   acmeDomain: 'www.mydomain.com',
Jul 29 15:33:59 xoa xo-server[3893]:   error: Error: The request must include a value for the "externalAccountBinding" field

To reproduce

  1. Deploy the latest master or XOA on latest update of the "Latest Channel"
  2. Configure and enable the Let's Encrypt (acme-client). For configuring the provider select "zerossl/production".
  3. Attempt to obtain or renew a certificate
  4. Check the log journal of the XOA looking for the above error

Expected behavior

The expected behaviour of the integration when using ZeroSSL is for it to be able to request or renew a TLS Certificate without any errors about External Account Binding details.

Screenshots

No response

Node

20.16.0

Hypervisor

XCP-ng 8.2.1

Additional context

This issue will hit all users of Xen Orchestra, its integration of acme-client and the ZeroSSL Certificate Authority. The issue can be corrected by updating the acme-client npm to version 5.4.0 and introducing support in the configuration file and/or in the integration plugin for specifying the EAB credentials.

The issue is related to the following post on the forums: https://xcp-ng.org/forum/topic/9433/xoa-letsencrpyt-module-not-setting-acmedomain/13

MrGrymReaper, Jul 30 '24 15:07
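
What the "externalAccountBinding" field named in the error above contains, per RFC 8555 section 7.3.4, shown as an added example that is not part of the original issue and is not xo-server or acme-client code. The function names are hypothetical, the kid, HMAC key and new-account URL are constructed placeholders, and pinning the algorithm to HS256 is a simplification.

```javascript
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const mac = (hmacKey, input) =>
  crypto.createHmac('sha256', Buffer.from(hmacKey, 'base64url')).update(input).digest();

// Client side: bind the ACME account key to the CA-issued EAB credentials.
// The result is a flattened JWS: header {alg, kid, url}, payload = account JWK.
function buildEab({ kid, hmacKey, newAccountUrl, accountJwk }) {
  const protectedHeader = b64u(JSON.stringify({ alg: 'HS256', kid, url: newAccountUrl }));
  const payload = b64u(JSON.stringify(accountJwk));
  const signature = mac(hmacKey, `${protectedHeader}.${payload}`).toString('base64url');
  return { protected: protectedHeader, payload, signature };
}

// The newAccount payload; a CA that requires EAB rejects it without the last field.
function newAccountPayload(eab, contact) {
  return { termsOfServiceAgreed: true, contact, externalAccountBinding: eab };
}

// CA side: header constraints, MAC check, and inner key == outer request key.
function verifyEab(eab, { kid, hmacKey, newAccountUrl, outerJwk }) {
  const header = fromB64u(eab.protected);
  if (header.alg !== 'HS256' || header.kid !== kid) return false;
  if (header.url !== newAccountUrl || 'nonce' in header) return false;
  const expected = mac(hmacKey, `${eab.protected}.${eab.payload}`);
  const got = Buffer.from(eab.signature, 'base64url');
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) return false;
  const inner = fromB64u(eab.payload);
  return ['kty', 'crv', 'x', 'y'].every((f) => inner[f] === outerJwk[f]);
}

// Constructed sample values (not real credentials or a real CA endpoint).
function demo() {
  const creds = { kid: 'constructed-kid-123', hmacKey: b64u('constructed-hmac-secret'),
                  newAccountUrl: 'https://acme.example/new-account' };
  const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' })
    .publicKey.export({ format: 'jwk' });
  const accountJwk = newKey();
  const eab = buildEab({ ...creds, accountJwk });
  return { eab, body: newAccountPayload(eab, ['mailto:admin@example.com']),
           ok: verifyEab(eab, { ...creds, outerJwk: accountJwk }),
           wrongKey: verifyEab(eab, { ...creds, outerJwk: newKey() }) };
}
```

Because the MAC covers the account public key, a binding captured from one account cannot be replayed with a different key, which is why `wrongKey` comes back false.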