EAB authorization support #26

Closed
encedo opened this issue Apr 3, 2021 · 12 comments · Fixed by #40
Labels
enhancement New feature or request

Comments

encedo commented Apr 3, 2021

Hi Stefan

Have you been thinking about adding EAB authorization to the lib? ZeroSSL is a new kid on the block but requires EAB support. Buypass works out of the box (only the CA's URL needs to be added). Look at the acme.sh or ACMEphp projects for details on how it works.

ZeroSSL is a very interesting CA as there are almost no rate limits.

Chris

@skoerfgen (Owner)

Hi Chris,

Since ACMECert was initially designed for use with Let's Encrypt only, I did not consider adding EAB support before.
But allowing for other CAs is maybe not a bad idea.

I have managed to add EAB support. You can find it in the "eab"-branch.

You can use ZeroSSL by passing the link of the directory to the constructor:

$ac=new ACMECert('https://acme.zerossl.com/v2/DV90');

There is now a new function to register with EAB Credentials:

function registerEAB($termsOfServiceAgreed=false,$eab_kid,$eab_hmac,$contacts=array())

Let me know if it works for you and if you encounter any problems.

Thanks!

Stefan
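For readers wondering what registerEAB has to do with $eab_kid and $eab_hmac, the following is an added, self-contained illustration of the External Account Binding mechanism from RFC 8555 section 7.3.4; it is not ACMECert's code. The client builds an inner JWS whose protected header carries the CA-issued key identifier (kid), whose payload is the account's public JWK, and whose signature is an HMAC-SHA256 under the CA-issued key; that JWS is then placed in the "externalAccountBinding" field of the newAccount request. The newAccount URL, the kid, the HMAC key and the JWK coordinates below are all constructed sample values, and verify_eab shows what the CA checks on its side.

```python
# Added example (not ACMECert's code): External Account Binding per RFC 8555 s.7.3.4.
# ZeroSSL's $eab_kid / $eab_hmac correspond to eab_kid / eab_hmac_b64 below.
# Every sample value (URL, kid, HMAC key, JWK coordinates) is constructed.
import base64
import hashlib
import hmac
import json

NEW_ACCOUNT_URL = "https://acme.example.test/newAccount"          # assumed directory entry
EXAMPLE_KID = "constructed-eab-kid"                                # constructed
EXAMPLE_HMAC = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()  # constructed key
# Constructed P-256 public key as a JWK; a real client derives this from its account key.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding the CA portal strips."""
    text = text.strip()
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj) -> bytes:
    # Compact, sorted encoding so signer and verifier agree byte for byte.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def eab_header(eab: dict) -> dict:
    """Decode the protected header of an externalAccountBinding JWS."""
    return json.loads(b64url_decode(eab["protected"]))


def build_eab(account_jwk: dict, eab_kid: str, eab_hmac_b64: str, new_account_url: str) -> dict:
    """Inner JWS: header = {alg, kid, url}, payload = account public JWK, MAC = HMAC-SHA256."""
    protected = b64url(canonical_json({"alg": "HS256", "kid": eab_kid, "url": new_account_url}))
    payload = b64url(canonical_json(account_jwk))
    key = b64url_decode(eab_hmac_b64)  # the CA hands the key out base64url-encoded
    mac = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, eab_hmac_b64: str, expected_kid: str,
               new_account_url: str, outer_jwk: dict) -> bool:
    """CA-side checks: MAC under the key registered for the kid, the url names the
    newAccount resource, and the bound JWK equals the key of the outer newAccount JWS."""
    try:
        header = eab_header(eab)
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        given_mac = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid \
            or header.get("url") != new_account_url:
        return False
    key = b64url_decode(eab_hmac_b64)
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected_mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected_mac, given_mac) and bound_jwk == outer_jwk


def new_account_payload(account_jwk: dict, eab_kid: str, eab_hmac_b64: str,
                        new_account_url: str, contacts, tos_agreed: bool) -> dict:
    """The JSON body the client signs with its account key for the newAccount request."""
    return {
        "termsOfServiceAgreed": tos_agreed,
        "contact": list(contacts),
        "externalAccountBinding": build_eab(account_jwk, eab_kid, eab_hmac_b64, new_account_url),
    }


if __name__ == "__main__":
    body = new_account_payload(EXAMPLE_JWK, EXAMPLE_KID, EXAMPLE_HMAC, NEW_ACCOUNT_URL,
                               ["mailto:admin@example.test"], True)
    print(json.dumps(body, indent=2))
    print("verifies:", verify_eab(body["externalAccountBinding"], EXAMPLE_HMAC,
                                  EXAMPLE_KID, NEW_ACCOUNT_URL, EXAMPLE_JWK))
```

The HMAC key is a shared secret between the CA account holder and the CA, so it deserves the same handling as the account private key: a leaked kid/hmac pair lets anyone register ACME accounts under that ZeroSSL account and consume its quota.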

encedo commented Apr 6, 2021

Hi

That was fast! Did you just implement it, or was it around for a while? :) I will run a few tests today (against all three CAs) and get back to you.

Chris

@skoerfgen (Owner)

I just implemented it. It wasn't very difficult, looking at the other projects, especially this commit.

Thank you for testing! Looking forward to the results.

@skoerfgen skoerfgen pinned this issue Apr 6, 2021
@skoerfgen skoerfgen added the enhancement New feature or request label Apr 6, 2021
encedo commented Apr 6, 2021

Tested. Works like a charm!

Now you can merge this branch into master. As a result the lib now supports:

Superb! The big plus for ZeroSSL is support for ECC keys. For our project, having certificates with P-256 keys signed by a CA with an ECC key results in a small file size (the CA signature is ECDSA). Big win for our embedded system, where size matters ;)

Chris

@skoerfgen (Owner)

Wonderful!

I'll also test it thoroughly and update the README. When this is done I'm going to merge it into master.

skoerfgen commented Apr 12, 2021

During my testing, I ran into a few issues that have yet to be fixed before I feel comfortable merging the changes into master. For example, when a challenge fails, both Buypass and ZeroSSL do not immediately set the status of the authorization to "invalid". This leads ACMECert to run into a retry cycle until the maximum retries limit is reached. Another problem is that Buypass currently does not allow deactivating a valid authorization. I have contacted Buypass and they have identified the bug and plan to deploy the fix to production.

kezenwa commented Apr 26, 2021

> During my testing, I ran into a few issues that have yet to be fixed before I feel comfortable merging the changes into master. For example, when a challenge fails, both Buypass and ZeroSSL do not immediately set the status of the authorization to "invalid". This leads ACMECert to run into a retry cycle until the maximum retries limit is reached. Another problem is that Buypass currently does not allow deactivating a valid authorization. I have contacted Buypass and they have identified the bug and plan to deploy the fix to production.

One or both of these issues seem to have been fixed by Buypass, as stated in their response to your complaint in their forum.

Also, I am trying to figure out what $eab_kid and $eab_hmac represent in the code below:

public function registerEAB($termsOfServiceAgreed=false,$eab_kid,$eab_hmac,$contacts=array()) { }

Of course it would have been easier for me had there been comments in the class methods.

@skoerfgen (Owner)

Yes! Buypass fixed the problem! The other problem (where ACMECert runs into a retry cycle until the maximum retries limit is reached) I can solve by changing the code a little bit. So Buypass is then hopefully usable.

On the other hand, for ZeroSSL I found no way to detect a failed challenge (so the problem remains there). I have also contacted ZeroSSL, but have not yet got a response. Still waiting.

$eab_kid and $eab_hmac are two strings you get here: https://app.zerossl.com/developer (requires a ZeroSSL account)


If ZeroSSL gets usable I'll document the registerEAB function as well.

encedo commented Oct 1, 2021

Hi

Did you get an answer from ZeroSSL? Are they responding? I have two issues (one is similar to yours):

In both cases, the DV challenge has been done properly.

ZeroSSL is a partner of Sectigo, so both issues (504 and no reply code for a /order) might be related: a backend at Sectigo is failing. Just guessing :)

Chris

@skoerfgen (Owner)

Hi!

Unfortunately I did not get a response from ZeroSSL. However, from what I found out, ZeroSSL seems to retry failed challenges on its own (without the client requesting the verification). That's why the corresponding authorizations are not put immediately into the "invalid" state once failed, like Let's Encrypt does. Instead they are stuck in the "pending" state. So I guess the only way to handle this scenario is to somehow monitor the authorizations and then get the certificate when they are all in the "valid" state at a later point in time. Since this is not how ACMECert works (the orders/challenges/authorizations are not even stored anywhere) I see no possibility to fix this issue.

I also tried it with acme.sh, which is officially supported -> https://zerossl.com/features/acme/#clients

Same thing here:

[Thu 15 Apr 2021 09:20:02 PM CEST] Using CA: https://acme.zerossl.com/v2/DV90
[Thu 15 Apr 2021 09:20:02 PM CEST] Creating domain key
[Thu 15 Apr 2021 09:20:02 PM CEST] The domain key is here: /root/.acme.sh/example.com/example.com.key
[Thu 15 Apr 2021 09:20:02 PM CEST] Single domain='example.com'
[Thu 15 Apr 2021 09:20:02 PM CEST] Getting domain auth token for each domain
[Thu 15 Apr 2021 09:20:03 PM CEST] Getting webroot for domain='example.com'
[Thu 15 Apr 2021 09:20:03 PM CEST] Verifying: example.com
[Thu 15 Apr 2021 09:20:07 PM CEST] Processing
[Thu 15 Apr 2021 09:20:09 PM CEST] Processing
[Thu 15 Apr 2021 09:20:12 PM CEST] Processing
[Thu 15 Apr 2021 09:20:14 PM CEST] Processing
[Thu 15 Apr 2021 09:20:17 PM CEST] Processing
[Thu 15 Apr 2021 09:20:20 PM CEST] Processing
[Thu 15 Apr 2021 09:20:22 PM CEST] Processing
[Thu 15 Apr 2021 09:20:25 PM CEST] Processing
[Thu 15 Apr 2021 09:20:27 PM CEST] Processing
[Thu 15 Apr 2021 09:20:30 PM CEST] Processing
[Thu 15 Apr 2021 09:20:32 PM CEST] Processing
[Thu 15 Apr 2021 09:20:35 PM CEST] Processing
[Thu 15 Apr 2021 09:20:38 PM CEST] Processing
[Thu 15 Apr 2021 09:20:40 PM CEST] Processing
[Thu 15 Apr 2021 09:20:43 PM CEST] Processing
[Thu 15 Apr 2021 09:20:45 PM CEST] Processing
[Thu 15 Apr 2021 09:20:48 PM CEST] Processing
[Thu 15 Apr 2021 09:20:50 PM CEST] Processing
[Thu 15 Apr 2021 09:20:53 PM CEST] Processing
[Thu 15 Apr 2021 09:20:56 PM CEST] Processing
[Thu 15 Apr 2021 09:20:58 PM CEST] Processing
[Thu 15 Apr 2021 09:21:01 PM CEST] Processing
[Thu 15 Apr 2021 09:21:03 PM CEST] Processing
[Thu 15 Apr 2021 09:21:06 PM CEST] Processing
[Thu 15 Apr 2021 09:21:08 PM CEST] Processing
[Thu 15 Apr 2021 09:21:11 PM CEST] Processing
[Thu 15 Apr 2021 09:21:13 PM CEST] Processing
[Thu 15 Apr 2021 09:21:16 PM CEST] Processing
[Thu 15 Apr 2021 09:21:19 PM CEST] Processing
[Thu 15 Apr 2021 09:21:19 PM CEST] example.com:Timeout

I think I give up trying to support ZeroSSL in ACMECert for now :(

During my testing I also got a lot of 5xx response codes. Seems "normal" with ZeroSSL xD
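To make the behaviour described in this comment concrete, here is an added example of an authorization polling loop; it is not code from ACMECert or acme.sh. An ACME client has to keep re-reading the authorization object until it leaves "pending"; a CA that flips a failed challenge to "invalid" at once (the Let's Encrypt behaviour) gives the client a terminal state plus an error detail to report, whereas a CA that keeps the authorization in "pending" while retrying on its own (what ZeroSSL does here) forces the client to give up on a poll budget, exactly as acme.sh's "Processing ... Timeout" trace above shows. The fetch callables and the authorization objects below are constructed stand-ins for POST-as-GET responses; no network is involved.

```python
# Added example (not ACMECert's or acme.sh's code): polling an ACME authorization
# and distinguishing "failed now", "still pending after the budget" and "valid".
# All responses are constructed; scripted_fetch replaces the real HTTP round trip.
from typing import Callable, Iterable, Optional, Tuple

# Authorization states from RFC 8555 s.7.1.6; everything except "pending" is terminal.
TERMINAL = {"valid", "invalid", "revoked", "expired", "deactivated"}


def poll_authorization(fetch: Callable[[], dict], max_polls: int = 30, interval: float = 2.5,
                       sleep: Callable[[float], None] = lambda _seconds: None
                       ) -> Tuple[str, Optional[str]]:
    """Poll until the authorization leaves "pending" or the poll budget is spent.

    Returns (outcome, detail):
      ("valid", None)                   the CA accepted the challenge
      ("invalid", <error detail>)       a CA that fails fast, as Let's Encrypt does
      ("timeout", <message>)            the CA kept answering "pending" (the ZeroSSL case)
      ("unexpected", <message>)         a status outside the RFC 8555 state machine
    """
    for attempt in range(1, max_polls + 1):
        authz = fetch()
        status = authz.get("status")
        if status == "valid":
            return "valid", None
        if status in TERMINAL:
            # A failed challenge carries an RFC 7807 problem document in its "error" field.
            details = [c["error"].get("detail", c["error"].get("type", ""))
                       for c in authz.get("challenges", []) if "error" in c]
            return status, details[0] if details else None
        if status != "pending":
            return "unexpected", f"status {status!r}"
        if attempt < max_polls:
            sleep(interval)   # real clients honour Retry-After here; constant backoff for brevity
    return "timeout", f"still pending after {max_polls} polls"


def scripted_fetch(responses: Iterable[dict]) -> Callable[[], dict]:
    """Replay a sequence of authorization objects; the last one repeats forever,
    which models a CA that never leaves "pending"."""
    seq = list(responses)
    counter = {"calls": 0}

    def fetch() -> dict:
        idx = min(counter["calls"], len(seq) - 1)
        counter["calls"] += 1
        return seq[idx]
    return fetch


# Constructed authorization objects for the three scenarios.
PENDING = {"status": "pending", "challenges": [{"type": "dns-01", "status": "pending"}]}
VALID = {"status": "valid", "challenges": [{"type": "dns-01", "status": "valid"}]}
INVALID = {"status": "invalid", "challenges": [{
    "type": "dns-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:dns", "detail": "TXT record not found"}}]}


def fail_fast_ca() -> Tuple[str, Optional[str]]:
    """CA marks the authorization invalid as soon as the challenge fails."""
    return poll_authorization(scripted_fetch([PENDING, INVALID]), max_polls=5)


def retrying_ca() -> Tuple[str, Optional[str]]:
    """CA retries the challenge itself and never leaves "pending" on failure."""
    return poll_authorization(scripted_fetch([PENDING]), max_polls=5)


def successful_validation() -> Tuple[str, Optional[str]]:
    return poll_authorization(scripted_fetch([PENDING, PENDING, VALID]), max_polls=5)


if __name__ == "__main__":
    for name, fn in [("fail-fast", fail_fast_ca), ("retrying", retrying_ca), ("success", successful_validation)]:
        print(f"{name:9s} -> {fn()}")
```

The point for an implementer is that a bounded poll budget is the only client-side defence against the retrying behaviour: without it the loop above (or ACMECert's retry cycle) runs until the CA's own timeout, and even then the client cannot tell a failed DNS record from a slow backend.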

encedo commented Oct 1, 2021

I have emailed them a few minutes ago. Will try to reach them on LinkedIn as well.
I'm giving myself a few days :)

IMHO it is an issue between ZeroSSL and Sectigo. The cert that reached reply timeout got issued! It is visible in the official Dashboard. The 504 is another case - reverse proxy overloaded?

I'm using DNS-TXT validation where the DNS server is handled by a 3rd party, with no chance to monitor the fact that the bot has performed the query.

Will see how it develops.

encedo commented Oct 11, 2021

Hi Stefan,
I got a reply from the ZeroSSL Support Team :) Quote:

"
Hi Krzysztof,

Thank you for reaching out.
The current ACME issues are still under investigation and we currently don't have a fixed date when this will be resolved.

Best regards,
Ivana
ZeroSSL Customer Success
"

So it looks like it will take some time :) However, the EAB integration is correct and works most of the time :) I will do more tests with another player: https://www.ssl.com/how-to/order-free-90-day-ssl-tls-certificates-with-acme/
