Status of EAB support? #790
Comments
Well, to answer my own question; I used certbot to process the EAB and then transferred the resultant key to getssl and it's now happily managing certificates via Incommon. The only annoying part was converting the key from jwk format as created by certbot into pem format as required by getssl. There seems to be a dearth of convenient tools for that. I ended up finding a Python script named lokey that did it but required Python 2.7. I configured the validation section like: VALIDATE_VIA_DNS="true" although I think only the first one was necessary, it never even tries to run the other two.
With the news that Google are planning on only accepting certificates with 90 days validity, I might need this functionality for Digicert's ACME service sooner rather than later.
I've made some changes at alanthird@2563943, but I can't get it working with Digicert. I think the problem is to do with Digicert's order and validity stuff, not with my changes, so it might be of use to someone else. (It logs in and appears to validate the domains, but won't actually give me a certificate, saying the order is "pending".) The configuration would look something like: VALIDATE_VIA_EAB="true"
I am also waiting for EAB support. Will be following this issue.
I’d like to use getssl with the Incommon (Sectigo) certificate service. This requires EAB support. I found a merged pull request that seems to include the framework for EAB:
#704
But I don’t see it mentioned anywhere in the documentation or examples. Is it possible at this point to configure against a CA using EAB?
If not, would it be possible to use a different client to do the initial EAB handshake, and then transfer the resultant authorized key to getssl? I think the EAB process just occurs once at initial client auth and from then on it’s just typical ACME? Other than not needing an auth for every issue, but that should be easily worked around with a no-op DNS plug-in.
Thanks…