Project

General

Profile

Actions
Copy link

Bug #16862

open

ACME-EAB credentials not available during certificate issuance

Added by Lars Weber 3 days ago. Updated 3 days ago.

Status:
New
Priority:
Low
Assignee:
-
Category:
ACME
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.8.1
Affected Plus Version:
Affected Architecture:

Description

Issue 16623 added the option to use ACME-providers that require EAB credentials like Actalis. Registering the account succeeds, however, issuing a certificate fails with "external account binding required", even though the credentials are set in pfSense.

The reason for this seems to be, that during registration, acme.sh creates the file ca.conf in /tmp/acme/_registerkey/$ca. Issuance of the actual certificate however occurs in a different directory named after the certificate name. In this directory, ca.conf is missing and therefore acme.sh does not have access to these credentials. To fix this, pfSense would need to create the ca.conf-File in the actual certificate directory with the credentials. It already does this with the account key, and the ca.conf file needs to be put right next to it.

I have already fixed this on my end, and will create a pull request directly after submitting this ticket.

Actions
Copy link
 #1

Updated by Lars Weber 3 days ago

Lars Weber wrote:

Issue 16623 added the option to use ACME-providers that require EAB credentials like Actalis. Registering the account succeeds, however, issuing a certificate fails with "external account binding required", even though the credentials are set in pfSense.

The reason for this seems to be, that during registration, acme.sh creates the file ca.conf in /tmp/acme/_registerkey/$ca. Issuance of the actual certificate however occurs in a different directory named after the certificate name. In this directory, ca.conf is missing and therefore acme.sh does not have access to these credentials. To fix this, pfSense would need to create the ca.conf-File in the actual certificate directory with the credentials. It already does this with the account key, and the ca.conf file needs to be put right next to it.

I have already fixed this on my end, and will create a pull request directly after submitting this ticket.

The referencing GitHub pull request: https://github.com/pfsense/FreeBSD-ports/pull/1447

Actions
Copy link

Also available in: Atom PDF