Bug #16862
open
ACME-EAB credentials not available during certificate issuance
Added by Lars Weber 3 days ago.
Updated 3 days ago.
Description
Issue 16623 added the option to use ACME providers that require EAB credentials, like Actalis. Registering the account succeeds; however, issuing a certificate fails with "external account binding required", even though the credentials are set in pfSense.
The reason for this seems to be that during registration, acme.sh creates the file ca.conf in /tmp/acme/_registerkey/$ca. Issuance of the actual certificate, however, occurs in a different directory named after the certificate name. In this directory, ca.conf is missing and therefore acme.sh does not have access to these credentials. To fix this, pfSense would need to create the ca.conf file in the actual certificate directory with the credentials. It already does this with the account key, and the ca.conf file needs to be put right next to it.
I have already fixed this on my end, and will create a pull request directly after submitting this ticket.
The referencing GitHub pull request: https://github.com/pfsense/FreeBSD-ports/pull/1447
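The fix described in this ticket, sketched as an added shell example (not code from pfSense, acme.sh or the pull request): copy the ca.conf written at registration next to the account key used for issuance, and keep it private because it holds the EAB credentials. The directory names `example-ca` and `mycert`, the file name `accountkey.key`, the helper names and the credential values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not pfSense or acme.sh code. All paths live under a temp dir.

# sync_ca_conf REGISTER_CA_CONF ACCOUNT_KEY
# Copies the ca.conf written at registration next to the account key that
# issuance uses. The file holds the EAB key id and HMAC key, so keep it 0600.
sync_ca_conf() {
    src=$1
    key=$2
    dst="$(dirname "$key")/ca.conf"
    [ -r "$src" ] || { echo "no ca.conf from registration: $src" >&2; return 1; }
    [ -f "$key" ] || { echo "account key not found: $key" >&2; return 2; }
    # Create the copy with a restrictive umask, then pin the mode in case
    # an older, wider-permission ca.conf already existed at the destination.
    ( umask 077 && cp "$src" "$dst" ) || return 3
    chmod 600 "$dst"
}

# has_eab CA_CONF: succeeds only if both EAB settings are present.
has_eab() {
    grep -q '^CA_EAB_KEY_ID=' "$1" 2>/dev/null &&
        grep -q '^CA_EAB_HMAC_KEY=' "$1" 2>/dev/null
}

# Constructed layout: a registration dir and a per-certificate dir.
demo_layout() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/_registerkey/example-ca" "$root/mycert"
    printf "CA_EAB_KEY_ID='sample-kid'\nCA_EAB_HMAC_KEY='sample-hmac'\n" \
        > "$root/_registerkey/example-ca/ca.conf"
    : > "$root/mycert/accountkey.key"   # placeholder account key
    echo "$root"
}

root=$(demo_layout)
has_eab "$root/mycert/ca.conf" || echo "before: issuance dir has no EAB settings"
sync_ca_conf "$root/_registerkey/example-ca/ca.conf" "$root/mycert/accountkey.key"
has_eab "$root/mycert/ca.conf" && echo "after: EAB settings present"
rm -rf "$root"
```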