Feature #9833

open

ACME: add ability to use custom ACME server

Added by Filippo Tessarotto over 3 years ago. Updated 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: ACME
Target version: -
Start date: 10/18/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Hi, in September 2019 the Smallstep company released a feature in their step-ca tool that allows it to serve a private CA responding to the ACMEv2 protocol:

https://smallstep.com/blog/private-acme-server/

I would like to be able to specify in the ACME Server list my own custom server URL, i.e. https://my-ca.local:8443/acme/acme/directory.

Is this feasible?

Best regards, Filippo

Actions #1

Updated by Michael Long almost 3 years ago

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

Actions #2

Updated by Stanislav Dimov about 2 years ago

Michael Long wrote:

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

+1. Any progress on this?

Actions #3

Updated by Michael . about 2 years ago

Stanislav Dimov wrote:

+1. Any progress on this?

+1 on this as well. I have recently set up an ACME server locally and it would be great if I could easily use it with pfSense. This Reddit comment helped somewhat (https://www.reddit.com/r/PFSENSE/comments/fukt7b/acme_with_custom_private_server/fmdjqnk/) but I am having trouble now due to errors such as these:

[Sun Jan 3 11:02:01 EST 2021] Using CA: https://@@@/acme/acme/directory
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Only RSA or EC key is supported. keyfile=/tmp/acme/webConfigurator//ca/@@@/account.key
[Sun Jan 3 11:02:01 EST 2021] Please check log file for more details: /tmp/acme/webConfigurator/acme_issuecert.log

Essentially CURLE_PEER_FAILED_VERIFICATION errors, so I need to figure out how to add my Root/Intermediate CA certs to the system trust store.

EDIT: I could get around this error by manually adding my certs to the system stores: /usr/local/etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt
Now faced with a new issue where ACME fails to issue the cert due to "Only RSA or EC key is supported" errors.
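As an added example (not code from pfSense, acme.sh or this commenter), a small Python pre-flight script for the two failures in this comment: it fetches the private CA's ACME directory while trusting only the operator's own root certificate, instead of editing the system trust stores, and it classifies the account key by its PEM header, which is what the "Only RSA or EC key is supported" error turns on. The directory URL and the root CA path are assumed values.

```python
"""Pre-flight checks for pointing an ACME client at a private step-ca.
Constructed example; not pfSense, acme.sh or step-ca code."""
import json
import ssl
import urllib.request

# Endpoints an RFC 8555 directory object must advertise.
REQUIRED_DIRECTORY_KEYS = ("newNonce", "newAccount", "newOrder")


def fetch_directory(url, cafile):
    """Fetch the ACME directory, trusting only the private root CA in
    `cafile`. A verification failure here is the Python counterpart of
    curl error 60 (CURLE_PEER_FAILED_VERIFICATION) in the log above."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


def check_directory(directory):
    """Return the required ACME endpoints missing from a parsed directory
    object; an empty list means it looks like a usable ACMEv2 CA."""
    return [k for k in REQUIRED_DIRECTORY_KEYS if k not in directory]


def account_key_type(pem_text):
    """Classify an account key by its PEM header: 'RSA', 'EC' or None.
    Anything else (PKCS#8 'BEGIN PRIVATE KEY', an empty or never created
    file) is what a header-based check rejects as unsupported."""
    if "-----BEGIN RSA PRIVATE KEY-----" in pem_text:
        return "RSA"
    if "-----BEGIN EC PRIVATE KEY-----" in pem_text:
        return "EC"
    return None


if __name__ == "__main__":
    # Assumed values matching the placeholder URL used in this thread.
    url = "https://my-ca.local:8443/acme/acme/directory"
    cafile = "/usr/local/etc/step/root_ca.crt"  # assumed path
    try:
        missing = check_directory(fetch_directory(url, cafile))
        print("directory OK" if not missing else f"missing: {missing}")
    except ssl.SSLCertVerificationError as e:
        print(f"server cert not trusted via {cafile}: {e.reason}")
```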

Actions #4

Updated by Krisjanis Morkans over 1 year ago

+1 Would be nice to have this. Invalid certs are just not cool anymore with ACME available. Should be possible to select the interface where ACME starts the webserver.

Actions #5

Updated by Manny Tew about 1 year ago

+1 for this as well. This is critical for proper security in a homelab in 2021+. Invalid certs aren't cool and make everything, from management of certs to user xp, worse for all.

Actions #6

Updated by Manny Tew 11 months ago

Manny Tew wrote in #note-5:

+1 for this as well. This is critical for proper security in a homelab in 2021+. Invalid certs aren't cool and make everything, from management of certs to user xp, worse for all.

Just leaving a note, since I noticed recent update to ACME.

Actions #7

Updated by David Kemp 11 months ago

+1 for this as well.
Just started looking into sorting out the self-signed cert and thought there would be a better way to run an internal CA.
Would be great to be able to use step-ca with pfSense.

Actions #8

Updated by Connor McBrine-Ellis 10 months ago

+1 for this! Just set up step-ca and would love having this functionality too.

Actions #9

Updated by Carsten Kragelund 3 months ago

+1 for this.
Using hacky scripts to add my domain to config files is not a suitable solution.

Actions #10

Updated by Karl Ribich 3 months ago

+1, we have completed a rollout of step-ca to our enterprise and would really appreciate this feature as well.
This would also apply to EJBCA Enterprise customers as well as they have also introduced ACME support.
https://download.primekey.com/docs/EJBCA-Enterprise/7_2_0/ACME.html

Actions #11

Updated by Jeremy Schoonover 2 months ago

Another +1. Just got Step CA installed, and it's really great. Right now I'm just creating CSRs and creating certs that way for pfSense, but the ACME integration would be fantastic.
