Feature #9833
open
ACME: add ability to use custom ACME server
0%
Description
Hi, on September 2019 the Smallstep company released a feature on their step-ca tool that allows to serve private CA responding to ACMEv2 protocol:
https://smallstep.com/blog/private-acme-server/
I would like to be able to specify in the ACME Server list my own custom server URL, i.e. https://my-ca.local:8443/acme/acme/directory.
Is this feasible?
Best regards, Filippo
Updated by Michael Long over 1 year ago
I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.
Updated by Stanislav Dimov about 1 year ago
Michael Long wrote:
I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.
+1. Any progress on this?
Updated by Michael . about 1 year ago
Stanislav Dimov wrote:
+1. Any progress on this?
+1 on this as well. Have recently setup an ACME server locally and would be great if I could easily use it with pfSense. This Reddit comment helped somewhat (https://www.reddit.com/r/PFSENSE/comments/fukt7b/acme_with_custom_private_server/fmdjqnk/) but having trouble now due to errors such as these:
[Sun Jan 3 11:02:01 EST 2021] Using CA: https://@@@/acme/acme/directory@
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Only RSA or EC key is supported. keyfile=/tmp/acme/webConfigurator//ca/@@/account.key
[Sun Jan 3 11:02:01 EST 2021] Please check log file for more details: /tmp/acme/webConfigurator/acme_issuecert.log
Essentially CURLE_PEER_FAILED_VERIFICATION errors, so I need to figure out how to add my Root/Intermediate CA certs to the system trust store.
EDIT: I could get around this error by manually adding my certs to the system stores: /usr/local/etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt
Now faced with a new issue where ACME fails to issue the cert due to "Only RSA or EC key is supported" errors.
Updated by Krisjanis Morkans 4 months ago
+1 Would be nice to have this. Invalid certs are just not cool anymore with ACME available. Should be possible to select the interface where ACME starts the webserver.
Updated by Manny Tew about 2 months ago
+ 1 for this as well. This is critical for proper security in a homelab in 2021+ Invalid certs aren't cool and make everything, from management of certs to user xp, worse for all.