Feature #9833

open

ACME: add ability to use custom ACME server

Added by Filippo Tessarotto over 4 years ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
ACME
Target version:
-
Start date:
10/18/2019
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

Hi, in September 2019 the Smallstep company released a feature in their step-ca tool that allows it to serve a private CA speaking the ACMEv2 protocol:

https://smallstep.com/blog/private-acme-server/

I would like to be able to specify in the ACME Server list my own custom server URL, i.e. https://my-ca.local:8443/acme/acme/directory.

Is this feasible?

Best regards, Filippo

Actions #1

Updated by Michael Long almost 4 years ago

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

Actions #2

Updated by Stanislav Dimov over 3 years ago

Michael Long wrote:

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

+1. Any progress on this?

Actions #3

Updated by Michael . over 3 years ago

Stanislav Dimov wrote:

+1. Any progress on this?

+1 on this as well. Have recently set up an ACME server locally and it would be great if I could easily use it with pfSense. This Reddit comment helped somewhat (https://www.reddit.com/r/PFSENSE/comments/fukt7b/acme_with_custom_private_server/fmdjqnk/) but having trouble now due to errors such as these:

[Sun Jan 3 11:02:01 EST 2021] Using CA: https://@@@/acme/acme/directory
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Only RSA or EC key is supported. keyfile=/tmp/acme/webConfigurator//ca/@@@/account.key
[Sun Jan 3 11:02:01 EST 2021] Please check log file for more details: /tmp/acme/webConfigurator/acme_issuecert.log

Essentially CURLE_PEER_FAILED_VERIFICATION errors, so I need to figure out how to add my Root/Intermediate CA certs to the system trust store.

EDIT: I could get around this error by manually adding my certs to the system stores: /usr/local/etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt
Now faced with a new issue where ACME fails to issue the cert due to "Only RSA or EC key is supported" errors.
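
The two failures quoted in this comment (curl error 60 while fetching the directory, then the account key not being recognised) can be checked before touching the pfSense trust store. The following is an added example, not code from pfSense, acme.sh or step-ca: it fetches an ACME v2 directory over TLS pinned to a private CA bundle instead of editing the system store, validates the document against the RFC 8555 resource list, and classifies an account key by its PEM armor. The URL is the hypothetical one from the issue, the directory JSON is constructed to resemble a step-ca response, and the statement about which PEM armors acme.sh accepts is my understanding of its `_calcjwk` check, labelled as an assumption.

```python
"""Pre-flight checks before pointing an ACME client at a private ACME server.

Added example for this thread, not code from pfSense, acme.sh or step-ca.
The https://my-ca.local:8443/... URL is the hypothetical one from the issue;
SAMPLE_DIRECTORY is constructed, and the acme.sh behaviour described in
pem_key_type() is an assumption about that client, not verified here.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# RFC 8555 section 7.1.1: resources an ACME v2 directory must advertise.
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")


def validate_directory(text: str) -> dict:
    """Parse an ACME directory document and check that a client could use it.

    Returns the parsed directory; raises ValueError describing the problem.
    """
    try:
        directory = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"directory is not JSON: {exc}") from None
    if not isinstance(directory, dict):
        raise ValueError("directory must be a JSON object")
    missing = [k for k in REQUIRED_RESOURCES if k not in directory]
    if missing:
        raise ValueError(f"directory lacks required resources: {missing}")
    for name in REQUIRED_RESOURCES:
        url = urlparse(str(directory[name]))
        # ACME endpoints must be HTTPS; a plain-http private CA would leave
        # account and order operations without channel protection.
        if url.scheme != "https" or not url.netloc:
            raise ValueError(f"{name} is not an https URL: {directory[name]}")
    return directory


def directory_problem(text: str):
    """Return the validation error message, or None when the directory is usable."""
    try:
        validate_directory(text)
    except ValueError as exc:
        return str(exc)
    return None


def private_ca_context(cafile: str) -> ssl.SSLContext:
    """TLS context that trusts ONLY the private root/intermediate bundle at `cafile`.

    This is the alternative to appending the private root to the system
    store (/usr/local/etc/ssl/cert.pem in the comment above): the system
    keeps trusting public CAs, and only this client trusts the private one.
    Hostname verification stays enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def fetch_directory(url: str, cafile: str, timeout: float = 10.0) -> dict:
    """Fetch and validate the directory over TLS pinned to the private CA.

    A chain that does not lead to `cafile` raises ssl.SSLCertVerificationError,
    the Python counterpart of curl error 60 (CURLE_PEER_FAILED_VERIFICATION).
    Needs network access, so it is not exercised by the offline sample below.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    with urllib.request.urlopen(req, timeout=timeout, context=private_ca_context(cafile)) as resp:
        return validate_directory(resp.read().decode("utf-8"))


def pem_key_type(pem: str) -> str:
    """Classify an account key by its PEM armor: 'rsa', 'ec', 'pkcs8' or 'unknown'.

    Assumption: acme.sh reports "Only RSA or EC key is supported" when the
    key file carries neither of the first two armors, so an empty or
    truncated file (for example from a mangled keyfile path) ends up 'unknown'.
    """
    first = next((line.strip() for line in pem.splitlines() if line.strip()), "")
    if first == "-----BEGIN RSA PRIVATE KEY-----":
        return "rsa"
    if first == "-----BEGIN EC PRIVATE KEY-----":
        return "ec"
    if first == "-----BEGIN PRIVATE KEY-----":
        return "pkcs8"  # algorithm lives inside the DER; needs a real parser
    return "unknown"


# Constructed sample: a step-ca style directory for the URL from the issue.
SAMPLE_DIRECTORY = """{
  "newNonce":   "https://my-ca.local:8443/acme/acme/new-nonce",
  "newAccount": "https://my-ca.local:8443/acme/acme/new-account",
  "newOrder":   "https://my-ca.local:8443/acme/acme/new-order",
  "revokeCert": "https://my-ca.local:8443/acme/acme/revoke-cert",
  "keyChange":  "https://my-ca.local:8443/acme/acme/key-change"
}"""

if __name__ == "__main__":
    print("sample directory:", directory_problem(SAMPLE_DIRECTORY) or "OK")
    print("empty account key ->", pem_key_type(""))
```

Against a live private CA, `fetch_directory("https://my-ca.local:8443/acme/acme/directory", "/path/to/private-root.pem")` either returns the validated directory or raises the verification error, which tells you whether the trust problem or the key problem is the one to chase next.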

Actions #4

Updated by Krisjanis Morkans over 2 years ago

+1 Would be nice to have this. Invalid certs are just not cool anymore with ACME available. Should be possible to select the interface where ACME starts the webserver.

Actions #5

Updated by Manny Tew over 2 years ago

+1 for this as well. This is critical for proper security in a homelab in 2021+. Invalid certs aren't cool and make everything, from management of certs to user xp, worse for all.

Actions #6

Updated by Manny Tew about 2 years ago

Manny Tew wrote in #note-5:

+1 for this as well. This is critical for proper security in a homelab in 2021+. Invalid certs aren't cool and make everything, from management of certs to user xp, worse for all.

Just leaving a note, since I noticed a recent update to ACME.

Actions #7

Updated by David Kemp about 2 years ago

+1 for this as well.
Just started looking into sorting out the self-signed cert and thought there would be a better way to run an internal CA.
Would be great to be able to use step-ca with pfSense.

Actions #8

Updated by Connor McBrine-Ellis about 2 years ago

+1 for this! Just set up step-ca and would love having this functionality too.

Actions #9

Updated by Carsten Kragelund over 1 year ago

+1 for this.
Using hacky scripts to add my domain to config files is not a suitable solution.

Actions #10

Updated by Karl Ribich over 1 year ago

+1, we have completed a rollout of step-ca to our enterprise and would really appreciate this feature as well.
This would also apply to EJBCA Enterprise customers, as they have also introduced ACME support.
https://download.primekey.com/docs/EJBCA-Enterprise/7_2_0/ACME.html

Actions #11

Updated by Jeremy Schoonover over 1 year ago

Another +1. Just got Step CA installed, and it's really great. Right now I'm just creating CSRs and creating certs that way for pfSense, but the ACME integration would be fantastic.

Actions #12

Updated by Jeremy Reichman 11 months ago

+1 here as well. I also have set up Step CA as an internal CA with ACME. I want to be able to set up a custom ACME server config for ACME on pfSense, so that it could use the internal Step CA service.

Actions #13

Updated by Jamison Maxwell 10 months ago

+1 as well. Also a shout out to Step CA. There are more and more options for ACME endpoints hosted privately, this would be a tremendous feature.

Actions #14

Updated by Ben Tyger 7 months ago

+1 for me too. I'd like to set it up with FreeIPA 4.9 as it starts to support the ACME protocol for certificates.

Actions #15

Updated by Kevin Lewis 7 months ago

+1 as well. Many of the other servers running on-premises use the Step CA that is hosted internally. Allowing pfSense to also use the internal CA would help us out a lot.

Actions #16

Updated by Stephen Nelson 4 months ago

+1 also.

Actions #17

Updated by Max Budnick 4 months ago

+1 also

There is a FreeBSD port of step-ca:

https://www.freshports.org/security/step-certificates/
