Feature #9833

open

ACME: add ability to use custom ACME server

Added by Filippo Tessarotto over 2 years ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: ACME
Target version: -
Start date: 10/18/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Hi, in September 2019 the Smallstep company released a feature in their step-ca tool that allows it to serve a private CA responding to the ACMEv2 protocol:

https://smallstep.com/blog/private-acme-server/

I would like to be able to specify my own custom server URL in the ACME Server list, e.g. https://my-ca.local:8443/acme/acme/directory.

Is this feasible?

Best regards, Filippo

Actions #1

Updated by Michael Long over 1 year ago

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

Actions #2

Updated by Stanislav Dimov about 1 year ago

Michael Long wrote:

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

+1. Any progress on this?

Actions #3

Updated by Michael . about 1 year ago

Stanislav Dimov wrote:

+1. Any progress on this?

+1 on this as well. I have recently set up an ACME server locally and it would be great if I could easily use it with pfSense. This Reddit comment helped somewhat (https://www.reddit.com/r/PFSENSE/comments/fukt7b/acme_with_custom_private_server/fmdjqnk/) but I am having trouble now due to errors such as these:

[Sun Jan 3 11:02:01 EST 2021] Using CA: https://@@@/acme/acme/directory
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Only RSA or EC key is supported. keyfile=/tmp/acme/webConfigurator//ca/@@@/account.key
[Sun Jan 3 11:02:01 EST 2021] Please check log file for more details: /tmp/acme/webConfigurator/acme_issuecert.log

Essentially CURLE_PEER_FAILED_VERIFICATION errors, so I need to figure out how to add my Root/Intermediate CA certs to the system trust store.

EDIT: I could get around this error by manually adding my certs to the system stores: /usr/local/etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt
Now faced with a new issue where ACME fails to issue the cert due to "Only RSA or EC key is supported" errors.
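
The checks a custom-server option in the ACME package would need, covering the directory URL asked for in the description and the two failures in the comment above, as an added example in Python. This is not code from the pfSense package, acme.sh or step-ca; the directory document and key file contents below are constructed for offline use, and the step-ca resource paths are assumed from the URL in the issue.

```python
"""Checks for a user-supplied ACME directory URL, its directory document and
the local account key.  Added example for this issue; not code from the
pfSense ACME package, acme.sh or step-ca.  The directory URL is the one from
the issue; the directory JSON and key material are constructed for offline use.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# RFC 8555 section 7.1.1: resources every ACMEv2 directory must list.
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")


def check_directory_url(url):
    """Return a list of problems with a custom directory URL (empty = accept)."""
    problems = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append(f"scheme must be https, got {p.scheme or 'none'!r}")
    if not p.hostname:
        problems.append("URL has no host")
    if p.username or p.password:
        problems.append("URL must not embed credentials")
    if p.query or p.fragment:
        problems.append("URL must not carry a query string or fragment")
    return problems


def check_directory_document(directory_url, document):
    """Return (errors, warnings) for a decoded ACME directory document."""
    errors, warnings = [], []
    for name in REQUIRED_RESOURCES:
        if name not in document:
            errors.append(f"missing required resource {name!r}")
    origin = urlparse(directory_url)
    for name, value in document.items():
        if name == "meta":
            continue  # the only non-URL member RFC 8555 defines
        if not isinstance(value, str):
            errors.append(f"{name!r} is not a URL string")
            continue
        r = urlparse(value)
        if r.scheme != "https":
            errors.append(f"{name!r} is not an https URL: {value}")
        elif (r.hostname, r.port) != (origin.hostname, origin.port):
            # step-ca serves every resource from the directory's own origin;
            # RFC 8555 does not require that, so this is only a warning.
            warnings.append(f"{name!r} points at another origin: {value}")
    return errors, warnings


def fetch_directory(url, ca_bundle=None):
    """GET the directory, trusting only ca_bundle when one is given.

    Raises ssl.SSLCertVerificationError when the server chain does not
    validate against the bundle, which is the condition behind curl's
    error 60 (CURLE_PEER_FAILED_VERIFICATION) in the log above.
    Needs a live server, so it is not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def classify_key_file(pem_text):
    """Classify an account key by its PEM header.

    acme.sh refuses to sign with a key it cannot recognise as RSA or EC,
    which is the 'Only RSA or EC key is supported' error above; an empty
    key file fails both of its checks.
    """
    text = pem_text.strip()
    if not text:
        return "empty"
    if text.startswith("-----BEGIN RSA PRIVATE KEY-----"):
        return "rsa"
    if text.startswith("-----BEGIN EC PRIVATE KEY-----"):
        return "ec"
    if text.startswith("-----BEGIN PRIVATE KEY-----"):
        return "pkcs8"  # key type is not visible in a PKCS#8 header
    return "unknown"


# Constructed sample input: the shape of the directory a step-ca instance at
# the URL from the issue would return (assumed paths, not a real capture).
STEP_CA_URL = "https://my-ca.local:8443/acme/acme/directory"
SAMPLE_DIRECTORY = {
    "newNonce": "https://my-ca.local:8443/acme/acme/new-nonce",
    "newAccount": "https://my-ca.local:8443/acme/acme/new-account",
    "newOrder": "https://my-ca.local:8443/acme/acme/new-order",
    "revokeCert": "https://my-ca.local:8443/acme/acme/revoke-cert",
    "keyChange": "https://my-ca.local:8443/acme/acme/key-change",
    "meta": {"termsOfService": "https://my-ca.local:8443/acme/acme/terms"},
}

if __name__ == "__main__":
    print(check_directory_url(STEP_CA_URL))
    print(check_directory_document(STEP_CA_URL, SAMPLE_DIRECTORY))
    print(classify_key_file(""))
```

Running `fetch_directory(STEP_CA_URL, ca_bundle="/path/to/root_ca.crt")` against a real step-ca instance reproduces the curl error 60 situation without touching the system trust store: pass the step-ca root bundle explicitly instead of appending it to /usr/local/etc/ssl/cert.pem, and an empty or missing account key shows up as `"empty"` before acme.sh gets as far as signing.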

Actions #4

Updated by Krisjanis Morkans 4 months ago

+1 Would be nice to have this. Invalid certs are just not cool anymore with ACME available. Should be possible to select the interface where ACME starts the webserver.

Actions #5

Updated by Manny Tew about 2 months ago

+1 for this as well. This is critical for proper security in a homelab in 2021+. Invalid certs aren't cool and make everything, from management of certs to user experience, worse for all.
