Feature #9833
ACME: add ability to use custom ACME server
Description
Hi, in September 2019 the Smallstep company released a feature in their step-ca tool that allows serving a private CA responding to the ACMEv2 protocol:
https://smallstep.com/blog/private-acme-server/
I would like to be able to specify in the ACME Server list my own custom server URL, i.e. https://my-ca.local:8443/acme/acme/directory.
Is this feasible?
Best regards, Filippo
History
#1
Updated by Michael Long 9 months ago
I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.
#2
Updated by Stanislav Dimov 2 months ago
Michael Long wrote:
I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.
+1. Any progress on this?
#3
Updated by Michael . 21 days ago
Stanislav Dimov wrote:
+1. Any progress on this?
+1 on this as well. I have recently set up an ACME server locally and it would be great if I could easily use it with pfSense. This Reddit comment helped somewhat (https://www.reddit.com/r/PFSENSE/comments/fukt7b/acme_with_custom_private_server/fmdjqnk/) but I'm having trouble now due to errors such as these:
[Sun Jan 3 11:02:01 EST 2021] Using CA: https://@@@/acme/acme/directory@
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Only RSA or EC key is supported. keyfile=/tmp/acme/webConfigurator//ca/@@/account.key
[Sun Jan 3 11:02:01 EST 2021] Please check log file for more details: /tmp/acme/webConfigurator/acme_issuecert.log
Essentially CURLE_PEER_FAILED_VERIFICATION errors, so I need to figure out how to add my Root/Intermediate CA certs to the system trust store.
EDIT: I could get around this error by manually adding my certs to the system stores: /usr/local/etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt
Now faced with a new issue where ACME fails to issue the cert due to "Only RSA or EC key is supported" errors.
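A preflight a defender can run before pointing an ACME client at a private directory, as an added example (not pfSense, acme.sh or step-ca code): it triages the two errors quoted above, checks the directory URL and the JSON it serves against the resources RFC 8555 requires, and classifies the account key by its PEM header. The host my-ca.local, the port and the key path are placeholders.

```python
"""Preflight for a private ACMEv2 directory (added example; not pfSense,
acme.sh or step-ca code). Covers the two failures seen in the log above."""
import json
import re
from urllib.parse import urlparse

# RFC 8555 section 7.1.1: resources every ACMEv2 directory must advertise.
REQUIRED_KEYS = {"newNonce", "newAccount", "newOrder", "revokeCert", "keyChange"}
# libcurl error code 60 is CURLE_PEER_FAILED_VERIFICATION: server chain not trusted.
CURL_ERR = re.compile(r"libcurl-errors\.html for error code: (\d+)")
KEY_ERR = re.compile(r"Only RSA or EC key is supported\. keyfile=(\S+)")
PEM_KIND = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "EC", "PRIVATE KEY": "PKCS8"}

# Constructed sample: the log lines quoted above with a placeholder host.
SAMPLE_LOG = [
    "[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60",
    "[Sun Jan 3 11:02:01 EST 2021] Can not init api.",
    "[Sun Jan 3 11:02:01 EST 2021] Only RSA or EC key is supported. keyfile=/tmp/acme/webConfigurator//ca/my-ca.local/account.key",
]

def triage_log(lines):
    """Reduce acme.sh log lines to distinct, sorted remediation findings."""
    findings = set()
    for line in lines:
        m = CURL_ERR.search(line)
        if m and m.group(1) == "60":
            findings.add("trust: add the private root CA to the client trust store")
        m = KEY_ERR.search(line)
        if m:
            findings.add(f"key: {m.group(1)} is missing or not an RSA/EC PEM")
    return sorted(findings)

def check_directory(url, body):
    """Validate the directory URL and the directory JSON (fetched by the caller)."""
    problems = []
    u = urlparse(url)
    if u.scheme != "https" or not u.hostname:
        problems.append("directory URL must be https with a hostname")
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return problems + ["directory body is not a JSON object"]
    missing = REQUIRED_KEYS - set(doc)
    if missing:
        problems.append("directory lacks: " + ", ".join(sorted(missing)))
    return problems

def key_kind(pem):
    """Classify a PEM account key by header; PKCS8 hides the algorithm (use openssl)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem or "")
    return PEM_KIND.get(m.group(1)) if m else None
```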