Feature #9833
openACME: add ability to use custom ACME server
0%
Description
Hi, on September 2019 the Smallstep company released a feature on their step-ca tool that allows to serve private CA responding to ACMEv2 protocol:
https://smallstep.com/blog/private-acme-server/
I would like to be able to specify in the ACME Server list my own custom server URL, i.e. https://my-ca.local:8443/acme/acme/directory
.
Is this feasible?
Best regards, Filippo
Updated by Michael Long over 4 years ago
I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.
Updated by Stanislav Dimov about 4 years ago
Michael Long wrote:
I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.
+1. Any progress on this?
Updated by Michael . almost 4 years ago
Stanislav Dimov wrote:
+1. Any progress on this?
+1 on this as well. Have recently setup an ACME server locally and would be great if I could easily use it with pfSense. This Reddit comment helped somewhat (https://www.reddit.com/r/PFSENSE/comments/fukt7b/acme_with_custom_private_server/fmdjqnk/) but having trouble now due to errors such as these:
[Sun Jan 3 11:02:01 EST 2021] Using CA: https://@
@@/acme/acme/directory
@
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Only RSA or EC key is supported. keyfile=/tmp/acme/webConfigurator//ca/@
@/account.key
[Sun Jan 3 11:02:01 EST 2021] Please check log file for more details: /tmp/acme/webConfigurator/acme_issuecert.log
Essentially CURLE_PEER_FAILED_VERIFICATION errors, so I need to figure out how to add my Root/Intermediate CA certs to the system trust store.
EDIT: I could get around this error by manually adding my certs to the system stores: /usr/local/etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt
Now faced with a new issue where ACME fails to issue the cert due to "Only RSA or EC key is supported" errors.
Updated by Krisjanis Morkans over 3 years ago
+1 Would be nice to have this. Invalid certs are just not cool anymore with ACME available. Should be possible to select the interface where ACME starts the webserver.
Updated by Manny Tew about 3 years ago
+ 1 for this as well. This is critical for proper security in a homelab in 2021+ Invalid certs aren't cool and make everything, from management of certs to user xp, worse for all.
Updated by Manny Tew almost 3 years ago
Manny Tew wrote in #note-5:
+ 1 for this as well. This is critical for proper security in a homelab in 2021+ Invalid certs aren't cool and make everything, from management of certs to user xp, worse for all.
Just leaving a note, since I noticed recent update to ACME.
Updated by David Kemp almost 3 years ago
+1 for this as well.
Just started looking into sorting out the self-signed cert and thought there would be a better way to run an internal CA.
Would be great to be able to use step-ca with pfSense.
Updated by Connor McBrine-Ellis over 2 years ago
+1 for this! Just set up step-ca and would love having this functionality too.
Updated by Carsten Kragelund about 2 years ago
+1 for this.
Using hacky scripts to add my domain to config files is not a suitable solution
Updated by Karl Ribich about 2 years ago
+1, we have completed a rollout of step-ca to our enterprise and would really appreciate this feature as well.
This would also apply to EJBCA Enterprise customers as well as they have also introduced ACME support.
https://download.primekey.com/docs/EJBCA-Enterprise/7_2_0/ACME.html
Updated by Jeremy Schoonover about 2 years ago
Another +1. Just got Step CA installed, and it's really great. Right now I'm just creating CSR's and creating certs that way for PFSense, but the ACME integration would be fantastic.
Updated by Jeremy Reichman over 1 year ago
+1 here as well. I also have set up Step CA as an internal CA with ACME. I want to be able to set up a custom ACME server config for ACME on Pfsense, so that it could use the internal Step CA service.
Updated by Jamison Maxwell over 1 year ago
+1 as well. Also a shout out to Step CA. There are more and more options for ACME endpoints hosted privately, this would be a tremendous feature.
Updated by Ben Tyger over 1 year ago
+1 for me too. I'd like to set it up with FreeIPA 4.9 as it starts to support the ACME protocol for certificates.
Updated by Kevin Lewis about 1 year ago
+1 as well. Many of the other servers running on-premises use the Step CA that is hosted internally. Allowing pfsense to also use the internal ca would help us out a lot.