Feature #9833

open

ACME: add ability to use custom ACME server

Added by Filippo Tessarotto almost 2 years ago. Updated 7 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
ACME
Target version:
-
Start date:
10/18/2019
Due date:
% Done:

0%

Estimated time:

Description

Hi, in September 2019 the Smallstep company released a feature in their step-ca tool that allows it to serve a private CA responding to the ACMEv2 protocol:

https://smallstep.com/blog/private-acme-server/

I would like to be able to specify my own custom server URL in the ACME Server list, e.g. https://my-ca.local:8443/acme/acme/directory.

Is this feasible?

Best regards, Filippo

#1

Updated by Michael Long about 1 year ago

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

#2

Updated by Stanislav Dimov 8 months ago

Michael Long wrote:

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

+1. Any progress on this?

#3

Updated by Michael . 7 months ago

Stanislav Dimov wrote:

+1. Any progress on this?

+1 on this as well. I have recently set up an ACME server locally and it would be great if I could easily use it with pfSense. This Reddit comment helped somewhat (https://www.reddit.com/r/PFSENSE/comments/fukt7b/acme_with_custom_private_server/fmdjqnk/) but I am having trouble now due to errors such as these:

[Sun Jan 3 11:02:01 EST 2021] Using CA: https://@@@/acme/acme/directory
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Only RSA or EC key is supported. keyfile=/tmp/acme/webConfigurator//ca/@@@/account.key
[Sun Jan 3 11:02:01 EST 2021] Please check log file for more details: /tmp/acme/webConfigurator/acme_issuecert.log

Essentially CURLE_PEER_FAILED_VERIFICATION errors, so I need to figure out how to add my Root/Intermediate CA certs to the system trust store.

EDIT: I could get around this error by manually adding my certs to the system stores: /usr/local/etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt
Now I am faced with a new issue where ACME fails to issue the cert due to "Only RSA or EC key is supported" errors.
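The two failures reported in this thread can be checked outside the pfSense GUI before acme.sh is involved: curl exit code 60 (CURLE_PEER_FAILED_VERIFICATION) means the private CA chain is not trusted by the client, and acme.sh's "Only RSA or EC key is supported" message is what its key-type check prints when the account key file has no RSA or EC PEM header, which is also what happens when the file is empty or was never written because the directory init failed. The script below is an added example, not code from pfSense, the acme package or acme.sh. It assumes that acme.sh decides the key type by grepping the PEM header (older versions do exactly this; newer ones additionally ask openssl, so treat the grep as a simplification), and the ACME_DIR / ACME_CA_BUNDLE variables, the demo key files and the my-ca.local URL are placeholders.

```shell
#!/bin/sh
# Added diagnostic, not part of pfSense or acme.sh.
#   1. verify the private ACME directory against a custom CA bundle only
#      (curl exit 60 = CURLE_PEER_FAILED_VERIFICATION, the error from the thread)
#   2. classify an acme.sh account key the way its header check does
# Assumptions: acme.sh greps the key file for an RSA/EC PEM header (simplified),
# ACME_DIR and ACME_CA_BUNDLE are placeholder environment variables.

# Fetch the ACME directory trusting ONLY the given bundle (root + intermediate),
# without editing /usr/local/etc/ssl/cert.pem or ca-root-nss.crt.
# Returns curl's exit status and prints a hint on 60.
acme_dir_reachable() {
    dir_url="$1"; ca_bundle="$2"
    if curl -sSf --cacert "$ca_bundle" -o /dev/null "$dir_url"; then
        return 0
    else
        rc=$?
        if [ "$rc" -eq 60 ]; then
            echo "curl 60: server chain does not verify against $ca_bundle" >&2
        fi
        return "$rc"
    fi
}

# Classify an acme.sh account key: prints rsa, ec or unsupported and returns 1
# for unsupported. An empty or missing file is unsupported, which is the state
# you are left in when directory init fails and the key is never written.
account_key_type() {
    keyfile="$1"
    if [ ! -s "$keyfile" ]; then
        echo unsupported; return 1
    fi
    if grep -q "BEGIN RSA PRIVATE KEY" "$keyfile"; then
        echo rsa; return 0
    fi
    if grep -q "BEGIN EC PRIVATE KEY" "$keyfile"; then
        echo ec; return 0
    fi
    echo unsupported; return 1
}

# Constructed sample key files (PEM headers with dummy bodies, no real key
# material) so the key check can be exercised offline.
DEMO_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...' '-----END RSA PRIVATE KEY-----' > "$DEMO_DIR/rsa.key"
printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'MHcC...' '-----END EC PRIVATE KEY-----' > "$DEMO_DIR/ec.key"
: > "$DEMO_DIR/empty.key"

for k in rsa ec empty; do
    t=$(account_key_type "$DEMO_DIR/$k.key") || true
    echo "$k.key -> $t"
done

# The network check only runs when pointed at a real directory, e.g.
#   ACME_DIR=https://my-ca.local:8443/acme/acme/directory \
#   ACME_CA_BUNDLE=/path/to/root_and_intermediate.pem sh check-acme.sh
if [ -n "$ACME_DIR" ] && [ -n "$ACME_CA_BUNDLE" ]; then
    if acme_dir_reachable "$ACME_DIR" "$ACME_CA_BUNDLE"; then
        echo "directory reachable with custom CA bundle"
    fi
fi
```

If acme_dir_reachable succeeds with --cacert but the pfSense package still logs error 60, the chain is fine and the problem is that acme.sh (via curl) is not using that bundle, i.e. the CA is missing from the system stores named in the comment above. If account_key_type reports unsupported on the account.key path from the log, the key file is empty or malformed and should be removed so acme.sh regenerates it once the directory is reachable.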
