AMCE cert with Sectigo account

thesix

Member
Mar 17, 2021
18
2
8
60
Hi!

We use Sectigo [1] for our x509 certs. They offer no challenge based system for ACME. We use accounts instead. I can setup an account in PVE config System/Certificates but cannot use it since I have to chose between DNS and HTTP challenge to add a certificate. Both are not an option. Please advise.

[1] https://www.sectigo.com/

Regards,
j.
 
Thanks, did that. In order to make it easier for others in the future I summarize what I had to do to get it working. I did all that using the CLI since I felt the UIX is not as comfortable as it should be.

Register and account using your EMAIL, EAB_KEY_ID and EAB_KEY

Code:
root@pve:~# pvenode acme account register default EMAIL

Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection: 2
Enter custom URL: https://acme.sectigo.com/v2/OV

Attempting to fetch Terms of Service from 'https://acme.sectigo.com/v2/OV'..
Terms of Service: https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf
Do you agree to the above terms? [y|N]: y
The CA requires external account binding.
You should have received a key id and a key from your CA.
Enter EAB key id: EAB_KEY_ID
Enter EAB key: EAB_KEY

Attempting to register account with 'https://acme.sectigo.com/v2/OV'..
Generating ACME account key..
Registering ACME account..
Registration successful, account URL: 'https://acme.sectigo.com/v2/OV/account/X'
Task OK

Configure the DOMAIN (e.g. pve.example.com) for your certificate

Code:
root@pve:~# pvenode config set --acme domains=DOMAIN

Order the first certificate

Since we already had certificates in use I had to use --force=1 to overwrite the existing certificate.
Code:
root@pve:~# pvenode acme cert order --force=1
Loading ACME account details
Placing ACME order
Order URL: https://acme.sectigo.com/v2/OV/order/X

Getting authorization details from 'https://acme.sectigo.com/v2/OV/authz/Y'
DOMAIN is already validated!

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
Task OK
 
Ive been using EAB based Sectigo cert ordering via PVE GUI with the default challenge setting (HTTP) just fine. What problems did you exactly run into?
 
Ive been using EAB based Sectigo cert ordering via PVE GUI with the default challenge setting (HTTP) just fine. What problems did you exactly run into?
As I said I am not aware of any challenge methods Sectigo offers. The only way to get a certificate is to use an account and get certificates by logging in. Configuring this using the above described way works now. Would not know how to do that in the UIX though.
 
Ive been using EAB based Sectigo cert ordering via PVE GUI with the default challenge setting (HTTP) just fine. What problems did you exactly run into?
Just out of curiosity: why would you need a challenge if you are using EAB?
 
As I said I am not aware of any challenge methods Sectigo offers. The only way to get a certificate is to use an account and get certificates by logging in. Configuring this using the above described way works now. Would not know how to do that in the UIX though.
  1. Add FQDNs on the Sectigo SCM platform via their DCV methods
  2. On PVE GUI, Datacenter - ACME - Add default account with Sectigo URL and EAB credentials
  3. On the desired node - System>Certificates - Select default account and enter desired FQDNs with challenge type unmodified to default value (which is HTTP)
  4. Order certificates now and it works as expected
Just out of curiosity: why would you need a challenge if you are using EAB?
I'm pretty sure it doesnt even do the challenge, its just that in the GUI theres no setting for none
It still works though.
 
I'm pretty sure it doesnt even do the challenge, its just that in the GUI theres no setting for none
It still works though.
I believe you and at the same time state that this is undesired behavior. But thanks for taking you time.

Just checked btw. The certificate I configured via CLI appears as ACME HTTP in the UIX ...
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!