Certificates: acme and Sectigo

Jan 16, 2018
Hi,

I want to use acme for certificates from Sectigo. But I'm missing the options for the external binding, as the registration needs both an eab-kid and an eab-hmac-key parameter.

With certbot these are the --eab-kid and --eab-hmac-key with the appropriate values from our Sectigo Account
 
It seems that Proxmox VE does not accept the eab parameters. Feel free to open an enhancement request in the bugtracker.
 
Well, as of now, with the freshly released 8.2 it should be possible.
From the roadmap:
  • Support for adding custom ACME enabled CA's with optional authentication through External Account Binding (EAB) is now also present in the GUI (issue 4497, issue 5093).
 
It does not work with Sectigo CA:

Attempting to register account with 'https://acme.sectigo.com/v2/OV'..
Generating ACME account key..
Registering ACME account..
Registration failed: Error: POST to https://acme.sectigo.com/v2/OV/newAccount {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}

key_id and hmac are pasted correctly in the command as I use same key_id/hmac on some other servers.
 
Hi,

I agree with Klaus that it doesn't work with PVE 8.2 and Sectigo ACME.

Generating ACME account key..
Registering ACME account..
TASK ERROR: Registration failed: Error: POST to https://acme.sectigo.com/v2/OV/newAccount {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}

I still have a manual added custom certificate "pveproxy-ssl.pem", for the same domain.
 
Hi again,

To give more information on my problem generating a certificate with the new custom ACME function in PVE 8.2.
(Please also see my previous message in this thread)

I used to run the following command (with success), to generate my certificates that I manually added as a custom certificate in my PVE host.
sudo certbot certonly --standalone \
--non-interactive \
--agree-tos \
--email <mail> \
--server https://acme.sectigo.com/v2/OV \
--eab-kid <kid> \
--eab-hmac-key <key> \
--domain <domain_fqdn> \
--cert-name <cert_file_name> \
--verbose

All private data have been removed from the example, such as my email, EAB-KID, EAB-HMAC-KEY, domain and certname (which was similar to the domain name).
 
Hi,
could you try to create the certificate via the cli? The command for that would be: pvenode acme account register <name> <mail>
The wizard should ask you for a custom directory and optionally the eab credentials
 
Hi,

I also tried to do this via the cli, and it failed again. I'll include everything I did here below (I have removed all sensitive data).

Code:
root@pve:~# pvenode acme account register Sectigo <mail>
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection: 2
Enter custom URL: https://acme.sectigo.com/v2/OV

Attempting to fetch Terms of Service from 'https://acme.sectigo.com/v2/OV'..
Terms of Service: https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf
Do you agree to the above terms? [y|N]: y
The CA requires external account binding.
You should have received a key id and a key from your CA.
Enter EAB key id: <kid>
Enter EAB key: <key>

Attempting to register account with 'https://acme.sectigo.com/v2/OV'..
Generating ACME account key..
Registering ACME account..
Registration failed: Error: POST to https://acme.sectigo.com/v2/OV/newAccount {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}
Task Registration failed: Error: POST to https://acme.sectigo.com/v2/OV/newAccount {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}
root@pve:

I don't know if this is of any help in solving this: I reuse the same EAB key id and EAB key that I have used before from another server to generate the certificates, so that I could add it as a custom certificate on the PVE host.
 
Hm, I just tested it against ZeroSSL, same problem. It seems like pebble isn't so much the reference server, as it claims to be ^^

Could you please open an issue on our bugzilla and post the link here for others to find, so we can keep track of the issue?

https://bugzilla.proxmox.com
 
Nevermind, found the issue and noticed that it got already fixed back in February, the package didn't get a release since, though.
I'll update the thread as soon as an update is available
 
The update should now be available in all repositories except enterprise.
The package you would be looking for is libproxmox-acme-perl 1.5.1

Let me know if it works!
 
Should this work in PBS too? :confused:

Code:
Error: urn:ietf:params:acme:error:malformed: [External Account Binding] Invalid MAC on JWS request
Error: urn:ietf:params:acme:error:malformed: [External Account Binding] The Key Identifier is invalid
Error: Invalid byte 45, offset 67.
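As an added illustration (not from this thread, and not Proxmox or certbot code), here is a small Python model of what the externalAccountBinding step of RFC 8555 section 7.3.4 requires: an HS256 JWS whose payload is the account's public JWK, keyed with the base64url-decoded EAB key. It also shows that a strict standard-alphabet base64 decoder rejects the URL-safe characters '-' (byte 45) and '_', which is one way an "Invalid byte 45" style failure can arise while decoding such a key. All credentials, the account JWK and the URL constant below are constructed sample values.

```python
import base64, binascii, hashlib, hmac, json

NEW_ACCOUNT_URL = "https://acme.sectigo.com/v2/OV/newAccount"  # assumed newAccount endpoint

def b64url(data: bytes) -> str:
    # JOSE base64url: URL-safe alphabet, no '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Accept the padded or unpadded form a CA may hand out; re-add padding first
    text = text.strip()
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(kid: str, eab_key: str, account_jwk: dict) -> dict:
    # externalAccountBinding JWS (RFC 8555 s7.3.4): HS256 over "protected.payload",
    # payload = the new account's public JWK, MAC key = base64url-DECODED EAB key
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": NEW_ACCOUNT_URL},
                                  separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(eab_key), f"{protected}.{payload}".encode(),
                   hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab(eab: dict, eab_key: str, kid: str, account_jwk: dict) -> bool:
    # The checks a CA performs before answering 'Invalid MAC on JWS request'
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        payload = json.loads(b64url_decode(eab["payload"]))
        sig = b64url_decode(eab["signature"])
    except (ValueError, KeyError):
        return False
    if header != {"alg": "HS256", "kid": kid, "url": NEW_ACCOUNT_URL} or payload != account_jwk:
        return False
    expected = hmac.new(b64url_decode(eab_key), f"{eab['protected']}.{eab['payload']}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def standard_b64_accepts(eab_key: str) -> bool:
    # Strict standard-alphabet decode rejects '-' (byte 45) and '_', the URL-safe characters
    try:
        base64.b64decode(eab_key, validate=True)
        return True
    except binascii.Error:
        return False

# Constructed sample credentials and account key; not real Sectigo values
KID = "example-kid-0001"
EAB_KEY = "kM-3_Qp7rX2cN9vLw1yZ8aB4eF6hJ0iK"  # 24-byte key in base64url, contains '-' and '_'
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

if __name__ == "__main__":
    eab = build_eab(KID, EAB_KEY, ACCOUNT_JWK)
    print(json.dumps(eab, indent=1))
    print("valid MAC:", verify_eab(eab, EAB_KEY, KID, ACCOUNT_JWK))
    print("standard base64 accepts key:", standard_b64_accepts(EAB_KEY))
```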
 
Hi, I have now tested this in one of my servers with enterprise repositories.
I configured only one domain for this server (will try and add one more domain as a SAN).
And it works, so far for me (30 minutes since configured), I will wait a couple of days/weeks before I configure my next server.
I can inform that my second PVE server in my 3-node cluster works almost without any problem.
I planned to update my nodes every 4 months, so that I have the maximum spread between the 3 nodes, and the second node was planned for September 17.
The problem I had was that I had to recreate the account, that I created at the same time as for the first node. But after recreating the account for my second node it worked smoothly.
Now I have to wait until January 17 for updating the third node.

I still haven't managed to do this with ACME with EAB key id and EAB key on PBS yet; I have another post regarding this: https://forum.proxmox.com/threads/acme-with-custom-acme-directory-doesnt-work.147058/#post-665760
 

A workaround for PBS is now available :cool: : https://forum.proxmox.com/threads/acme-with-custom-acme-directory-doesnt-work.147058/post-708297
 