Certificates: acme and Sectigo

[Klaus Steinberger]

Hi,

i want to use acme for Certificates from Sectigo. But I'm missing the options for the external binding as the registration needs both an eab-kid and eab-hmac-key parameter.

With certbot these are the --eab-kid and --eab-hmac-key with the appropriate values from our Sectigo Account

 

[Klaus Steinberger]

No Idea ?

 

[aaron]

It seems that Proxmox VE does not accept the eab parameters. Feel free to open an enhancement request in the bugtracker.

 

[maxiReglisse]

april 2024... Same request! Thanks in advance to the developers.

 

[aaron]

Well, as of now, with the freshly released 8.2 it should be possible.
From the roadmap:

• Support for adding custom ACME enabled CA's with optional authentication through External Account Binding (EAB) is now also present in the GUI (issue 4497, issue 5093).

 

[Klaus Steinberger]

Well, as of now, with the freshly released 8.2 it should be possible.
From the roadmap:

It does not work with Sectigo CA:

Attempting to register account with 'https://acme.sectigo.com/v2/OV'..
Generating ACME account key..
Registering ACME account..
Registration failed: Error: POST to https://acme.sectigo.com/v2/OV/newAccount {"type":"urn:ietfarams:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}

key_id and hmac are pasted correctly in the command as I use same key_id/hmac on some other servers.

 

[andli86]

Hi,

I agree with Klaus, that it doesn't work with PVE 8.2 and Sectigo ACME.

Generating ACME account key..
Registering ACME account..
TASK ERROR: Registration failed: Error: POST to https://acme.sectigo.com/v2/OV/newAccount {"type":"urn:ietfarams:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}

I still have a manual added custom certificate "pveproxy-ssl.pem", for the same domain.

 

[andli86]

Hi again,

To give more information on my problem generating a certificate with the new custom ACME function in PVE 8.2.
(Please also see my previous message in this thread)

I used to run the following command (with success), to generate my certificates that I manually added as a custom certificate in my PVE host.
sudo certbot certonly --standalone \
--non-interactive \
--agree-tos \
--email <mail> \
--server https://acme.sectigo.com/v2/OV \
--eab-kid <kid> \
--eab-hmac-key <key> \
--domain <domain_fqdn> \
--cert-name <cert_file_name> \
--verbose

All private data have been removed from the example, such as my email, EAB-KID, EAB-HMAC-KEY, domain and certname (which was similar to the domain name).

 

[Folke]

Hi,
could you try to create the certificate via the cli? The command for that would be: pvenode acme account register <name> <mail>
The wizard should ask you for a custom directory and optionally the eab credentials

 

[staeglis]

I tried it via cli. The same error occurred there.

 

[andli86]

Hi,

I also tried to do this via the cli, and it failed again. I'll include everything I did here below (I have removed all sensible data).

root@pve:~# pvenode acme account register Sectigo <mail>
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection: 2
Enter custom URL: https://acme.sectigo.com/v2/OV

Attempting to fetch Terms of Service from 'https://acme.sectigo.com/v2/OV'..
Terms of Service: https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf
Do you agree to the above terms? [y|N]: y
The CA requires external account binding.
You should have received a key id and a key from your CA.
Enter EAB key id: <kid>
Enter EAB key: <key>

Attempting to register account with 'https://acme.sectigo.com/v2/OV'..
Generating ACME account key..
Registering ACME account..
Registration failed: Error: POST to https://acme.sectigo.com/v2/OV/newAccount {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}
Task Registration failed: Error: POST to https://acme.sectigo.com/v2/OV/newAccount {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}
root@pve:

I don't know if this is for any help in solving this, I reuse the same EAB key id and EAB key, that I have used before from another server to generat the certificates, so that I could add it as a custom certificate on the PVE host.

 

[Folke]

Hm, I just tested it against ZeroSSL, same problem. It seems like pebble isn't so much the reference server, as it claims to be ^^

Could you please open an issue on our bugzilla and post the link here for others to find, so we can keep track of the issue?

https://bugzilla.proxmox.com

 

[Folke]

Nevermind, found the issue and noticed that it got already fixed back in February, the package didn't get a release since, though.
I'll update the thread as soon as an update is available

 

[andli86]

Nevermind, found the issue and noticed that it got already fixed back in February, the package didn't get a release since, though.
I'll update the thread as soon as an update is available

Thanks Folke, will be nice to try and use this. Looking forward to when it's available.

 

[Folke]

The update should now be available in all repositories except enterprise.
The package you would be looking for is libproxmox-acme-perl 1.5.1

Let me know if it works!

 

[s3b]

Hi ,
the registration and ordering certificates is working fine now for me with Sectigo . I have to let "default" for the name of the account .
Waiting for enterprise repositories .
thanks