Allow custom ACME server #204
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Thanks for opening this pull request! Be sure to follow the pull request template!
|
Just wanted to note that I don't love having to send a base64-encoded root CA PEM into the container via an env variable. |
|
I am a bot, here are the test results for this PR: |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
Bump |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
@tashian on alpine you can pkg add ca-certificates, store a ca cert in /usr/local/share/ca-certificates directory and run update-ca-certificates. this seems to make the ca cert available for all tools. tested this on a alpine docker container, makes curl work on my custome ACME server |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
Bumping this to demonstrate my own interest in this feature. |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
bump |
|
I am very interested in seeing this added as a feature. I have an internal CA (via step-ca + ACME provisioner) I have tested against for which I can provide results that this indeed does work (minus one change which I have already highlighted). |
|
We've been working on a big rebase of our nginx baseimage and new features were put on hold. We're very close to completing that so we'll take a look at this soon. |
|
@tashian If you rebase this, we'll review and merge soon Thanks |
tashian
force-pushed
the
custom-acme
branch
3 times, most recently
from
af45143 to
20e8893
Compare
|
Hi @aptalca, thanks for the update. I've rebased this PR. |
tashian
force-pushed
the
custom-acme
branch
from
20e8893 to
564e0d8
Compare
|
@coreyramirezgomez thanks for testing on your setup! I committed your suggestion |
|
I am a bot, here are the test results for this PR: |
2 similar comments
|
I am a bot, here are the test results for this PR: |
|
I am a bot, here are the test results for this PR: |
|
Thanks for the PR. It looks good to me except for a couple of things.
|
tashian
force-pushed
the
custom-acme
branch
from
49b7121 to
3033576
Compare
|
Ok, I've addressed these issues, thanks for the feedback. I also updated the logic to allow a file-mounted CA bundle. I think this is more straightforward than providing a base64-encoding PEM file in an env variable, but I know this option won't be available in some container environments. |
|
I am a bot, here are the test results for this PR: |
1 similar comment
|
I am a bot, here are the test results for this PR: |
root/etc/cont-init.d/50-certbot
Outdated
| @@ -229,7 +248,7 @@ else | |||
| fi | |||
|
|
|||
| # Check if the cert is using the old LE root cert, revoke and regen if necessary | |||
| if [ -f "/config/keys/letsencrypt/chain.pem" ] && ([ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]) && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then | |||
| if [ -f "/config/keys/letsencrypt/chain.pem" ] && ([ "${CERTPROVIDER}" = "letsencrypt" ] || ([ "${CERTPROVIDER}" = "" ] && [ -z "$ACMECABUNDLE" ])) && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then | |||
There was a problem hiding this comment.
This new logic is incorrect. In fact, this logic does not need to be modified at all, as it is just a backwards compatibility shim for a breaking change from well over a year ago.
The part that needs to be modified is the following, to make sure that the changes to the custom ACME related vars result in revoking the old cert and forcing revalidation:
docker-swag/root/etc/cont-init.d/50-certbot
Lines 192 to 219 in fe294dd
The section for revoking might need some edits as well.
There was a problem hiding this comment.
I see. Ok, I've made these edits.
As far as I can tell, there's no EAB credential state stored in the ORIG variables, so I can't do EAB revocation using a custom ACME server. The way it works for ZeroSSL is via a custom lookup API that maps the email to an EAB account. But, that seems to be a ZeroSSL thing, not part of the ACME standard.
So, for now, maybe EAB should not be allowed for custom ACME servers?
tashian
changed the title
| if [ -n "$ORIGACMECABUNDLE" ]; then | ||
| echo "$ORIGACMECABUNDLE" | base64 -d - > /config/origcabundle.pem | ||
| export REQUESTS_CA_BUNDLE="/config/origcabundle.pem" |
There was a problem hiding this comment.
Hi @aptalca,
For revocation, I've exported the original CA bundle to /config/origcabundle.pem here and I've set REQUESTS_CA_BUNDLE so that it's picked up by certbot/curl.
Will I need to re-export REQUESTS_CA_BUNDLE after revocation, so it points to the contents of /config/cabundle.pem again?
|
I am a bot, here are the test results for this PR: |
1 similar comment
|
I am a bot, here are the test results for this PR: |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
This pull request is locked due to inactivity |
Description:
Support for a custom ACME server and CA bundle.
I've added
ACMESERVERandACMECABUNDLEvariables to support this.The root CA bundle in
ACMECABUNDLEis expected to be a base64 encoded PEM file.The config init script decodes and saves the CA bundle to
/config/cabundle.pem.The variable
REQUESTS_CA_BUNDLEis exported for all calls tocertbot, so thatcertbotcan establish CA trust.Benefits of this PR and context:
Internal ACME servers have become more popular and should be supported.
Closes #186.
How Has This Been Tested?
Not yet tested.
Source / References:
There's no formal documentation that I know of for the
REQUESTS_CA_BUNDLEenv variable passed intocertbot, but this blog post shows it in action.