EAB authorization support
encedo opened this issue · comments
Hi Stefan
Have you been thinking about adding EAB authorization to the lib? ZeroSSL is a new kid on the block but requires EAB support. BuyPASS works out of the box (only CA's URL need to be added). Look at the acme.sh or ACMEphp projects for details on how it works.
ZeroSSL is a very interesting CA as there are almost no rate limits.
Chris
Hi Chris,
since ACMECert was initially designed for use with Let's Encrypt only I did not consider adding EAB support before.
But allowing for other CAs is maybe not a bad idea.
I have managed to add EAB support. You can find it in the "eab"-branch.
You can use ZeroSSL by passing the link of the directory to the constructor:
$ac=new ACMECert('https://acme.zerossl.com/v2/DV90');
There is now a new function to register with EAB Credentials:
function registerEAB($termsOfServiceAgreed=false,$eab_kid,$eab_hmac,$contacts=array())
Let me know if it works for you and if you encounter any problems.
Thanks!
Stefan
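For readers who, like the later comment in this thread, wonder what `$eab_kid` and `$eab_hmac` are for: External Account Binding (RFC 8555 §7.3.4) embeds an HMAC-signed JWS inside the newAccount request. The inner JWS carries the ACME account's public key as payload, names the CA-issued key identifier in its `kid` header, and is signed with HS256 using the HMAC key the CA handed out. The following is an added example and not ACMECert's code; the directory URL, kid, HMAC key and JWK values are constructed placeholders, and `verify_eab` shows the check a CA performs on receipt.

```python
"""Build and verify an ACME External Account Binding (EAB) JWS (RFC 8555 section 7.3.4)."""
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example. Real ones come from the CA's
# developer console; the HMAC key is a secret and belongs in a secret store.
NEW_ACCOUNT_URL = "https://acme.example-ca.test/v2/DV90/newAccount"  # hypothetical
EAB_KID = "kid_example_0001"                                          # constructed
EAB_HMAC_B64 = base64.urlsafe_b64encode(b"constructed-32-byte-hmac-key-0000").rstrip(b"=").decode()
ACCOUNT_JWK = {  # constructed P-256 public key in JWK form (not a real key)
    "kty": "EC", "crv": "P-256",
    "x": "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA",
    "y": "ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8",
}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj) -> bytes:
    # Deterministic serialisation so the signing input is reproducible.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_eab(account_jwk: dict, eab_kid: str, eab_hmac_b64: str, new_account_url: str) -> dict:
    """Client side: sign the account public key with the CA-issued HMAC key."""
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(_json_bytes(protected))
    payload_b64 = b64url(_json_bytes(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def new_account_payload(account_jwk, eab_kid, eab_hmac_b64, new_account_url,
                        contacts=(), tos_agreed=False) -> dict:
    """The JSON body of the newAccount request that wraps the EAB JWS."""
    return {
        "termsOfServiceAgreed": tos_agreed,
        "contact": list(contacts),
        "externalAccountBinding": build_eab(account_jwk, eab_kid, eab_hmac_b64, new_account_url),
    }


def verify_eab(eab: dict, eab_hmac_b64: str, expected_jwk: dict, expected_kid: str, expected_url: str) -> bool:
    """CA side: header fields must match, the payload must equal the outer JWS's
    account key, and the HMAC must verify under the key registered for the kid."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        payload = json.loads(b64url_decode(eab["payload"]))
        given = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if protected.get("alg") != "HS256" or protected.get("kid") != expected_kid \
            or protected.get("url") != expected_url:
        return False
    if payload != expected_jwk:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(given, expected)


if __name__ == "__main__":
    body = new_account_payload(ACCOUNT_JWK, EAB_KID, EAB_HMAC_B64, NEW_ACCOUNT_URL,
                               contacts=["mailto:admin@example.com"], tos_agreed=True)
    print(json.dumps(body, indent=2))
    print("verifies:", verify_eab(body["externalAccountBinding"], EAB_HMAC_B64,
                                  ACCOUNT_JWK, EAB_KID, NEW_ACCOUNT_URL))
```

Because the EAB payload is bound to one account key and one newAccount URL, a captured binding cannot be replayed to register a different key or at a different CA; the HMAC key itself, however, lets anyone who holds it bind arbitrary ACME accounts to the CA account, so treat it like any other credential.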
Hi
That was fast! Did you just implement it, or has it been around for a while? :) I will run a few tests today (against all three CAs) and get back to you.
Chris
I just implemented it. It wasn't very difficult, looking at the other projects, especially this commit.
Thank you for testing! Looking forward to the results.
Tested. Works like a charm!
Now you can merge this branch into master. As a result the lib now supports:
- Let's Encrypt
- BuyPASS CA (by calling register('https://api.buypass.com/acme/directory'))
- ZeroSSL (by EAB).
Superb! The big plus for ZeroSSL is support for ECC keys. For our project, having certificates with P-256 keys signed by a CA with ECC results in a small file size (the CA signature is ECDSA). Big win for our embedded system, where size matters ;)
Chris
Wonderful!
I'll also test it thoroughly and update the README. When this is done I'm going to merge it into master.
During my testing, I ran into a few issues that have yet to be fixed before I feel comfortable merging the changes into master. For example, when a challenge fails, both Buypass and ZeroSSL do not immediately set the status of the authorization to "invalid". This leads ACMECert to run into a retry cycle until the maximum retries limit is reached. Another problem is that Buypass currently does not allow deactivating a valid authorization. I have contacted Buypass and they have identified the bug and plan to deploy the fix to production.
One or both of these issues seem to have been fixed by BuyPass, as stated in their response to your complaint in their forum.
Also, I am trying to figure out what $eab_kid and $eab_hmac represent in the code below:
public function registerEAB($termsOfServiceAgreed=false,$eab_kid,$eab_hmac,$contacts=array()) { }
Of course it would have been easier for me had there been comments on the class methods.
Yes! Buypass fixed the problem! The other problem (where ACMECert runs into a retry cycle until the maximum retries limit is reached) I can solve by changing the code a little bit. So Buypass is then hopefully usable.
On the other hand, for ZeroSSL I found no way to detect a failed challenge (so the problem remains there). I have also contacted ZeroSSL, but have not yet got a response... still waiting...
$eab_kid and $eab_hmac are two strings you get here: https://app.zerossl.com/developer (requires a ZeroSSL account)
If ZeroSSL gets usable I'll document the registerEAB function as well.
Hi
Did you get an answer from ZeroSSL? Are they responding? I have two issues (one is similar to yours):
- first, with reaching a limit (8) on confirming the order "https://acme.zerossl.com/v2/DV90/order/" (looks like you have an exponential backoff algorithm here - good job);
- second, with an occasional 504 on "https://acme.zerossl.com/v2/DV90/order//finalize"
In both cases, the DV challenge has been done properly.
ZeroSSL is a partner of Sectigo, so both issues (504 and no reply code for an /order) could be explained by a failing backend to Sectigo. Just guessing :)
Chris
Hi!
Unfortunately I did not get a response from ZeroSSL. However, from what I found out, ZeroSSL seems to retry failed challenges on its own (without the client requesting the verification). That's why the corresponding authorizations are not put immediately into the "invalid" state once failed, like Let's Encrypt does. Instead they are stuck in the "pending" state. So I guess the only way to handle this scenario is to somehow monitor the authorizations and then get the certificate when they are all in the "valid" state at a later point in time. Since this is not how ACMECert works (the orders/challenges/authorizations are not even stored anywhere), I see no possibility to fix this issue.
I also tried it with acme.sh, which is officially supported -> https://zerossl.com/features/acme/#clients
Same thing here (the log below is acme.sh's own output):
[Thu 15 Apr 2021 09:20:02 PM CEST] Using CA: https://acme.zerossl.com/v2/DV90
[Thu 15 Apr 2021 09:20:02 PM CEST] Creating domain key
[Thu 15 Apr 2021 09:20:02 PM CEST] The domain key is here: /root/.acme.sh/example.com/example.com.key
[Thu 15 Apr 2021 09:20:02 PM CEST] Single domain='example.com'
[Thu 15 Apr 2021 09:20:02 PM CEST] Getting domain auth token for each domain
[Thu 15 Apr 2021 09:20:03 PM CEST] Getting webroot for domain='example.com'
[Thu 15 Apr 2021 09:20:03 PM CEST] Verifying: example.com
[Thu 15 Apr 2021 09:20:07 PM CEST] Processing
[Thu 15 Apr 2021 09:20:09 PM CEST] Processing
[Thu 15 Apr 2021 09:20:12 PM CEST] Processing
[Thu 15 Apr 2021 09:20:14 PM CEST] Processing
[Thu 15 Apr 2021 09:20:17 PM CEST] Processing
[Thu 15 Apr 2021 09:20:20 PM CEST] Processing
[Thu 15 Apr 2021 09:20:22 PM CEST] Processing
[Thu 15 Apr 2021 09:20:25 PM CEST] Processing
[Thu 15 Apr 2021 09:20:27 PM CEST] Processing
[Thu 15 Apr 2021 09:20:30 PM CEST] Processing
[Thu 15 Apr 2021 09:20:32 PM CEST] Processing
[Thu 15 Apr 2021 09:20:35 PM CEST] Processing
[Thu 15 Apr 2021 09:20:38 PM CEST] Processing
[Thu 15 Apr 2021 09:20:40 PM CEST] Processing
[Thu 15 Apr 2021 09:20:43 PM CEST] Processing
[Thu 15 Apr 2021 09:20:45 PM CEST] Processing
[Thu 15 Apr 2021 09:20:48 PM CEST] Processing
[Thu 15 Apr 2021 09:20:50 PM CEST] Processing
[Thu 15 Apr 2021 09:20:53 PM CEST] Processing
[Thu 15 Apr 2021 09:20:56 PM CEST] Processing
[Thu 15 Apr 2021 09:20:58 PM CEST] Processing
[Thu 15 Apr 2021 09:21:01 PM CEST] Processing
[Thu 15 Apr 2021 09:21:03 PM CEST] Processing
[Thu 15 Apr 2021 09:21:06 PM CEST] Processing
[Thu 15 Apr 2021 09:21:08 PM CEST] Processing
[Thu 15 Apr 2021 09:21:11 PM CEST] Processing
[Thu 15 Apr 2021 09:21:13 PM CEST] Processing
[Thu 15 Apr 2021 09:21:16 PM CEST] Processing
[Thu 15 Apr 2021 09:21:19 PM CEST] Processing
[Thu 15 Apr 2021 09:21:19 PM CEST] example.com:Timeout
I think I give up trying to support ZeroSSL in ACMECert for now :(
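The two CA behaviours discussed above (one CA moves a failed authorization straight to "invalid", the other keeps retrying server-side and leaves it "pending" until the client exhausts its retry budget) come down to how a client polls authorization status. The following added example, which is not ACMECert's or acme.sh's code, shows a poller that treats only the RFC 8555 terminal states as final, backs off exponentially with a cap, and reports "unresolved" rather than "invalid" when the retry budget runs out. The `replay` helper is a constructed stand-in for the HTTP request that fetches the authorization object, so the block runs offline.

```python
"""Poll an ACME authorization with exponential backoff and a hard retry cap."""
import time

# RFC 8555 authorization states that will not change again without client action.
TERMINAL_STATES = {"valid", "invalid", "expired", "revoked", "deactivated"}


def poll_authorization(fetch_status, max_attempts=8, initial_delay=1.0,
                       max_delay=16.0, sleep=time.sleep):
    """fetch_status() returns the authorization's current "status" string.

    Returns the final status ("unresolved" if the attempt cap was reached
    while the CA still reported a non-terminal state), the number of
    attempts used, and the delays slept, so callers can inspect the backoff.
    """
    delays = []
    delay = initial_delay
    for attempt in range(1, max_attempts + 1):
        status = fetch_status()
        if status in TERMINAL_STATES:
            return {"status": status, "attempts": attempt, "delays": delays}
        if attempt < max_attempts:          # no point sleeping after the last attempt
            sleep(delay)
            delays.append(delay)
            delay = min(delay * 2, max_delay)
    return {"status": "unresolved", "attempts": max_attempts, "delays": delays}


def replay(statuses):
    """Constructed stand-in for a POST-as-GET on the authorization URL:
    returns the given statuses in order and repeats the last one forever."""
    it = iter(statuses)
    last = [None]

    def fetch():
        try:
            last[0] = next(it)
        except StopIteration:
            pass
        return last[0]
    return fetch


# Constructed scenarios mirroring the thread (not captured CA responses):
LE_LIKE = ["pending", "invalid"]                 # authz marked invalid right after the failed challenge
STUCK_PENDING = ["pending"]                      # CA retries server-side; status never leaves "pending"
EVENTUALLY_VALID = ["pending", "pending", "valid"]


def run_scenarios(sleep=lambda _seconds: None):
    """Run all three scenarios with a small cap; sleeping is stubbed out by default."""
    return {
        name: poll_authorization(replay(seq), max_attempts=5, sleep=sleep)
        for name, seq in [("le_like", LE_LIKE),
                          ("stuck_pending", STUCK_PENDING),
                          ("eventually_valid", EVENTUALLY_VALID)]
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:17s} -> {result}")
```

The distinction between "unresolved" and "invalid" matters operationally: as noted later in this thread, an order that timed out on the client side was still issued by the CA, so a client that treats exhausted retries as failure and re-orders will burn rate limits and create duplicate certificates. The cap keeps the client from spinning indefinitely, and the recorded delays make the backoff easy to check in a test.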
During my testing I also got a lot of 5xx response codes. Seems "normal" with ZeroSSL xD
I have emailed them a few minutes ago. Will try to reach them on LinkedIn as well.
I'm giving myself a few days :)
IMHO it is an issue between ZeroSSL and Sectigo. The cert that reached the reply timeout got issued! It is visible in the official Dashboard. The 504 is another case - reverse proxy overloaded?
I'm using DNS-TXT validation where the DNS server is handled by a 3rd party, with no chance to monitor whether the bot has performed the query.
Will see how it develops.
Hi Stefan,
I got a reply from ZeroSSL Support Team :) Quote:
"
Hi Krzysztof,
Thank you for reaching out.
The current ACME issues are still under investigation and we currently don't have a fixed date when this will be resolved.
Best regards,
Ivana
ZeroSSL Customer Success
"
So it looks like it will take some time :) However, the EAB integration is correct; it works most of the time :) I will do more tests with another player: https://www.ssl.com/how-to/order-free-90-day-ssl-tls-certificates-with-acme/