Account key for generating challenge responses

Help
1

My domain is: thenothingzone.com

I ran this command: wacs --register

It produced this output:

 A simple Windows ACMEv2 client (WACS)
 Software version 2.2.7.1612 (release, trimmed, standalone, 64-bit)
 Connecting to https://acme-v02.api.letsencrypt.org/...
 Connection OK!
 Scheduled task looks healthy
 Please report issues at https://github.com/win-acme/win-acme

My web server is (include version): My own

The operating system my web server runs on is (include version): Windows 11

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.2.7.1612

I'm writing my own code to respond to HTTP-01 challenges when requesting a new certificate (like Certes, Acme.js etc do), however I am lost as to where to find/obtain the key. When I installed WinAcme, I don't recall it ever giving me a key. From my research so far, it seems I may need to create a new account, however I'm at a loss as to how to do this with WinAcme, or anything else. Apparently using the --register switch in WinAcme is supposed to do it, but again - no key.

I'm surprised that there seems to be little information about this - Certes and Acme.js have functions that can accept the key, but apparently no documentation about where to actually get it

2

All ACME client implement support for RFC 8555, and they follow that to generate an account key when registering against the ACME CA: RFC 8555 - Automatic Certificate Management Environment (ACME)

An account key is something your ACME client software generates itself, it's a random secret. It then uses that to sign conversations between itself and the ACME CA. Certes has it's KeyFactory.NewKey method which in turn is using BouncyCastle GeneratorUtilities.GetKeyPairGenerator

Be aware that implementing a new ACME client is a reasonable amount of work and it takes some effort to get it working with multiple CAs etc.

4 Likes
3

That was my understanding. I wanted to know whether it stores it anywhere, and if so, how/if I can use it in my code.

I'm not building a complete client, just server code to respond to the acme-challenge when the actual client (WinAcme) requests a certificate

4

Then you just need to handle HTTP requests of the form

http://thenothingzone.com/.well-known/acme-challenge/(token)

The ACME Client is responsible for making the "token" and its related value.

It looks like your HTTP handler sees incoming requests. But, it doesn't return the contents of the token challenge file created by the ACME Client.

You should look at the wacs docs for Apache and adjust them for your custom server. The process is the same. wacs creates a token and related file and then Apache responds to the challenge from the Let's Encrypt server. Your service replaces Apache in this example.

Be sure to use the Let's Encrypt staging system while testing. Too many failed attempts will get you rate limited (5 failures/hour). See Rate Limits

4 Likes
5

If you tell win-acme where to place challenge response files you can use "webroot" method of serving http challenge response files via your own service, alternatively if your service on windows is using http.sys for it's http pipeline (sharing with other listeners) then win-acme can self host the challenge via it's own listener.

win-acme does have a plugin mechanism you could possibly use if you need specific integration to serve the challenge but for further info on that you'd need to ask a question on win-acmes github discussions.

4 Likes