ACME client able to rotate EABs

Hi all,
I'm creating a central solution which will take care of SSL cert signing for different domains, different environments, different CAs and different EABs within the same CA.

The last part starts to be tricky. It seems that the ACME clients I tried (certbot, lego) both use the provided eab-kid and eab-hmac only during the very first request to the CA; then it is "registered", some info is saved in /etc/letsencrypt/account/... and subsequent requests to the same CA (CA ACME URL) follow the same kid/hmac as used in the very first request.
I need to be able to use a different kid/hmac for the first signing, then another kid/hmac for the second, etc.

Is there any ACME client which supports this behaviour? I don't want to go down the road of deactivating/unregistering the ACME client from the CA every now and then to release the ACME client from the specific kid/hmac so that I can use a different one for the next request.

Thanks for any hints
Zdenek


Just to reword your request a little, I think you're looking for a client that allows for multiple account registrations active for the same ACME server, choosing which account to use based on the certificate.

I don't know of any that would have good support for that offhand, but it wouldn't shock me if one existed somewhere. You might be able to cobble together something using one of the main clients by having multiple configuration locations that they use, like using certbot's --config-dir to have multiple places besides the default /etc/letsencrypt, or lego's --path. I think you'd need to use some care in setting up the scheduled tasks so that all the configs get renewed, but it should be doable.


I agree with Peter. You're looking for a client with (proper) support for multiple ACME accounts. This is because EABs are only used when registering a new ACME account. The RFC does not have any other purpose for EABs, and EABs cannot be used at any other step: just when registering an account, where the external account is bound to the ACME account at the CA.

Note that Certbot can work with multiple accounts, but it does not actually support them. What I mean by that is that Certbot does have code to handle the existence of multiple accounts, but you cannot register multiple accounts yourself. You can e.g. back up (temporarily move) a previously registered account directory, register a NEW account while Certbot thinks it doesn't have any, and place the backed-up account directory back where it was before. Now you have two account directories in /etc/letsencrypt/accounts/${URL_OF_ACME_SERVER}/${DIRECTORY_NAME}/. When issuing a new certificate, while not supporting the registering of multiple accounts, Certbot will ask the user interactively which account needs to be used. Note that this choice cannot be made on the command line as far as I know. And the used account is stored in the renewal configuration file (note that there was a bug with this last part which was fixed in 2.7.3).


One hour and two such good replies, I have no words :slight_smile:

Thanks Peter and Osiris. As Peter suggested, using different config locations might help me fix this. If I create some dynamic way to select a config folder based on eab-kid, it would probably solve my case.

Thanks once again

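The approach agreed on above (one certbot config dir per EAB key id, selected from the eab-kid, plus a renewal pass over every such dir) as an added example; this is not code from any poster. It assumes a root of /var/lib/acme-central, a placeholder CA directory URL, and the standalone authenticator; DRY_RUN=1 prints the certbot command instead of running it.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): isolate each EAB in its own certbot
# config dir so each EAB registers, and later reuses, its own ACME account.
# Layout assumed: $CERT_ROOT/<sanitised eab-kid>/{accounts,renewal,live,...}
set -u

CERT_ROOT="${CERT_ROOT:-/var/lib/acme-central}"
ACME_SERVER="${ACME_SERVER:-https://acme.example.test/directory}"  # placeholder CA URL
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the certbot command instead of running it

# Config dir for an EAB key id; the kid is sanitised so it is safe as a path component.
config_dir_for_kid() {
    local kid="$1" safe
    safe=$(printf '%s' "$kid" | tr -c 'A-Za-z0-9_.-' '_')
    printf '%s/%s' "$CERT_ROOT" "$safe"
}

# Command line for issuing one domain under one EAB. The first run in a fresh
# config dir registers a new account with this kid/hmac; later runs in the same
# dir reuse that account, which is exactly the behaviour observed in the thread.
build_issue_cmd() {
    local domain="$1" kid="$2" hmac="$3" dir
    dir=$(config_dir_for_kid "$kid")
    printf 'certbot certonly --non-interactive --agree-tos --standalone'
    printf ' --config-dir %s --work-dir %s/work --logs-dir %s/logs' "$dir" "$dir" "$dir"
    printf ' --server %s --eab-kid %s --eab-hmac-key %s -d %s\n' \
        "$ACME_SERVER" "$kid" "$hmac" "$domain"
}

# Real invocation passes arguments directly (no eval), so an HMAC with shell
# metacharacters cannot alter the command. Note the HMAC is still visible in
# the process list to other local users while certbot runs.
issue() {
    local domain="$1" kid="$2" hmac="$3" dir
    if [ "$DRY_RUN" = 1 ]; then build_issue_cmd "$@"; return; fi
    dir=$(config_dir_for_kid "$kid")
    certbot certonly --non-interactive --agree-tos --standalone \
        --config-dir "$dir" --work-dir "$dir/work" --logs-dir "$dir/logs" \
        --server "$ACME_SERVER" --eab-kid "$kid" --eab-hmac-key "$hmac" -d "$domain"
}

# Renewal must walk every per-EAB config dir; a plain "certbot renew" would only
# see the default /etc/letsencrypt tree. Prints one renew command per dir.
build_renew_cmds() {
    local dir
    for dir in "$CERT_ROOT"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        printf 'certbot renew --config-dir %s --work-dir %s/work --logs-dir %s/logs\n' \
            "$dir" "$dir" "$dir"
    done
}
```

Run build_renew_cmds from a single scheduled task so every EAB's certificates are renewed, not just the default tree's.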
