Acme.sh supports Google CA, try it!

Google just announced its free public ACME CA.

It supports multiple domains and wildcard domains.

Here is the step by step usage:

6 Likes

I kinda was too early and I had an issue, I had to edit the account.conf file because for some reason the EAB command line options didn't work.

1 Like

emmm, can you please show me the log with --debug 2 ?

I upgraded. The log (level 1?) shows

[Wed 30 Mar 2022 02:25:18 PM UTC] ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Wed 30 Mar 2022 02:25:18 PM UTC] _init api for server: https://dv.acme-v02.api.pki.goog/directory
[Wed 30 Mar 2022 02:25:18 PM UTC] Use default length 2048
[Wed 30 Mar 2022 02:25:18 PM UTC] length='2048'
[Wed 30 Mar 2022 02:25:18 PM UTC] Using config home:/root/.acme.sh
[Wed 30 Mar 2022 02:25:18 PM UTC] ACME_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'
[Wed 30 Mar 2022 02:25:18 PM UTC] Use length 2048
[Wed 30 Mar 2022 02:25:18 PM UTC] Using RSA: 2048
[Wed 30 Mar 2022 02:25:18 PM UTC] Create account key ok.
[Wed 30 Mar 2022 02:25:18 PM UTC] RSA key
[Wed 30 Mar 2022 02:25:18 PM UTC] config file is empty, can not read CA_EAB_KEY_ID
[Wed 30 Mar 2022 02:25:18 PM UTC] config file is empty, can not read CA_EAB_HMAC_KEY
[Wed 30 Mar 2022 02:25:18 PM UTC] Registering account: https://dv.acme-v02.api.pki.goog/directory
[Wed 30 Mar 2022 02:25:18 PM UTC] url='https://dv.acme-v02.api.pki.goog/new-account'
[Wed 30 Mar 2022 02:25:18 PM UTC] payload='{"contact": ["mailto:me@example.com"], "termsOfServiceAgreed": true}'
[Wed 30 Mar 2022 02:25:18 PM UTC] HEAD
[Wed 30 Mar 2022 02:25:18 PM UTC] _post_url='https://dv.acme-v02.api.pki.goog/new-nonce'
[Wed 30 Mar 2022 02:25:18 PM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
[Wed 30 Mar 2022 02:25:19 PM UTC] _ret='0'
[Wed 30 Mar 2022 02:25:20 PM UTC] POST
[Wed 30 Mar 2022 02:25:20 PM UTC] _post_url='https://dv.acme-v02.api.pki.goog/new-account'
[Wed 30 Mar 2022 02:25:20 PM UTC] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Wed 30 Mar 2022 02:25:20 PM UTC] _ret='0'
[Wed 30 Mar 2022 02:25:20 PM UTC] code='400'
[Wed 30 Mar 2022 02:25:20 PM UTC] Register account Error: {"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information."}
[Wed 30 Mar 2022 02:25:20 PM UTC] _on_issue_err
[Wed 30 Mar 2022 02:25:20 PM UTC] Please check log file for more details: /root/.acme.sh/acme.sh.log

I did add the two appropriate options (together with --issue, though, and replacing an existing certificate) but it only started working when I added the CA_EAB_KEY_ID and CA_EAB_HMAC_KEY variables in /root/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/ca.conf

2 Likes

Sweet @Neilpang, saw your tweet and requested access. Just waiting on Google's approval/email :slight_smile:

Sorry, there was a missing step in the wiki; please register the account with the EAB kid/HMAC key first:

acme.sh  --register-account  -m  myemail@example.com --server google \
    --eab-kid xxxxxxx \
    --eab-hmac-key xxxxxxx

2 Likes

Wow, thanks for the news (and acme.sh compatibility), @Neilpang!

This goes to show just how huge a success the ACME protocol has been. :grinning:

I'm kind of curious about the close timing match between Google's creation of this service and their discontinuation of their CT query tool. Is there some reason that they would specifically not want to run both of those things simultaneously?

4 Likes

Haven't read, but are the Google CA issued certs going to have rate limits? If not, maybe CT wouldn't have been able to handle the load?

Noted :smiley:

Yes. There's a page detailing them in the support section, but it's not easy to find and only available once you get approved for the beta.

2 Likes

Cheers, just got approved and generated my credentials using gcloud. Though the doc and quick start pages are still 404 not found for me.

You have to create a project and enable the publicca API before they're visible, I think.

1 Like

Yeah I created the project and enabled the publicca API but still 404 on documents.

@Neilpang using acme.sh v3.03 or dev branch, on 1st server registering an account worked

acme.sh  --register-account  -m  myemail@example.com --server google \
    --eab-kid xxxxxxx \
    --eab-hmac-key xxxxxxx

but doing same on 2nd server gives me?

Register account Error: {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Unknown external account binding key."}

If you have multiple google accounts and one is your google cloud admin account you will see working URLs have something like ?authuser=2 at the end. Append that (the number will vary depending on your accounts) to the link, that's what worked for me.

2 Likes

Append to which part?

edit: oh, you mean to the 404 URLs. That worked, I can see them now!

1 Like

Ah I need a unique key/credentials for each registration!

You can only register one ACME account with an EAB secret. After you have registered an ACME account using an EAB secret, the EAB secret becomes invalid and you can't reuse it. If you want to register multiple ACME accounts, you must request a unique EAB secret for each of the accounts.

1 Like
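An added example, not part of the thread and not acme.sh or Google code: a Python model of the RFC 8555 section 7.3.4 external account binding, showing why a second server reusing the same `--eab-kid`/`--eab-hmac-key` pair is refused. `ToyCA`, the key id, the secret and the account keys are constructed for illustration, and returning `unauthorized` for every failed binding is an assumption based on the error quoted above.

```python
import base64, hashlib, hmac, json

URL = "https://dv.acme-v02.api.pki.goog/new-account"  # newAccount URL from the log above

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def eab_mac(hmac_key_b64, protected, payload):
    signing_input = f"{protected}.{payload}".encode()
    return hmac.new(unb64u(hmac_key_b64), signing_input, hashlib.sha256).digest()

def make_eab(kid, hmac_key_b64, account_jwk, url=URL):
    """Client side: JWS whose payload is the account public key (RFC 8555 7.3.4)."""
    protected = b64u(json.dumps({"alg": "HS256", "kid": kid, "url": url}).encode())
    payload = b64u(json.dumps(account_jwk).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64u(eab_mac(hmac_key_b64, protected, payload))}

class ToyCA:
    """Hypothetical CA model: every EAB key binds exactly one ACME account."""
    def __init__(self, eab_keys):
        self.unused = dict(eab_keys)  # kid -> base64url HMAC key

    def new_account(self, account_jwk, eab=None):
        if eab is None:
            return "urn:ietf:params:acme:error:externalAccountRequired"
        denied = "urn:ietf:params:acme:error:unauthorized"  # assumed for every EAB failure
        header = json.loads(unb64u(eab["protected"]))
        key = self.unused.get(header.get("kid"))
        if key is None or header.get("alg") != "HS256" or header.get("url") != URL:
            return denied
        mac = eab_mac(key, eab["protected"], eab["payload"])
        if not hmac.compare_digest(mac, unb64u(eab["signature"])):
            return denied
        if json.loads(unb64u(eab["payload"])) != account_jwk:
            return denied  # binding was made for a different account key
        del self.unused[header["kid"]]  # consumed: the secret cannot be reused
        return "created"

def demo():
    kid, secret = "constructed-kid", b64u(b"constructed 32-byte demo secret!")
    key_a = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-server-1"}
    key_b = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-server-2"}
    ca = ToyCA({kid: secret})
    return [ca.new_account(key_a),                                # no EAB supplied
            ca.new_account(key_a, make_eab(kid, secret, key_a)),  # first use
            ca.new_account(key_b, make_eab(kid, secret, key_b))]  # reuse on 2nd server
```

Because the MAC covers the account public key, a binding captured in transit cannot be replayed for a different account key even before the secret is consumed.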

Seems so to me too.

It seems the EAB secret is one-time use.

3 Likes

Which is the same for ZeroSSL, so it's fairly standard. I think maybe ssl.com allows re-use of the credentials.

4 Likes

It also expires in 7 days if you do not use it.

2 Likes

Cheers guys!

@Neilpang does using Google CA require the acme.sh dev branch, or can the current v3.0.3 version work?

No, you can use the current master branch.

1 Like