ACME support in Google’s CA

General question:

Does this new "free" Google CA require a non-free Google Cloud account? I can only see a 90 day trial..

Google Cloud itself is free (if you don't use any non-free services) and there is a free tier (i.e some services have no-cost for light usage) . You do need to register a payment method (because you can very easily incur costs if you want to).

We ask you for your credit card to make sure you are not a robot. You won’t be charged unless you manually upgrade to a paid account.

I just don't trust Google enough to just sign up with my CC, so they can bill anything they want when they unilateral change their own rules/policy

Oh and if you'd try to remove your CC info after registration:

Your Cloud Billing account always needs at least one payment method on file.

So that's a no-go too. So much for the "not a robot" argument..

Ah well, no Google Cloud nor Google CA for me then

See also Google Maps, which was free for about a decade and is pretty expensive now for high volume users like me. For cloud stuff, free is definitely not their priority and of all of them I probably get best value out of Cloudflare (in terms of what they do), perhaps they'll be an ACME CA one day. Fastly are also talking about establishing a CA called Certainly.

My Google Cloud account is somewhat old but I never actually used it (I only needed to access some YouTube APIs) and it didn't ask me for a CC when adding the public CA.

But I do have a CC in my Google account, I just don't have billing set up in Google Cloud, and it will ask me sto add it any time I try to access a paid service (like... most of their services.)

I just don't want Google to have my CC info anywhere.

Not even on the play store? (I think I added it when I bought a Nexus 5 from them)

Nope. Google supports iDEAL, a Dutch payment method using online banking, supported by all major (if not all) banks operating in The Netherlands. Thus, no need for Google to know my CC info.

Anyway, this is rather offtopic, it seems there is no way to get access to Googles CA without subscribing without any payment info. Let's continue ontopic from now on

There is a report an issue option on the https://pki.goog website Google Trust Services | FAQ and contact

As for this, a bug has been filed to investigate and I or someone else will close the loop here when we get more information.

Ryan Hurst

As @webprofusion points out GCP does have a free tier and this is enough to use the service but you do need to register with a payment method to get into the free tier.

It seems like neither the Staging or Prod endpoints support POST-as-GET requests for ACME account endpoints. If I send a JWS request with an empty string payload and the following header:

This issue has been resolved. Thanks for letting us know.

This feature has been added.

I seem to have been invited, but don't know how to get started?

Thanks @rmhrisk. I just got around to testing it with the accounts I had previously created in Prod and Staging, but it still doesn't seem to be working quite right. I do get a different error now though.

{"type":"urn:ietf:params:acme:error:malformed","detail":"Accounts must have at least one contact."}

The accounts had originally been setup with a gmail address in the contact field that matches the GCP account I'm using. I also tried modifying the account using an updated contact payload with the same gmail address which was successful and returned the account object details back as expected. But then trying the Post-As-Get again, returns the same "Accounts must have at least one contact" error.

We will investigate and come back to the thread when we have more. Thank you for the details.

I had one more curiosity attack and I checked my logs.

It looks like Google uses multi-perspective validation too. From six points instead of four.

I submitted a couple more potential issues via the official contact form regarding the key rollover endpoint and account order URIs not working.

Even more I hope to talk publicly about what we have done in the near future.

Thanks for the excellent bugs @rmbolger we are actively working on addressing them.

Yeah, i checked just one FQDN but the total number of requests wasn't making too much sense, With six each it should've been 36 and instead it was 40.