ACME with multiple suppliers

Hello,

We want to use ACME but with different directory URLs from multiple suppliers. Is there some sort of gateway software that provides this feature? Where you can connect multiple suppliers and the server always configures the same directory URL?

Thanks in advance.

Many ACME Clients support various ACME Servers. Refer to the docs for each Client for how you specify the Server's directory URL.

If that does not answer your question please explain more about what you are trying to do. A single certificate can only be issued by a single CA (supplier).

2 Likes

Hello Mike,

I mean we want to distribute one single URL on the internal network which lets clients connect to a gateway server which then handles the certificate request. So when the supplier changes, the internal address remains the same.

Let's Encrypt is a Certificate Authority (CA) that runs an ACME Server.

You use an ACME Client to request a certificate from it. You can use that Client to connect to other ACME Servers too. Let's Encrypt does not supply the ACME Client. There are many to choose from or you can develop your own (can be complex).

Are you developing your own ACME Client?

You should probably review the topics here: Documentation - Let's Encrypt

4 Likes

There's no extant software (at least to my knowledge) to do what you're asking for, and I question whether it would even be possible. A better solution for you might be a local certificate authority, which could issue certs using ACME (I don't know about others, but Smallstep has this capability).

Otherwise, you could obtain wildcard certs on that centralized system, and use it to distribute them to whatever local resources need them.

3 Likes

@TheBzking If you need certificates from a public CA, you should know that they differ by more than just the directory URL. Some require EAB, some do not. They don't all offer the same features.

Here is one comparison list but it is not comprehensive

3 Likes

I somewhat do this with my client. It offers a central JSON API server for clients behind a LAN to manage the issuance lifecycle. It does not implement the ACME RFC as a server though, only as a client. The API is its own. You make JSON requests to it, and it runs the ACME protocol with its own client.

This would be somewhat of an anti-pattern. The ACME CA should not change on a whim, and the ACME CAs are increasingly diverging from one another in terms of what they support. Ten years ago, ACME clients could easily swap a directory URL and receive largely the same product. Today, things are diverging quite a bit. Changing the CA can change more than just the issuer; it can change what is required in the payloads and what the end product is. Changing the CA will now usually mean changing the local client integration and is driven by specific business goals.

Anyways, the easiest way to achieve what you requested might be to have a custom domain on your LAN, and proxy all traffic to that onto a given destination. i.e. you run acme.example.com and just have it rewrite/proxy traffic to https://acme-staging-v02.api.letsencrypt.org/directory. I can't think of anything that would break in the ACME protocol or current CA implementations if you did that.

6 Likes
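A practitioner's caveat worth checking before building the rewriting proxy sketched in the post above, as an added example that is not part of the thread or of any ACME project: RFC 8555 section 6.4 requires the ACME server to compare the JWS "url" protected header with the URL the request actually arrived at and reject a mismatch, so a proxy that hands clients a directory rewritten to an internal name changes what the client signs over. The script below is stdlib-only Python; the directory document, nonce, account URL and the name acme.example.com are constructed assumptions, and no signatures are verified because the point is the URL comparison that happens alongside signature verification.

```python
"""ACME RFC 8555 section 6.4 'url' check vs. a hostname-rewriting proxy.

Added illustration, not code from the thread or from any ACME project.
Constructed data: the directory document and the JWS protected headers are
made up here; a real Let's Encrypt directory has the same shape but more
fields.  Signatures are not checked: the point is the URL comparison an
ACME server performs in addition to signature verification.
"""
from __future__ import annotations

import base64
import json

UPSTREAM = "https://acme-v02.api.letsencrypt.org"  # real CA origin
INTERNAL = "https://acme.example.com"              # ASSUMED internal proxy name

# Constructed directory shaped like RFC 8555 section 7.1.1 (not a real response).
UPSTREAM_DIRECTORY = {
    "newNonce": f"{UPSTREAM}/acme/new-nonce",
    "newAccount": f"{UPSTREAM}/acme/new-acct",
    "newOrder": f"{UPSTREAM}/acme/new-order",
    "revokeCert": f"{UPSTREAM}/acme/revoke-cert",
    "keyChange": f"{UPSTREAM}/acme/key-change",
    "meta": {"termsOfService": "https://letsencrypt.org/documents/LE-SA.pdf"},
}


def b64url(data: bytes) -> str:
    """Unpadded base64url as used by JWS (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rewrite_urls(obj, src: str, dst: str):
    """Recursively swap the upstream origin for the proxy origin in a JSON document.

    A directory-rewriting proxy must do this so the client keeps talking to the
    proxy; Location and Link response headers need the same treatment.  Strings
    on other hosts (here meta.termsOfService) are left alone.
    """
    if isinstance(obj, str):
        return dst + obj[len(src):] if obj.startswith(src) else obj
    if isinstance(obj, dict):
        return {k: rewrite_urls(v, src, dst) for k, v in obj.items()}
    if isinstance(obj, list):
        return [rewrite_urls(v, src, dst) for v in obj]
    return obj


def protected_header(url: str, nonce: str, kid: str) -> str:
    """Client side: JWS protected header, base64url-encoded (RFC 8555 section 6.2)."""
    header = {"alg": "ES256", "kid": kid, "nonce": nonce, "url": url}
    return b64url(json.dumps(header, separators=(",", ":")).encode())


def check_jws_url(protected_b64: str, request_url: str) -> tuple[bool, str]:
    """Server side: the check from RFC 8555 section 6.4.

    The server MUST compare the 'url' header parameter with the URL the request
    was sent to and reject the request as unauthorized if they differ.
    """
    header = json.loads(b64url_decode(protected_b64))
    if "url" not in header:
        return False, "urn:ietf:params:acme:error:malformed"
    if header["url"] != request_url:
        return False, "urn:ietf:params:acme:error:unauthorized"
    return True, "ok"


def simulate(client_directory: dict, proxied: bool) -> tuple[bool, str]:
    """One newOrder POST.  When proxied, the proxy forwards the request to the
    upstream path, so the CA compares against its own URL, not the one the
    client signed over."""
    target = client_directory["newOrder"]
    protected = protected_header(
        target, nonce="c0nstructedN0nce", kid=f"{UPSTREAM}/acme/acct/1"  # constructed
    )
    url_seen_by_ca = rewrite_urls(target, INTERNAL, UPSTREAM) if proxied else target
    return check_jws_url(protected, url_seen_by_ca)


if __name__ == "__main__":
    print("direct :", simulate(UPSTREAM_DIRECTORY, proxied=False))
    internal_dir = rewrite_urls(UPSTREAM_DIRECTORY, UPSTREAM, INTERNAL)
    print("proxied:", simulate(internal_dir, proxied=True))
```

Because the client is the only party holding the account key, the proxy cannot re-sign the request with the upstream URL; a pass-through that works has to leave the URLs the client signs over unchanged, which is a different design from rewriting the directory.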

@TheBzking There is also GitHub - grindsa/acme2certifier: library implementing ACME server functionality which acts as an ACME proxy to other CAs (acme or not).

Your question hints at a requirement for some kind of centralization, or at least cooperative ACME client/ACME client management. There's an outside chance that the stuff planned for Certify Management Hub might have some relevance, maybe not.

4 Likes

Thank you, it's not quite what I'm looking for, but ACME2Certifier sounds like a cool project I would like to follow.

I guess in the scenario you are interested in you want to be able to use an ACME client (any/all ACME clients?) but the server it talks to does all the actual work (domain validation challenge responses etc), then at the ACME finalize step the client passes its own CSR (because the client is in charge of its own private keys) which the proxy server uses to complete the certificate order against the CA.

An alternative would be to use a central certificate renewal which pushes to a secrets vault (or it provides an API for cert download, both of which are options in Certify Management Hub), then each client periodically pulls the certificate it is entitled to using its own credentials, which you could do with a short script scheduled on each client.

2 Likes
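The "short script scheduled on each client" from the last post, written out as an added example that is not code from Certify Management Hub or any other product. The hub base URL, the per-host API path, the bearer-token file, the bundle path and the service name are all assumptions for illustration; the parts a practitioner cares about are that each host authenticates with its own credential, refuses a download that is not PEM, and only reloads the service when the bundle actually changed.

```sh
#!/bin/sh
# Added example for the "central renewal, clients pull" option; not code from
# Certify Management Hub or any other product.  HUB_URL, the API path, the
# token file, CERT_PATH and SERVICE are ASSUMPTIONS for illustration.
set -e

HUB_URL="${HUB_URL:-https://certhub.example.internal}"            # assumed hub origin
CERT_PATH="${CERT_PATH:-/etc/ssl/private/web.example.com.pem}"   # assumed cert+key bundle
TOKEN_FILE="${TOKEN_FILE:-/etc/certpull/token}"                  # assumed per-client credential
SERVICE="${SERVICE:-nginx}"                                      # assumed service to reload

# Download the bundle this host is entitled to into "$1".  The per-host token is
# what stops one client from pulling another host's certificate and key.
fetch_bundle() {
    curl -fsS --max-time 30 \
        -H "Authorization: Bearer $(cat "$TOKEN_FILE")" \
        -o "$1" "$HUB_URL/api/v1/certificate/$(hostname -f)"   # assumed API shape
}

# Install "$1" over "$2" only when the content differs.
# Returns 0 when a new bundle was installed, 1 when nothing changed.
install_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    install -m 0600 "$1" "$2"
    return 0
}

main() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_bundle "$tmp"
    # With set -e this aborts the run if the download is empty or not PEM,
    # so a bad response never replaces a working bundle.
    grep -q 'BEGIN CERTIFICATE' "$tmp"
    if install_if_changed "$tmp" "$CERT_PATH"; then
        systemctl reload "$SERVICE"
    fi
}

# Guarded so the functions can be sourced without touching the network;
# the scheduled job runs it with RUN_CERT_PULL=1.
if [ "${RUN_CERT_PULL:-0}" = 1 ]; then
    main
fi
```

Schedule it with cron or a systemd timer and RUN_CERT_PULL=1 in the environment; because the service is only reloaded on a real change, running it hourly costs nothing when the hub has not renewed anything.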