External Account Binding with the acme4j client

Hi,
I have been working with acme4j and Let’s Encrypt for a while, and everything is working well.
Now we are considering using another CA as a backup, and this CA requires External Account Binding in order to use the ACME API.

Tried to do it using the acme4j client and encountered the following exception:
“[External Account Binding] The account is not awaiting external account binding”

Any advice?

Thanks!

@shred ?

Actually, this is not an acme4j error message…

Are you using acme4j directly, or via a client tool?

When you open the directory URL of the CA in a browser, you should find a key externalAccountRequired in the meta section, which should have the value true. Otherwise the CA is not requesting External Account Binding.

1 Like

I’m using acme4j directly:

accountBuilder = new AccountBuilder()
                    .agreeToTermsOfService()
                    .withKeyIdentifier(acmeConfig.getKeyId(), acmeConfig.getEncodedHmac())
                    .useKeyPair(accountKey)

Yes, this is an error returning from the acme server.

When I open the CA’s URL from the browser I can see "externalAccountRequired": true.

I’m trying to get help from the CA’s support, and will update if I find the solution.

1 Like

The code looks good to me. Another reason could be that you are using a Session instance that is connecting to a different server (e.g. the Let’s Encrypt server). You can use Session.getServerUri() and check if the server URI is correct.

Due to tight unit tests, I am confident that the Custom Key Identifier is correctly implemented in acme4j, but it hasn’t been field tested yet (at least not that I am aware of). If there is a bug in acme4j, or if the CA needs special handling, I’ll gladly help.

3 Likes
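An added example, not part of the thread and not acme4j's code: it builds the External Account Binding object that RFC 8555 section 7.3.4 defines from a key identifier and an encoded HMAC key, then checks it the way a CA would. It shows why a binding made for one server's newAccount URL fails at another, which is the wrong-Session case raised above. The URLs, key identifier, MAC key and JWK are constructed sample values, and the MAC key is assumed to be base64url-encoded.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def eab_required(directory: dict) -> bool:
    """True if the directory's meta section demands External Account Binding."""
    return directory.get("meta", {}).get("externalAccountRequired") is True

def build_eab(kid: str, encoded_hmac: str, account_jwk: dict, new_account_url: str) -> dict:
    """Inner JWS of RFC 8555 section 7.3.4: HS256 over the account's public JWK."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": new_account_url}).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    mac = hmac.new(b64url_decode(encoded_hmac), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def verify_eab(eab: dict, encoded_hmac: str, kid: str, new_account_url: str, account_jwk: dict) -> bool:
    """CA-side check: MAC, key identifier, target URL and bound account key."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(b64url_decode(encoded_hmac), signing_input, hashlib.sha256).digest()
    header = json.loads(b64url_decode(eab["protected"]))
    return (hmac.compare_digest(expected, b64url_decode(eab["signature"]))
            and header.get("alg") == "HS256" and header.get("kid") == kid
            and header.get("url") == new_account_url
            and json.loads(b64url_decode(eab["payload"])) == account_jwk)

# Constructed sample values, not taken from any real CA.
DIRECTORY = {"newAccount": "https://ca.example/acme/new-account",
             "meta": {"externalAccountRequired": True}}
KID = "example-kid-1"
ENCODED_HMAC = b64url(b"constructed-32-byte-demo-mac-key")
ACCOUNT_JWK = {"crv": "P-256", "kty": "EC", "x": "constructed-x", "y": "constructed-y"}

def demo() -> tuple:
    eab = build_eab(KID, ENCODED_HMAC, ACCOUNT_JWK, DIRECTORY["newAccount"])
    ok = verify_eab(eab, ENCODED_HMAC, KID, DIRECTORY["newAccount"], ACCOUNT_JWK)
    # Same binding checked against another server's newAccount URL (wrong Session).
    wrong = verify_eab(eab, ENCODED_HMAC, KID, "https://other.example/acme/new-acct", ACCOUNT_JWK)
    return eab_required(DIRECTORY), ok, wrong

if __name__ == "__main__":
    print(demo())
```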