List of clients (and CAs) with RFC 8738 support?

strophy · November 30, 2020, 10:44pm

This thread seems to indicate Let's Encrypt and certbot will support RFC 8738 at some point. dehydrated.io and acme.sh do not support it yet. I have been able to verify that uacme, ACME4J and an Ansible plugin support it now, but are there any CAs (other than pebble) that currently implement this standard? I was unable to test ZeroSSL since there is no client with support for both RFC 8738 and External Account Binding (EAB). Buypass is another CA offering free certs over ACME but I got the following response while testing with uacme:

uacme: creating new order at https://api.buypass.com/acme-v02/new-order
uacme: failed to create new order at https://api.buypass.com/acme-v02/new-order
uacme: the server reported the following error:
{
    "type": "urn:ietf:params:acme:error:unsupportedIdentifier",
    "detail": "Identifier type not supported: ip",
    "code": 403,
    "message": "UNSUPPORTED_IDENTIFIER",
    "details": "HTTP 403 Forbidden"
}

Has anyone found any other compatible clients or CAs out there?

_az · December 1, 2020, 12:02am

I don't think ZeroSSL will actually issue IP certificates (at least, not via ACME):

[ ACME ] > post -body='{"identifiers":[{"type":"ip","value":1.1.1.1"}]}' https://acme.zerossl.com/v2/DV90/newOrder
2020/12/01 10:40:34 Sending HTTP POST request to "https://acme.zerossl.com/v2/DV90/newOrder"
{"type":"urn:ietf:params:acme:error:unsupportedIdentifier","status":400,"detail":"IPv4 and IPv6 identifier types are not yet supported"}

strophy · December 1, 2020, 12:11am

Cool, did you manually craft that ACME message to test it for me, or which client is this? Great to see it is the same error as Buypass, they are likely both running boulder or something similar on the backend. I was able to get ZeroSSL to issue IP certs using their REST API, so that (and possibly Buypass, which I will test) seem to be the only option to automate this at the moment?

_az · December 1, 2020, 12:15am

Yeah, I registered a ZeroSSL account using Certbot, then converted the account key from JWK to DER and imported that to acmeshell, where I manually wrote the request. You are right that it's tricky to find a client which supports everything .

That's pretty cool. I bet most people don't know that free IP certs are available.

Looks like they'd be waiting on Sectigo to add RFC8738 to their ACME server.

orangepizza · December 1, 2020, 12:49am

as currently boulder use set of FQDN for store names in database not set of identifiers, and some are hashed, I think start support other type of identifier need to alter table on 10b+ rows. or at when safely drop database and start clean. (like freeze old CA for OCSP and move to different intermediate CA)

github.com

letsencrypt/boulder/blob/main/sa/database.go

package sa

import (
	"database/sql"
	"fmt"

	"github.com/go-gorp/gorp/v3"
	"github.com/go-sql-driver/mysql"

	"github.com/letsencrypt/boulder/core"
	boulderDB "github.com/letsencrypt/boulder/db"
	blog "github.com/letsencrypt/boulder/log"
)

// NewDbMap creates a wrapped root gorp mapping object. Create one of these for
// each database schema you wish to map. Each DbMap contains a list of mapped
// tables. It automatically maps the tables for the primary parts of Boulder
// around the Storage Authority.
func NewDbMap(dbConnect string, maxOpenConns int) (*boulderDB.WrappedMap, error) {
	var err error

This file has been truncated. show original

felixf · December 1, 2020, 6:54am

The Ansible module supports both (More precisely: you need to use the acme_account module to set up the account.)

I'd doubt that ZeroSSL supports IP addresses though (which you found out by now). I would even guess that no CA (also non-ACME CAs) supports automatic IP address validation at all at the moment.

orangepizza · December 1, 2020, 7:03am

it looks like zerossl does sign certificate for ip address. and I don't think setigo runs non-automated cert on zerossl name?

_az · December 1, 2020, 7:16am

It seems that you can create IP certs both with the ZeroSSL REST API (according to strophy) and also using the web interface:

Worked okay for me (though the CNAME method shows up when it doesn't work or make sense).

felixf · December 1, 2020, 12:00pm

That's very interesting. And worrying, seeing that the certificate @orangepizza found is valid for 90 days! IMO that's way to long for an IP address (that hasn't been vetted manually). There are a lot of dial-up services where you get a new IP address every time you connect to the internet, you could use that to get hold of a large amount of certificates for IP addresses you no longer control after maybe even minutes. I hope they have some mechanism which prevents abuse at least for known dial-up IP ranges. And this is ignoring the issues with on-the-fly IP assignment for cloud providers.

(Having a short certificate life-time still has all these problems, but at least it would be limited to say 7 days, and not to 90 days.)

felixf · December 1, 2020, 12:27pm

I tried to obtain a certificate for an IPv4, an IPv6, and both addresses (i.e. three distinct requests) from ZeroSSL with ACME; every one was answered by urn:ietf:params:acme:error:unsupportedIdentifier with detail IPv4 and IPv6 identifier types are not yet supported. (I.e. same result @_az got.)

rmbolger · December 1, 2020, 8:44pm

I just added support for RFC 8738 in the 4x branch of Posh-ACME because why not. It also supports EAB.

ndilieto · December 5, 2020, 12:01pm

As you requested, I implemented EAB in uacme. Please try it when you have a minute.

strophy · December 5, 2020, 11:30pm

Thanks for the quick and high quality work @ndilieto and @rmbolger! I can confirm the current dev branch of uacme supports EAC as required by ZeroSSL, and I can now get the same error as _az above from their ACME API when attempting to use an IPv4 identifier. I'm unable to test Posh-ACME but I'm sure it works great as well, cheers guys!

ndilieto · December 6, 2020, 9:08am

You're welcome. The new EAB feature is now released in uacme 1.6

Neilpang · December 14, 2020, 5:55am

please use the acme.sh "ip" branch to test ip cert:

See: https://github.com/acmesh-official/acme.sh/wiki/ipcert

strophy · December 15, 2020, 6:40pm

I successfully created a ZeroSSL account over ACME but got the following error when trying to issue a cert. Should I use some identifier other than -d to provide an IP address instead of domain? I can't find documentation on how this is supposed to work...

strophy@X250:~/Code/acme.sh$ acme.sh --issue --server zerossl -d 71.198.220.130 -w .
[Tue 15 Dec 2020 10:32:43 PST] Using CA: https://acme.zerossl.com/v2/DV90
[Tue 15 Dec 2020 10:32:43 PST] Creating domain key
[Tue 15 Dec 2020 10:32:43 PST] The domain key is here: /home/strophy/.acme.sh/71.198.220.130/71.198.220.130.key
[Tue 15 Dec 2020 10:32:43 PST] Single domain='71.198.220.130'
[Tue 15 Dec 2020 10:32:43 PST] Getting domain auth token for each domain
[Tue 15 Dec 2020 10:32:45 PST] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"Invalid DNS identifier [71.198.220.130]"}
[Tue 15 Dec 2020 10:32:45 PST] Please add '--debug' or '--log' to check more details.
[Tue 15 Dec 2020 10:32:45 PST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

orangepizza · December 15, 2020, 8:49pm

you should use https://github.com/acmesh-official/acme.sh/tree/ip version of acme.sh, it doesn't merged to main yet.

hebbet · December 15, 2020, 8:57pm

I am using that branch and i get the same error message

orangepizza · December 15, 2020, 9:14pm

when I last checked zerossl didn't issue certificate with IP address with this error

"type":"urn:ietf:params:acme:error:unsupportedIdentifier","status":400,"
detail":"IPv4 and IPv6 identifier types are not yet supported"

Strophy's error says they got ip address in dns identifier so it's techiacally different error

Neilpang · December 16, 2020, 2:17am

zerossl doesn't support ipcert via ACME api yet.