Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Acme updates -- Allow for External Account Binding #253

Merged
merged 2 commits into from
Jan 13, 2023

Conversation

misilot
Copy link
Contributor

@misilot misilot commented Apr 21, 2022

Adds support for External Account Binding with ACME

Allows for the support of External Account Binding to request SSL Certificates through a provider that supports EAB and ACME.

Some example providers include InCommon and ZeroSSL

I also exposed the TRAEFIK_LOG_LEVEL in the sample.env instead of hiding it.

Possible test plan:

Ensure existing setups still work:

  1. Merge code
  2. remove acme directory if it already exists
  3. run make -B docker-compose.yml
  4. run make up
  5. Visit website, and ensure have an SSL cert from Let's Encrypt that is valid starting from date tested (should expire in 90 days)

Ensure new SSL Certificate from an ACME provider with an External Account Binding (EAB)works

  1. Merge code
  2. remove acme directory if it already exists
  3. Add in valid values for ACME_SERVER, ACME_EAB_KID, ACME_EAB_HMAC
  4. run make -B docker-compose.yml
  5. run make up
  6. Visit website, and ensure have an SSL cert from your SSL provider that is valid starting from date tested

For more info about EAB from Traefik please visit https://doc.traefik.io/traefik/https/acme/#external-account-binding

For some info about EAB and ACME from ZeroSSL please see https://zerossl.com/documentation/acme/ ... I have an Incommon account, so I did not look into ZeroSSL, but assuming it is a similar setup??

Related Tickets

#253 (Merged)
#252
Islandora/documentation#2096

@misilot
Copy link
Contributor Author

misilot commented May 5, 2022

Directions for testing using a ZeroSSL Account. This assumes your server is web accessible from the general internet, and a valid domain resolves. If using AWS, I assume you can use the ec2 address that is automatically provisioned without having a custom domain name.

  1. Apply patch for Acme updates -- Allow for External Account Binding #253 first.
  2. Register for Account at zerossl.com
  3. Go to https://app.zerossl.com/developer and Generate EAB credentials at bottom of page.
  4. Save KID and HMAC values
  5. Update .env file with the following values ACME_EAB_KID=, ACME_EAB_HMAC=, DOMAIN=, and ACME_SERVER=https://acme.zerossl.com/v2/DV90
  6. Run make -B docker-compose.yml
  7. Run make up
  8. Go to website and verify you have a valid SSL certificate issues from ZeroSSL.

@misilot misilot force-pushed the acme-updates branch 2 times, most recently from d072ce8 to 4f51e3b Compare May 17, 2022 21:46
@misilot misilot force-pushed the acme-updates branch 2 times, most recently from e4cdcdd to 9106f8e Compare June 1, 2022 17:23
@DonRichards
Copy link
Member

Having difficulty registering a domain with zerossl.com

Allows for the support of External Account Binding to request SSL
Certificates through a provider that supports EAB and ACME.

Add's support for specifying the Key Type via the ACME_KEY_TYPE
variable. Defaults to RSA4096 (Traefik's Default)

Some example providers include InCommon and ZeroSSL
Instead of hiding it in the documentation and in the
docker-compose.acme.yml and docker-compose.traefik.yml files, adding it
to the sample.env file
@misilot
Copy link
Contributor Author

misilot commented Dec 1, 2022

Just curious if there is any chance of getting this merged "as-is", since it should be a no-op for those that don't use it?

@DonRichards DonRichards merged commit 3b0a730 into Islandora-Devops:development Jan 13, 2023
@misilot
Copy link
Contributor Author

misilot commented Jan 13, 2023

Thank you @DonRichards!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants