Management hub and acme.sh

hello
I'm very interested in the management hub functionality,
however I'm a bit lost on how to set it up.
I'm trying to use it with acme.sh but it seems I can't find how to configure acme.sh to use the management hub,
or even how to set up any other client to use the management hub.

do you have any examples on this?

Can you elaborate on what you are trying to get it to do and how far you’ve got?

There’s quite a few combinations possible:

  • Just using Management Hub on its own as a certificate manager (not using acme.sh)
  • Using Management Hub with Certify Management Agent installed on another machine (this provides the “glue” back to the hub and can also experimentally provide basic reporting on acme.sh renewals etc).
  • Using the Management Hub on the same machine where acme.sh is installed.
  • Using management hub as an ACME server with your chosen acme client (experimental)

it's the last option we are interested in.
we have quite a lot of servers that run acme.sh with some customized deploy hooks, but we do not want to give them all access to our DNS server.
so we are looking into a way to use acme.sh but point it towards something internal.
is a setup like this possible with the management hub? and how would one set up something like this?

Yes, our most recent release has an experimental ACME server as part of the API, to use that:

  • first set up a managed challenge configuration for your domain(s); you can test that by ordering a cert directly on the hub
  • configure EAB credentials in the hub for your client to use (each set is one-time-use, so you can for instance name them after the servers that will use them)
  • configure your ACME client of choice with `https://<your hub API url>/acme/directory` as the CA, using the EAB credentials
  • When you perform an order in your acme client, the hub will perform an order in the background for a temporary managed certificate, answering DNS challenges that match the managed challenges, then finalize the order using the CSR provided by your client. It then lets the client download the final cert and disposes of the temporary managed certificate in the hub.

In addition we plan to eventually offer Managed Challenge plugins/scripts for popular acme clients so they can directly use the "managed challenge" feature (so still order their cert directly from the CA, but have the hub perform DNS challenges on their behalf).

For some clients like acme.sh this involves either having a patch approved for the official acme.sh repository, or using a custom DNS challenge script.

Based on DNS API Dev Guide · acmesh-official/acme.sh Wiki · GitHub that looks quite easy, so if you get your hub set up and managed challenges working and want to test using managed challenges, let us know and we can give you a managed challenge DNS script to test.

I have been able to register my acme.sh as a client.
so yes, very interested in the DNS script.
so if you could provide the script we will test it


Thanks, if acme.sh is registered as client for the hub ACME service then you can go ahead and try to issue certificates via that.

The DNS script is only needed to directly use managed challenges in the hub (when not using the hub as an ACME server) but I'll let you know when that has been developed also.

so the registration works.
then in acme.sh I request a cert.
this request I can find in the hub but it gives the following error in the hub:

Certificate request paused, waiting for custom CSR to be provided using finalize.

when I select request certificate in the hub I then get the following error:

A certificate order requires one or more identifiers/domains to be included on the certificate.

also I think acme.sh requires some kind of validation method

looking at the doc: Managed Challenges | Certify The Web Docs
I should select DNS validation but I don't know what's required there

I also tried with the Certify certificate manager and adding the hub as a CA, but there it fails to register the contact with: failed to register account with certificate authority : object reference not set to an instance of an object

Start by following this guide to get a cert using the hub only:

Once that works you can setup a managed challenge (with the domain match rule set e.g. *.yourdomain.com) using the same DNS credentials you used in the first certificate.

What you’re aiming to do involves lots of moving parts so get a basic cert working in the hub first.

ok
so what works now:
I can request a cert in the hub using the managed challenge, and this works.
so indeed lots of moving parts.

so I can request a cert using acme.sh using the ACME directory in the hub.
acme.sh requires a DNS validation.
so what I need next I think is a DNS plugin for acme.sh that calls the managed challenge API

Have you tried setting up a managed challenge config in the hub for your domain? It’s much the same as the DNS authorization config in a managed certificate in the hub, but it’s designed to be shared.

If so, the acme.sh request against the hub should use that managed challenge automatically. If it's not doing that and you think it should be, we'd need to know the configuration etc. so we can replicate the problem; ideally we'd get a copy of all the logs. Are you hosting the hub on Windows or Linux?

Just as an aside, you're probably the only person in the world outside of our organisation who has used the new ACME service feature (that I've heard about), so it's impressive you've gotten this far.

I can provide logs & config, but prefer to send them in private. is there a way to send a direct message or email?
I can elaborate more on our use case

Yes, please send an email with the details to support at certifytheweb.com and I’ll see that there.