Using other server than LE

pkiguy · July 13, 2018, 1:08pm

Hello,

Would it be possible to support other servers than Let’s Encrypt, but still using ACME protocol?
It would be interesting either for supporting other free CAs such as (Censored by forum members), or to support private instances of Boulder.

From what i understand, it should be fairly easy by modifying:

github.com

webprofusion/certify/blob/development/src/Certify.Providers/ACME/Certes/CertesACMEProvider.cs

using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Certes;
using Certes.Acme;
using Certes.Acme.Resource;
using Certes.Jws;
using Certify.Models;
using Certify.Models.Config;
using Certify.Models.Plugins;
using Certify.Models.Providers;
using Org.BouncyCastle.Crypto.Digests;

namespace Certify.Providers.Certes
{

This file has been truncated. show original

and adding optional possibility to retrieve it e.g. from Windows registry.

Thanks for considering this!

webprofusion · July 14, 2018, 1:20am

Hi, absolutely! I’d love to support more CAs. The request process changed in a few key ways between ACME v1 and v2 and we could probably only support v2 but yes it would be great if we had more CA options.

It’s probably not quite as simple as just changing the API endpoint as each provider doubtless has variation regarding payment/account registration etc but if they are a big enough CA (and likely to stick around) then we’d just build UI to handle that.

It would also be great if renewal errors against LE could automatically fall back to another provider.

pkiguy · July 14, 2018, 9:14am

Actually, it is almost as simple as changing the API endpoint, at least for the examples i’ve given:

(Censored by forum members) ACME connector behaves completely like LE, at least when seen from Certbot. Rates limits are different, but that will only trigger errors on rare occasions, and i don’t think it’s CertifyTheWeb’s responsibility to handle them: CTW should only display them, and let the user decide what to do.
private instances of Boulder will also behave like LE

The only caveat is that Certes embeds LE certificates, you need to call .AddIssuers before retrieving the certificate. See the issuer option there: https://github.com/fszlin/certes/blob/master/src/Certes.Cli/Commands/CertificatePfxCommand.cs

pkiguy · July 15, 2018, 9:42am

I submitted a tentative patch for it, issue #339

pkiguy · July 15, 2018, 11:30am

My posts were flagged as “SPAM”. I don’t understand why… Maybe someone could explain?

webprofusion · July 16, 2018, 3:29am

Hi, the forum app is Discourse and new users apparently get their posts flagged if spam if they link to the same site a few times (github). Unflagged those now.