xo-server fix: Update acme-client npm and introduce support for External Account Binding (EAB) #7884

Open
MrGrymReaper opened this issue Jul 30, 2024 · 0 comments

Comments

@MrGrymReaper
Contributor

MrGrymReaper commented Jul 30, 2024

Are you using XOA or XO from the sources?

XOA

Which release channel?

latest

Provide your commit number

No response

Describe the bug

The integration of acme-client allows for support of Let's Encrypt and other providers. However, one of those other providers (ZeroSSL) has recently been requiring External Account Binding (EAB) of its users.

Without the support of EAB it's unable to issue or renew certificates, and attempts to do so result in an error in a log as well as an incomplete certificate.

https://zerossl.com/documentation/acme/

Error message

Jul 29 15:33:59 xoa xo-server[3893]: 2024-07-29T19:33:59.287Z xo:mixins:sslCertificate WARN couldn't renew ssl certificate {
Jul 29 15:33:59 xoa xo-server[3893]:   acmeDomain: 'www.mydomain.com',
Jul 29 15:33:59 xoa xo-server[3893]:   error: Error: The request must include a value for the "externalAccountBinding" field

To reproduce

  1. Deploy the latest master or XOA on latest update of the "Latest Channel"
  2. Configure and enable the Let's Encrypt (acme-client). For configuring the provider select "zerossl/production".
  3. Attempt to obtain or renew a certificate
  4. Check the log journal of the XOA looking for the above error

Expected behavior

The expected behaviour of the integration when using ZeroSSL is for it to be able to request or renew a TLS certificate without any errors about External Account Binding details.

Screenshots

No response

Node

20.16.0

Hypervisor

XCP-ng 8.2.1

Additional context

This issue will hit all users of Xen Orchestra's integration of acme-client and the ZeroSSL Certificate Authority. The issue can be corrected by updating the acme-client npm to version 5.4.0 and introducing support in the configuration file and/or in the integration plugin for specifying the EAB credentials.

The issue is related to the following post on the forums: https://xcp-ng.org/forum/topic/9433/xoa-letsencrpyt-module-not-setting-acmedomain/13

@MrGrymReaper MrGrymReaper changed the title Update acme-client npm and introduce support for External Account Binding (EAB) xo-server fix: Update acme-client npm and introduce support for External Account Binding (EAB) Jul 30, 2024
@julien-f julien-f self-assigned this Aug 9, 2024
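
For context on the field named in the error message above, this is an added example (not part of the issue, and not Xen Orchestra or acme-client code) of how an ACME client builds the `externalAccountBinding` object defined in RFC 8555 section 7.3.4 from CA-issued EAB credentials. The function names, key ID, HMAC key and URL are constructed for illustration.

```javascript
// Added illustration (not Xen Orchestra or acme-client code): builds the
// "externalAccountBinding" object of RFC 8555 section 7.3.4 with Node's crypto.
const crypto = require('node:crypto');

const b64url = (input) => Buffer.from(input).toString('base64url');

// kid and hmacKey are the EAB credentials issued by the CA; hmacKey is base64url text.
function buildExternalAccountBinding({ kid, hmacKey, accountJwk, newAccountUrl }) {
  if (!kid || !hmacKey) {
    throw new Error('EAB credentials (kid and hmacKey) are required by this CA');
  }
  // Protected header: MAC algorithm, CA-issued key id, newAccount URL. No nonce.
  const protectedB64 = b64url(JSON.stringify({ alg: 'HS256', kid, url: newAccountUrl }));
  // Payload: the public JWK of the ACME account key being bound to the CA account.
  const payloadB64 = b64url(JSON.stringify(accountJwk));
  const signature = crypto
    .createHmac('sha256', Buffer.from(hmacKey, 'base64url'))
    .update(`${protectedB64}.${payloadB64}`)
    .digest('base64url');
  return { protected: protectedB64, payload: payloadB64, signature };
}

// CA-side view: recompute the MAC and compare in constant time.
function verifyExternalAccountBinding(eab, hmacKey) {
  const expected = crypto
    .createHmac('sha256', Buffer.from(hmacKey, 'base64url'))
    .update(`${eab.protected}.${eab.payload}`)
    .digest();
  const given = Buffer.from(eab.signature, 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample values; real ones come from the CA account that issued them.
const sample = {
  kid: 'example-eab-kid',
  hmacKey: b64url(crypto.randomBytes(32)),
  accountJwk: crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' })
    .publicKey.export({ format: 'jwk' }),
  newAccountUrl: 'https://acme.example.test/new-account',
};
const eab = buildExternalAccountBinding(sample);
// The newAccount payload a CA requiring EAB expects to receive.
console.log(JSON.stringify({ termsOfServiceAgreed: true, externalAccountBinding: eab }, null, 2));
```

The HMAC key is a long-lived secret tied to the CA account, so it belongs in protected configuration rather than in logs or issue reports.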