The integration of acme-client allows for support of Let's Encrypt and other providers. However, one of those other providers (ZeroSSL) has recently been requiring External Account Binding (EAB) of its users.
Without the support of EAB it's unable to issue or renew certificates, and attempts to do so result in an error in a log as well as an incomplete certificate.
Jul 29 15:33:59 xoa xo-server[3893]: 2024-07-29T19:33:59.287Z xo:mixins:sslCertificate WARN couldn't renew ssl certificate {
Jul 29 15:33:59 xoa xo-server[3893]: acmeDomain: 'www.mydomain.com',
Jul 29 15:33:59 xoa xo-server[3893]: error: Error: The request must include a value for the "externalAccountBinding" field
To reproduce
Deploy the latest master or XOA on latest update of the "Latest Channel"
Configure and enable the Let's Encrypt (acme-client). For configuring the provider select "zerossl/production".
Attempt to obtain or renew a certificate
Check the log journal of the XOA looking for the above error
Expected behavior
The expected behaviour of the integration when using ZeroSSL is for it to be able to request or renew a TLS certificate without any errors about External Account Binding details.
Screenshots
No response
Node
20.16.0
Hypervisor
XCP-ng 8.2.1
Additional context
This issue will hit all users of Xen Orchestra's integration of acme-client and the ZeroSSL Certificate Authority. The issue can be corrected by updating the acme-client npm to version 5.4.0 and introducing support, in the configuration file and/or in the integration plugin, for specifying the EAB credentials.
MrGrymReaper changed the title from "Update acme-client npm and introduce support for External Account Binding (EAB)" to "xo-server fix: Update acme-client npm and introduce support for External Account Binding (EAB)" on Jul 30, 2024
Are you using XOA or XO from the sources?
XOA
Which release channel?
latest
Provide your commit number
No response
Describe the bug
https://zerossl.com/documentation/acme/
The issue is related to the following post on the forums: https://xcp-ng.org/forum/topic/9433/xoa-letsencrpyt-module-not-setting-acmedomain/13
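For readers unfamiliar with the field named in the error above: the following added example (not code from xo-server, acme-client or the issue author) builds the "externalAccountBinding" JWS as RFC 8555 section 7.3.4 defines it and runs the checks a CA applies to it. The key ID, HMAC key and newAccount URL are constructed placeholders, and HS256 is assumed as the MAC algorithm.

```javascript
// Added example: the "externalAccountBinding" JWS of RFC 8555 section 7.3.4,
// built with Node's standard library only. All sample values are constructed.
const nodeCrypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');
const fromB64url = (text) => Buffer.from(text, 'base64url');
// Key-order-independent form of a JWK, used to compare two public keys.
const canonicalJwk = (jwk) => JSON.stringify(Object.keys(jwk).sort().map((k) => [k, jwk[k]]));

// Client side: MAC the ACME account public key with the CA-issued EAB secret.
function buildExternalAccountBinding(accountJwk, kid, hmacKey, newAccountUrl) {
  // Inner protected header: MAC algorithm, CA-issued key id, newAccount URL.
  // RFC 8555 says this inner JWS must not carry a nonce.
  const protectedHeader = b64url(JSON.stringify({ alg: 'HS256', kid, url: newAccountUrl }));
  const payload = b64url(JSON.stringify(accountJwk));
  const signature = nodeCrypto.createHmac('sha256', fromB64url(hmacKey))
    .update(`${protectedHeader}.${payload}`).digest('base64url');
  return { protected: protectedHeader, payload, signature };
}

// CA side (the CA would look hmacKey up by the header's kid; passed in here).
function verifyExternalAccountBinding(eab, outerJwk, hmacKey, newAccountUrl) {
  const header = JSON.parse(fromB64url(eab.protected).toString('utf8'));
  if (header.alg !== 'HS256' || header.url !== newAccountUrl || 'nonce' in header) return false;
  // The bound key must be the key that signs the outer newAccount request.
  const boundJwk = JSON.parse(fromB64url(eab.payload).toString('utf8'));
  if (canonicalJwk(boundJwk) !== canonicalJwk(outerJwk)) return false;
  const expected = nodeCrypto.createHmac('sha256', fromB64url(hmacKey))
    .update(`${eab.protected}.${eab.payload}`).digest();
  const given = fromB64url(eab.signature);
  return given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
}

// Constructed sample values: not real ZeroSSL credentials or endpoints.
const SAMPLE_KID = 'example-eab-kid';
const SAMPLE_HMAC_KEY = b64url(nodeCrypto.randomBytes(32));
const SAMPLE_NEW_ACCOUNT_URL = 'https://acme.example/newAccount';
const newAccountJwk = () =>
  nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }).publicKey.export({ format: 'jwk' });

const accountJwk = newAccountJwk();
// This object is the value of the "externalAccountBinding" field in newAccount.
const eab = buildExternalAccountBinding(accountJwk, SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_NEW_ACCOUNT_URL);
console.log(JSON.stringify({ termsOfServiceAgreed: true, externalAccountBinding: eab }, null, 2));
console.log('accepted:',
  verifyExternalAccountBinding(eab, accountJwk, SAMPLE_HMAC_KEY, SAMPLE_NEW_ACCOUNT_URL));
```

Because the HMAC key authenticates the account holder to the CA, a configuration option that stores it should be treated like any other secret: kept out of logs and readable only by the service account.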