Custom ACME endpoint with authentication?

1. My Caddy version (caddy version):

v1.0.3

2. How I run Caddy:

a. System environment:

LSB Version:	:core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID:	CentOS
Description:	CentOS Linux release 7.7.1908 (Core)
Release:	7.7.1908
Codename:	Core

b. Command:

caddy -conf /path/to/caddy.conf

c. Service/unit/compose file:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          caddy
# Required-Start:    $local_fs $network $named $time $syslog
# Required-Stop:     $local_fs $network $named $time $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the caddy web server
# Description:       starts caddy using start-stop-daemon
### END INIT INFO

# Original Author: Frédéric Galusik (fredg)
# Maintainer: Daniel van Dorp (djvdorp)

DESC="the caddy web server"
NAME=caddy
DAEMON=/usr/local/bin/caddy

DAEMONUSER=www-data
PIDFILE=/var/run/$NAME.pid
LOGFILE=/var/log/$NAME.log
CONFIGFILE=/etc/caddy/Caddyfile

USERBIND="setcap cap_net_bind_service=+ep"
STOP_SCHEDULE="${STOP_SCHEDULE:-QUIT/5/TERM/5/KILL/5}"
CADDYPATH=/etc/ssl/caddy
ULIMIT=8192

test -x $DAEMON || exit 0

# allow overwriting variables
#   Debian based
[ -e "/etc/default/caddy" ] && . /etc/default/caddy
#   CentOS based
[ -e "/etc/sysconfig/caddy" ] && . /etc/sysconfig/caddy

if [ -z "$DAEMONOPTS" ]; then
    # daemon options
    DAEMONOPTS="-agree=true -log=$LOGFILE -conf=$CONFIGFILE"
fi

# Set the CADDYPATH; Let's Encrypt certificates will be written to this directory.
export CADDYPATH

# Set the ulimits
ulimit -n ${ULIMIT}


start() {
    $USERBIND $DAEMON
    touch $LOGFILE && chown $DAEMONUSER $LOGFILE
    start-stop-daemon --start --quiet --make-pidfile --pidfile $PIDFILE \
        --background --chuid $DAEMONUSER --oknodo --exec $DAEMON -- $DAEMONOPTS
}

stop() {
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --retry=$STOP_SCHEDULE \
        --name $NAME --oknodo
    rm -f $PIDFILE
}

reload() {
    start-stop-daemon --stop --quiet --signal USR1 --pidfile $PIDFILE \
        --name $NAME
}

status() {
    if [ -f $PIDFILE ]; then
        if kill -0 $(cat "$PIDFILE"); then
            echo "$NAME is running"
        else
            echo "$NAME process is dead, but pidfile exists"
        fi
    else
        echo "$NAME is not running"
    fi
}

case "$1" in
    start)
        echo "Starting $NAME"
        start
    ;;
    stop)
        echo "Stopping $NAME"
        stop
    ;;
    restart)
        echo "Restarting $NAME"
        stop
        start
    ;;
    reload)
        echo "Reloading $NAME configuration"
        reload
    ;;
    status)
        status
    ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 2
    ;;
esac

exit 0

d. My complete Caddyfile or JSON config:

<redacted> {
	gzip
	root <redacted>
	browse
	tls {
		clients "/var/www/certs/<redacted>.pem"
		ca <redacted | acme endpoint url>
	}
	log /var/log/caddy.access.log {
		rotate_size 10
		rotate_keep 3
		rotate_compress
	}
	errors /var/log/caddy.errors.log {
		rotate_size 10
		rotate_keep 3
		rotate_compress
	}
}

3. The problem I’m having:

I’m trying to use the ACME endpoint from our certificate provider Sectigo.

4. Error messages and/or full log output:

Activating privacy features... 
Your sites will be served over HTTPS automatically using Let's Encrypt.
By continuing, you agree to the Let's Encrypt Subscriber Agreement at:
  https://secure.trust-provider.com/repository/docs/Legacy/20181101_CertificateSubscriberAgreement_v_2_1_click.html
Please enter your email address to signify agreement and to be notified
in case of issues. You can leave it blank, but we don't recommend it.
  Email address: <redacted>        
2020/03/31 12:37:18 [INFO] acme: Registering account for <redacted>
2020/03/31 12:37:18 [INFO] acme: Registering account for <redacted>
2020/03/31 12:37:18 [INFO] acme: Registering account for <redacted>
2020/03/31 12:37:18 registration error: acme: error: 0 :: POST :: https://acme.sectigo.com/v2/OV/newAccount :: urn:ietf:params:acme:error:externalAccountRequired :: The request must include a value for the "externalAccountBinding" field, url: 

5. What I already tried:

I haven’t tried so many different things yet. I have an account ID and an HMAC key that I suppose I should use for some kind of authentication with the ACME endpoint, but I have no idea how to provide these bits of information with Caddy. Anyone got any insight into an issue like this?
Thanks!


You’re the first request we’ve had for this! I’ll see about implementing this – no guarantee on timeline though. Would you be willing to try experimental builds of Caddy 2 with this feature?

@adlib Actually this was easier than I thought. Will you please give it a try? This commit will have build artifacts you can download momentarily: caddytls: Add support for externalAccountBinding ACME extension · caddyserver/caddy@9fb0b1e · GitHub

This is Caddy v2. You’ll have to use the JSON config to specify your key ID and hmac for now. It’s very easy to add this; in your acme issuer module, simply add this field:

"external_account": {
    "key_id": "",
    "hmac": ""
}

but with your key ID and base64-encoded HMAC filled in, of course.

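For anyone wondering what the key ID and HMAC key actually do on the wire: this is an added example, not code from Caddy or from the linked commit. It builds and checks the `externalAccountBinding` JWS that RFC 8555 section 7.3.4 requires in the newAccount request, which is exactly what the Sectigo error above is complaining is missing. The protected header carries `alg: HS256`, `kid` set to the CA's key ID and `url` set to the newAccount endpoint (no nonce, no jwk); the payload is the ACME account public key as a JWK; the signature is an HMAC-SHA256 under the base64url-decoded MAC key. The key ID, MAC key and JWK below are constructed placeholders (the JWK is not a valid EC point), and the newAccount URL is the one from the log output in this thread. `VerifyEAB` stands in for the CA side, with a map in place of the CA's credential database.

```go
// Added example (not Caddy's code): build and verify an ACME
// externalAccountBinding JWS (RFC 8555 section 7.3.4).
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// EAB is the "externalAccountBinding" member of a newAccount request:
// a JWS in flattened JSON serialization.
type EAB struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// hs256 computes HMAC-SHA256 over the JWS signing input "protected.payload".
func hs256(key []byte, protected, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(protected + "." + payload))
	return m.Sum(nil)
}

// BuildEAB is the client side. keyID and macKeyB64 are the two values the CA
// hands out (the "account ID" and base64url-encoded HMAC key from the post);
// accountJWK is the JSON of the ACME account public key being bound;
// newAccountURL is the CA's newAccount endpoint.
func BuildEAB(keyID, macKeyB64, newAccountURL string, accountJWK []byte) (*EAB, error) {
	macKey, err := b64.DecodeString(macKeyB64)
	if err != nil {
		return nil, fmt.Errorf("mac key is not base64url: %w", err)
	}
	// Protected header: HS256, kid = CA key ID, url = newAccount URL.
	// Unlike other ACME JWS, the EAB carries no "nonce" and no "jwk".
	hdr, err := json.Marshal(map[string]string{"alg": "HS256", "kid": keyID, "url": newAccountURL})
	if err != nil {
		return nil, err
	}
	protected := b64.EncodeToString(hdr)
	payload := b64.EncodeToString(accountJWK)
	sig := b64.EncodeToString(hs256(macKey, protected, payload))
	return &EAB{Protected: protected, Payload: payload, Signature: sig}, nil
}

// VerifyEAB is the CA side: look up the MAC key by kid, check alg and url,
// recompute the HMAC in constant time, and confirm the bound key is the same
// key that signed the outer newAccount request. macKeys stands in for the
// CA's database of issued EAB credentials.
func VerifyEAB(e *EAB, macKeys map[string][]byte, newAccountURL string, accountJWK []byte) error {
	hdrBytes, err := b64.DecodeString(e.Protected)
	if err != nil {
		return fmt.Errorf("protected header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
		URL string `json:"url"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return fmt.Errorf("protected header: %w", err)
	}
	if hdr.Alg != "HS256" {
		return errors.New("unsupported alg: " + hdr.Alg)
	}
	if hdr.URL != newAccountURL {
		return errors.New("url mismatch")
	}
	key, ok := macKeys[hdr.Kid]
	if !ok {
		return errors.New("unknown kid")
	}
	sig, err := b64.DecodeString(e.Signature)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if !hmac.Equal(sig, hs256(key, e.Protected, e.Payload)) {
		return errors.New("bad MAC")
	}
	payload, err := b64.DecodeString(e.Payload)
	if err != nil {
		return fmt.Errorf("payload: %w", err)
	}
	// A real CA compares JWK thumbprints; byte equality is enough here because
	// both sides use the same serialization.
	if !bytes.Equal(payload, accountJWK) {
		return errors.New("bound key does not match account key")
	}
	return nil
}

func main() {
	// Constructed sample credentials; not real Sectigo values.
	keyID := "example-eab-kid"
	macKey := []byte("constructed-hmac-key-for-the-demo")
	url := "https://acme.sectigo.com/v2/OV/newAccount"
	jwk := []byte(`{"crv":"P-256","kty":"EC","x":"constructed-x","y":"constructed-y"}`) // placeholder, not a valid point
	eab, err := BuildEAB(keyID, b64.EncodeToString(macKey), url, jwk)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(eab, "", "  ")
	fmt.Println(string(out))
	fmt.Println("verify:", VerifyEAB(eab, map[string][]byte{keyID: macKey}, url, jwk))
}
```

Two practical points follow from this. The MAC key goes into the config exactly as the CA issued it, base64url-encoded, because the client decodes it before keying the HMAC; pasting a hex or already-decoded value produces a "bad MAC"-style rejection from the CA rather than a local error. And since the key is what ties certificate issuance to your CA account, treat the Caddy config that holds it as a secret (file permissions, no copies in tickets or logs). Later Caddy releases renamed the `hmac` field to `mac_key`, so check the docs for the version you run.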

Interesting, and thanks for your reply! I wasn’t expecting to be the first :)
I’ve been using v1 for quite a while and grown accustomed to it to such a degree that I’ve put off looking into v2, which I understand is a major improvement, but also quite different in its codebase.
I’ll look into testing these things with v2 instead, since I guess there isn’t much motivating the required code changes in v1 :P
Thanks again!

Also, is the latest pre-release build (v2.0.0-beta.20) incorporated with these changes? Or am I forced to build something myself?
Sorry, I’m a little new to this.

beta 20 does not have that code. Instead, you can go to the linked commit, click on the green checkmark next to the commit message, and click details. This will bring you to the CI run. From there you can download the build artifacts, i.e. a build of Caddy at that commit.

Edit: If clicking the checkmark doesn’t work for you (could’ve sworn it worked on desktop but it didn’t work for me just now on mobile), the direct link to the CI run is caddytls: Add support for externalAccountBinding ACME extension · caddyserver/caddy@9fb0b1e · GitHub

