Support getting certificates from buypass.com #515
@timkimber I am still waiting for buypass support! @fds242 Is your solution still working? Can you perhaps share a link to your /directory mirror?
With its ACMEv2 support, getssl is already most of the way there to work with buypass.com, another CA supporting ACME and free certificates. While Let's Encrypt has proven very reliable, it never hurts to have a backup, does it?
Changing only a few things around I was able to make it work.
There are three issues.
A) Buypass's /directory JSON is not pretty-printed like Let's Encrypt's, it's all in one line.
Either the true JSON parsing code should be used for gathering the API endpoints, or maybe just auto-inserting a line break after any comma would do, before it gets to grep.
B) Their directory lists both ACMEv1 and ACMEv2 endpoints at the same time, but getssl really only functions with their v2 API. Unfortunately, currently when getssl sees both ACMEv2 and ACMEv1 available, it prefers v1. I believe that preference should be reversed regardless of CA.
C) Once your account has been registered, buypass's newAccount endpoint doesn't return a body. That's okay because all the necessary information was in the HTTP headers; however, there's an unnecessary check to refuse an empty body that stops getssl from proceeding. Had to remove that `error_exit "ERROR curl \"$url\" returned nothing"` check. Is this now occurring with Let's Encrypt too, as #511 seems to imply?

To work around A) and B) I simply mirrored their /directory onto my server, added line breaks, and removed the ACMEv1 endpoints, and finally pointed getssl at my edited copy instead.
```json
{
  "meta": {
    "website": "https://buypass.com/",
    "caa-identities": [ "buypass.com" ],
    "terms-of-service": "https://api.buypass.com/acme/terms/750"
  },
  "newNonce": "https://api.buypass.com/acme-v02/new-nonce",
  "newAccount": "https://api.buypass.com/acme-v02/new-acct",
  "newAuthz": "https://api.buypass.com/acme-v02/new-authz",
  "newOrder": "https://api.buypass.com/acme-v02/new-order",
  "revokeCert": "https://api.buypass.com/acme-v02/revoke-cert",
  "keyChange": "https://api.buypass.com/acme-v02/key-change"
}
```
That's really all that was required to make getting a free certificate from buypass with the current version of getssl work.
Beyond that, you only need to make sure you stay within buypass's stricter limitations. Only one domain per certificate (don't add a list of SANs, get separate certs). Plus if you want an EC cert, the algo must be `prime256v1`. They don't support `secp384r1` like Let's Encrypt does.
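The three points above (one-line directory JSON, v2-before-v1 endpoint preference, and an empty newAccount body that still carries everything in its headers) can be handled in a few POSIX shell functions. The block below is an added example written for this issue, not code from getssl itself. It assumes: the Buypass directory from the post, re-joined onto one line with the ACMEv1 key names (`new-reg`, `new-authz`, `new-cert`) added back to mimic a CA that advertises both protocol versions; a second, pretty-printed v1-only directory for `ca.example`; and a constructed newAccount response. All sample data is constructed; only the Buypass v2 URLs come from the post. It goes slightly beyond the post by working on both pretty-printed and single-line directories.

```shell
#!/bin/sh
# Added example (not getssl's own code): parse an ACME /directory document
# whether it is pretty-printed (Let's Encrypt style) or a single line
# (Buypass style), prefer ACMEv2 keys over ACMEv1 keys, and accept an empty
# response body when the headers already carry what is needed.

# Constructed sample: the Buypass v2 directory from the issue, joined onto one
# line, plus hypothetical ACMEv1-style keys so both versions are advertised.
BUYPASS_DIR='{"meta":{"website":"https://buypass.com/","caa-identities":["buypass.com"],"terms-of-service":"https://api.buypass.com/acme/terms/750"},"new-reg":"https://api.buypass.com/acme/new-reg","new-authz":"https://api.buypass.com/acme/new-authz","new-cert":"https://api.buypass.com/acme/new-cert","newNonce":"https://api.buypass.com/acme-v02/new-nonce","newAccount":"https://api.buypass.com/acme-v02/new-acct","newAuthz":"https://api.buypass.com/acme-v02/new-authz","newOrder":"https://api.buypass.com/acme-v02/new-order","revokeCert":"https://api.buypass.com/acme-v02/revoke-cert","keyChange":"https://api.buypass.com/acme-v02/key-change"}'

# Constructed sample: a pretty-printed directory that only offers ACMEv1.
V1_ONLY_DIR='{
  "new-reg": "https://ca.example/acme/new-reg",
  "new-authz": "https://ca.example/acme/new-authz",
  "new-cert": "https://ca.example/acme/new-cert"
}'

# Constructed sample: newAccount response for an already-registered key, as
# described in the issue: useful headers, empty body.
EMPTY_BODY_HEADERS='HTTP/1.1 200 OK
Location: https://api.buypass.com/acme-v02/acct/123456
Replay-Nonce: constructed-nonce-value
Content-Length: 0'

# normalize_json: put one key/value pair per line so grep-based extraction
# works on both layouts. Breaking on commas and braces is safe here because
# ACME endpoint URLs contain neither character.
normalize_json() {
  printf '%s\n' "$1" | tr ',{' '\n\n'
}

# directory_value KEY JSON: print the URL stored under KEY, or nothing.
# The quotes around KEY keep "new-authz" from matching the newAuthz URL.
directory_value() {
  normalize_json "$2" | grep "\"$1\"" | head -n 1 \
    | sed 's/.*"'"$1"'" *: *"\([^"]*\)".*/\1/'
}

# acme_version JSON: 2 if a v2 newAccount key exists, 1 if only v1 new-reg,
# 0 if neither. This reverses the v1-first preference the issue describes.
acme_version() {
  if [ -n "$(directory_value newAccount "$1")" ]; then
    echo 2
  elif [ -n "$(directory_value new-reg "$1")" ]; then
    echo 1
  else
    echo 0
  fi
}

# acme_endpoint V2KEY V1KEY JSON: resolve the v2 endpoint, falling back to
# the v1 key only when the directory has no v2 entry for it.
acme_endpoint() {
  url=$(directory_value "$1" "$3")
  [ -n "$url" ] || url=$(directory_value "$2" "$3")
  printf '%s\n' "$url"
}

# response_usable HEADERS BODY: succeed if the body is non-empty or, as with
# Buypass's newAccount for an existing account, the headers carry the account
# URL in a Location header. Replaces a blanket "returned nothing" abort.
response_usable() {
  [ -n "$2" ] && return 0
  printf '%s\n' "$1" | grep -qi '^Location: '
}

# Stand-alone run: show what a getssl-style client would pick for Buypass.
echo "ACME version: $(acme_version "$BUYPASS_DIR")"
echo "newAccount:   $(acme_endpoint newAccount new-reg "$BUYPASS_DIR")"
echo "newAuthz:     $(acme_endpoint newAuthz new-authz "$BUYPASS_DIR")"
```

Running it prints version 2 and the `acme-v02` URLs for Buypass even though the v1 keys are present; pointed at the v1-only sample it falls back to the `acme/` URLs. The `Content-Length: 0` response is accepted because of its `Location` header, which is the case point C) describes.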