Support getting certificates from buypass.com #515

Open
fds242 opened this issue Feb 21, 2020 · 2 comments
fds242 commented Feb 21, 2020

With its ACMEv2 support, getssl is already most of the way there to work with buypass.com, another CA supporting ACME and free certificates. While Let's Encrypt has proven very reliable, it never hurts to have a backup, does it?

Changing only a few things around I was able to make it work.
There are three issues.

A) Buypass's /directory JSON is not pretty-printed like Let's Encrypt's, it's all in one line.
Either the true JSON parsing code should be used for gathering the API endpoints, or maybe just auto-inserting a line break after any comma would do, before it gets to grep.

B) Their directory lists both ACMEv1 and ACMEv2 endpoints at the same time, but getssl really only functions with their v2 API. Unfortunately, currently when getssl sees both ACMEv2 and ACMEv1 available, it prefers v1. I believe that preference should be reversed regardless of CA.

C) Once your account has been registered, buypass's newAccount endpoint doesn't return a body. That's okay because all the necessary information was in the HTTP headers; however, there's an unnecessary check that refuses an empty body and stops getssl from proceeding. I had to remove that `error_exit "ERROR curl \"$url\" returned nothing"` check. Is this now occurring with Let's Encrypt too, as #511 seems to imply?

To work around A) and B) I simply mirrored their /directory onto my server, added line breaks, and removed the ACMEv1 endpoints, and finally pointed getssl at my edited copy instead.
```json
{
  "meta": {
    "website": "https://buypass.com/",
    "caa-identities": [ "buypass.com" ],
    "terms-of-service": "https://api.buypass.com/acme/terms/750"
  },
  "newNonce": "https://api.buypass.com/acme-v02/new-nonce",
  "newAccount": "https://api.buypass.com/acme-v02/new-acct",
  "newAuthz": "https://api.buypass.com/acme-v02/new-authz",
  "newOrder": "https://api.buypass.com/acme-v02/new-order",
  "revokeCert": "https://api.buypass.com/acme-v02/revoke-cert",
  "keyChange": "https://api.buypass.com/acme-v02/key-change"
}
```

That's really all that was required to make getting a free certificate from buypass with the current version of getssl work.
Beyond that, you only need to make sure you stay within buypass's stricter limitations. Only one domain per certificate (don't add a list of SANs, get separate certs). Plus if you want an EC cert, the algo must be prime256v1. They don't support secp384r1 like Let's Encrypt does.
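The following POSIX shell script is an added example, not part of this issue and not getssl's own code. It works through the three points in the comment above on constructed input: (A) normalising a compact one-line directory so that grep-style extraction works the same as on a pretty-printed one, (B) picking the v2 endpoints when a directory lists v1 and v2 keys side by side, and (C) accepting a header-only newAccount response as long as the Location header carries the account URL. The hostname ca.example, every URL, the sample directories and the sample HTTP responses are all constructed for illustration; the key names `newAccount` (RFC 8555) and `new-reg` (the pre-RFC v1 draft) are the real directory keys, but the assumption that getssl tells the versions apart by exactly these keys is mine.

```bash
#!/bin/sh
# Added example (not getssl's code): handle the three Buypass directory
# quirks described in the issue on constructed input. All URLs hypothetical.

# Constructed sample 1: compact one-line directory that lists pre-RFC v1
# keys (new-reg, new-authz, new-cert) next to the RFC 8555 v2 keys.
SAMPLE_DIR='{"new-reg":"https://ca.example/acme/new-reg","new-authz":"https://ca.example/acme/new-authz","new-cert":"https://ca.example/acme/new-cert","meta":{"website":"https://ca.example/","caa-identities":["ca.example"],"terms-of-service":"https://ca.example/terms/1"},"newNonce":"https://ca.example/acme-v02/new-nonce","newAccount":"https://ca.example/acme-v02/new-acct","newOrder":"https://ca.example/acme-v02/new-order","revokeCert":"https://ca.example/acme-v02/revoke-cert","keyChange":"https://ca.example/acme-v02/key-change"}'

# Constructed sample 2: v2 entries pretty-printed, one key per line.
SAMPLE_DIR_PRETTY=$(printf '{\n  "newNonce": "https://ca.example/acme-v02/new-nonce",\n  "newAccount": "https://ca.example/acme-v02/new-acct"\n}\n')

# (A) Put every "key":"value" pair on its own line regardless of how the CA
# formats its JSON: drop existing line breaks, then break after each comma.
# A comma inside a string value would be split too; no ACME directory field
# contains one, but a real JSON parser (e.g. jq) is the robust option.
normalize_dir() {
  printf '%s' "$1" | tr -d '\n\r' | tr ',' '\n'
}

# Print the string value of key $2 in normalized directory $1
# (prints nothing when the key is absent).
dir_value() {
  printf '%s\n' "$1" \
    | grep -o "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n 1 \
    | sed 's/.*:[[:space:]]*"\([^"]*\)"/\1/'
}

# (B) Prefer v2 whenever the directory offers it and fall back to v1 only
# when newAccount is absent. Prints 2, 1 or 0 (neither found).
acme_version() {
  if [ -n "$(dir_value "$1" newAccount)" ]; then
    echo 2
  elif [ -n "$(dir_value "$1" new-reg)" ]; then
    echo 1
  else
    echo 0
  fi
}

# Constructed sample 3: newAccount reply for an already-registered key; the
# account URL is only in the Location header and there is no body at all.
SAMPLE_RESP_EMPTY=$(printf 'HTTP/2 200\r\nlocation: https://ca.example/acme-v02/acct/12345\r\nreplay-nonce: 8Yq3\r\ncontent-length: 0\r\n\r\n')
# Constructed sample 4: neither a body nor a Location header, a real error.
SAMPLE_RESP_BAD=$(printf 'HTTP/2 500\r\ncontent-length: 0\r\n\r\n')

# Value of header $2 (case-insensitive) from the header section of raw
# response $1; the header section ends at the first blank line.
resp_header() {
  printf '%s\n' "$1" | tr -d '\r' | sed '/^$/q' \
    | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# Body of raw response $1: everything after the first blank line.
resp_body() {
  printf '%s\n' "$1" | tr -d '\r' | sed '1,/^$/d'
}

# (C) An empty body is not fatal when the headers carry the account URL;
# fail only when both the body and the Location header are missing.
account_from_response() {
  acct_body=$(resp_body "$1")
  acct_loc=$(resp_header "$1" location)
  if [ -z "$acct_body" ] && [ -z "$acct_loc" ]; then
    echo "ERROR newAccount returned nothing" >&2
    return 1
  fi
  printf '%s\n' "$acct_loc"
}

# Stand-alone demonstration on the constructed samples.
dir=$(normalize_dir "$SAMPLE_DIR")
echo "ACME version: $(acme_version "$dir")"
echo "newAccount:   $(dir_value "$dir" newAccount)"
echo "account URL:  $(account_from_response "$SAMPLE_RESP_EMPTY")"
```

The comma-splitting in `normalize_dir` is the shortcut suggested in the comment above and is enough for the fields an ACME directory actually carries; where jq is available, `jq -r .newAccount` on the raw directory is the safer way to do the same lookup. Splitting the header section from the body in `resp_header` also avoids picking up a `location:` line that happens to appear inside a JSON body.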

@timkimber timkimber self-assigned this Feb 22, 2020
@timkimber (Member)

Hi @fds242, it looks like you've done the majority of the work towards adding support! I'll add support after I've done #509

@CasualRascal

@timkimber I am still waiting for buypass support!

@fds242 Is your solution still working? can you perhaps share a link to your /directory mirror?
