How to add EAB Credentials when using ZeroSSL

Hello,

I believe the registration is identified by an email address used in DirectAdmin by admin and is stored in

Code:
/usr/local/directadmin/data/.lego/accounts/acme.zerossl.com/<ADMIN_EMAIL_ACCOUNT>/account.json

and matches the one in:

Bash:
grep ^email= /usr/local/directadmin/data/users/$(da a)/user.conf
 
Thank you, but I don't think this is the case.
I registered an account with ZeroSSL using the admin email address, but there seems to be no relation.

When I look at the Lego options documentation on: https://go-acme.github.io/lego/usage/cli/options/index.html I see the following parameter:
--eab: Use External Account Binding for account registration. Requires --kid and --hmac.

Is there any way I can set these additional parameters?
 
You will need to copy /usr/local/directadmin/scripts/letsencrypt.sh into the folder /usr/local/directadmin/scripts/custom/ and update /usr/local/directadmin/scripts/custom/letsencrypt.sh with the new flags.

I believe this is the line that you will need to update:

Code:
/usr/local/bin/lego "${args[@]}" run --no-bundle --preferred-chain="ISRG Root X1"

When using the CLI, you will need to explicitly run /usr/local/directadmin/scripts/custom/letsencrypt.sh; the DirectAdmin binary will use the custom version of the script without the need for additional settings.
 
Hello,
In order to provide EAB credentials in ZeroSSL, go to your SSL client and then enter the Key ID and HMAC Key taken from the ZeroSSL dashboard. Example: --eab-kid YOUR_KEY_ID --eab-hmac-key YOUR_HMAC_KEY. These can be located in your API settings.

Thank you
 
Thank you for the info. I have added letsencrypt.sh to /usr/local/directadmin/scripts/custom and updated the line as follows:
/usr/local/bin/lego "${args[@]}" --eab --kid="xxx" --hmac="xxx" run --no-bundle --preferred-chain="ISRG Root X1"

However, when I click renew under Admin->Server manager->Server TLS certificate, the response message still starts with:
exec ["/usr/local/bin/lego" "--accept-tos" "--email=xxx" "--key-type=ec256" "--server=https://acme.zerossl.com/v2/DV90" "--path=/usr/local/directadmin/data/.lego" "--http" "--http.webroot=/var/www/html" "--domains=xxx" "run" "--no-bundle" "--preferred-chain=ISRG Root X1"]

So it looks like the custom script is not used here. Is the custom script also for the admin level or only user level?
 
I did not find anything regarding this in https://docs.directadmin.com/ with the exception of https://docs.directadmin.com/changelog/version-1.51.0.html#custombuild-to-manage-letsencrypt-sh

Probably it was an undocumented feature, which is now dropped. Or it might be an ongoing bug.

Anyway, you might try to use a PRE hook "letsencrypt_pre.sh" (https://docs.directadmin.com/developer/hooks/ssl_letsencrypt.html):

1. you might use the PRE hook to call a custom script "/usr/local/directadmin/scripts/custom/letsencrypt.sh"
2. you might use the PRE hook to patch the existing script "/usr/local/directadmin/scripts/letsencrypt.sh" by adding your custom flags
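
Added example, not part of the original posts and not DirectAdmin code: a shell function that a `letsencrypt_pre.sh` hook could call to apply option 2 idempotently, keeping the EAB key in a root-only file instead of in the script. `EAB_FILE`, its path and both function names are assumptions; the thread does not settle whether DirectAdmin runs this script for admin-level renewals.

```shell
#!/bin/sh
# Added example (not DirectAdmin code). EAB_FILE is an assumed path to a
# root-only file containing two shell assignments: EAB_KID=... and EAB_HMAC=...
EAB_FILE="${EAB_FILE:-/root/.zerossl_eab}"

# eab_file_is_private: succeed only if EAB_FILE is accessible by its owner alone.
eab_file_is_private() {
    case "$(ls -ld "$EAB_FILE" 2>/dev/null)" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# patch_lego_eab SCRIPT: insert --eab --kid --hmac before lego's "run"
# subcommand. Returns 0 if patched or already patched, non-zero otherwise.
patch_lego_eab() {
    script="$1"
    [ -f "$script" ] || { echo "missing: $script" >&2; return 2; }
    eab_file_is_private || { echo "$EAB_FILE must be mode 600" >&2; return 4; }
    # The hook can fire on every request, so a second run must be a no-op.
    if grep -q -- '--eab --kid=' "$script"; then return 0; fi
    # BRE for the line quoted in the thread: lego "${args[@]}" run ...
    old='/usr/local/bin/lego "\${args\[@]}" run '
    # Refuse to guess if an update changed the script's lego invocation.
    grep -q "^[[:space:]]*$old" "$script" || {
        echo "lego invocation not found in $script" >&2; return 3; }
    # The patched line sources EAB_FILE at run time, so the key itself is
    # never written into the script; a .bak copy of the original is kept.
    new='/usr/local/bin/lego "${args[@]}" --eab --kid="$EAB_KID" --hmac="$EAB_HMAC" run '
    sed -i.bak -e "s|^\([[:space:]]*\)$old|\1. \"$EAB_FILE\"; $new|" "$script"
}
```

lego still receives the key as a command-line argument, so it is visible in the process list while lego runs.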
 