Comments (4)
Hi @marcovanbeek, thanks for reaching out. This guide on external account binding will probably help. But I'll try to explain here as well.
https://poshac.me/docs/v4/Guides/External-Account-Binding/
Essentially, ACME orders are tied to a specific ACME account and the account is tied to a specific ACME server. So when you're switching providers from Let's Encrypt to ZeroSSL, you first have to create a new account, which is where you specify the EAB credentials. Once you have that account set up, you create a new certificate/order with that account active. So effectively, the order of operations is:
Set-PAServer ZEROSSL_PROD
New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact '[email protected]' -AcceptTOS
New-PACertificate example.com <etc>
> as they need to be root certificates, I have to use DNS validation
Certificates on a domain/zone apex shouldn't require DNS validation unless you're trying to also get a wildcard cert for that apex. For non-wildcards, the HTTP challenge will work as long as the webserver(s) the apex points to can host the HTTP validation file.
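The three steps above, written out as a runnable script. This is an added example, not code from the thread or from the Posh-ACME project; it assumes the EAB Key ID and HMAC key come from the ZeroSSL dashboard, that the zone is hosted at Cloudflare (any Posh-ACME DNS plugin is used the same way), and that `[email protected]` and the domain name are placeholders.

```powershell
# Added example (not from the thread): moving an on-premises Windows host from
# Let's Encrypt to ZeroSSL with EAB credentials and a DNS-01 challenge.
# Assumptions: EAB KID/HMAC come from the ZeroSSL dashboard, DNS is hosted at
# Cloudflare, and secrets are typed in at run time rather than stored in the script.

Import-Module Posh-ACME

# 1. Point Posh-ACME at the ZeroSSL production directory. Accounts are per-server,
#    so nothing from a previous LE_PROD account carries over.
Set-PAServer ZEROSSL_PROD

# 2. Create the ZeroSSL account. EAB binds the new ACME account key to your ZeroSSL login.
$eabKID  = Read-Host 'ZeroSSL EAB Key ID'
$eabHMAC = Read-Host 'ZeroSSL EAB HMAC key'
New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC `
              -Contact '[email protected]' -AcceptTOS   # placeholder contact address

# 3. Confirm what New-PACertificate will use implicitly: the active server and account.
$server  = Get-PAServer
$account = Get-PAAccount
"Server: $($server.location)  Account: $($account.id) ($($account.status))"
if ($account.status -ne 'valid') { throw 'ACME account is not valid; fix it before ordering.' }

# 4. Order the apex certificate with a DNS plugin, since the apex's web host cannot
#    serve the HTTP-01 file here. The token is a SecureString so it is not written
#    in plain text into the saved plugin arguments.
$cfToken = Read-Host 'Cloudflare API token (Zone:DNS:Edit)' -AsSecureString
$cert = New-PACertificate -Domain 'example.com' `
                          -Plugin Cloudflare `
                          -PluginArgs @{ CFToken = $cfToken } `
                          -Install   # also place it in the LocalMachine store for the Hybrid connector

# 5. Show what was issued: FullChainFile is the PEM bundle, PfxFullChain the PKCS#12.
$cert | Select-Object Subject, NotAfter, Thumbprint, FullChainFile, PfxFullChain
```

Later renewals only need `Submit-Renewal`; the server, account and plugin arguments are remembered with the order.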
Hi,
Yes, I tried all that, and I still get the error. I am going to wipe the existing data and try again, but from what you are saying, the New-PACertificate script will always use the active PAAccount, so I'm not missing a step or an argument?
I'll let you know / post errors after I restart the process from scratch.
BTW for 365 Hybrid connector you need a domain root certificate and you are never doing this from a server that maps back to the apex of the domain, as the Windows server is on-premises. You are basically linking an Active Directory system and Exchange server(s) with the AD in Azure and Exchange On-Line. Yes, we could upload the HTTP validation file to the web server, but that is usually controlled by a third party who use WordPress and redirect all URLs back to the CMS.
Okay, so I deleted all my existing config and just did those three steps, and that worked. I compared the old and new config and the only major difference was the LE_PROD directory from my earlier tests, so I will have a play around to see if I can break it and let you know.
> but from what you are saying, the New-PACertificate script will always use the active PAAccount, so I'm not missing a step or an argument?
It will use the active account on the active server unless either of the following is true.
- The -DirectoryUrl param is specified and doesn't match the active server
- The -AccountKeyLength or -Contact params are specified and don't match the current account
  - In this case, it will try to find an account that matches and use that. But if none match, it will attempt to create a new one (which in retrospect won't work for providers that require EAB and end up throwing an error).
So basically, it will always use the active account if none of those 3 parameters are specified.
> Yes, we could upload the HTTP validation file to the web server, but that is usually controlled by a third party who use WordPress and redirect all URLs back to the CMS.
Gotcha. Just wanted to make sure you weren't operating under false assumptions. DNS validation definitely sounds like the easier path forward. I actually prefer it, personally.
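The account-matching rule described above (contact and key length must match the current account, otherwise an existing match is used and, failing that, a new account is created) can be made explicit so the script never reaches the implicit-creation path that breaks on EAB providers. This is an added example, not code from the thread or from Posh-ACME; it assumes ZEROSSL_PROD is the intended server, that Posh-ACME stores contacts as `mailto:` URIs (it does, per the ACME specification), and that `Select-AcmeAccount`, the placeholder EAB values and the addresses are hypothetical.

```powershell
# Added example (not from the thread): pick the ACME account explicitly so that
# New-PACertificate is never left to guess and create a fresh one.
# Assumptions: ZEROSSL_PROD is the target server; EAB credentials are only
# needed the first time an account is created (placeholders below).

Import-Module Posh-ACME

function Select-AcmeAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Contact,   # e.g. '[email protected]'
        [string] $KeyLength = '2048',              # '2048' or 'ec-256', same values New-PAAccount takes
        [string] $EabKID,                          # only used when no account matches
        [string] $EabHMAC
    )

    # Accounts live under the active server, so pin the server first. This removes
    # the -DirectoryUrl mismatch case entirely.
    Set-PAServer ZEROSSL_PROD

    # Apply the same rule New-PACertificate applies implicitly: contact AND key length.
    $match = Get-PAAccount -List -Refresh | Where-Object {
        $_.status -eq 'valid' -and
        $_.KeyLength -eq $KeyLength -and
        $_.contact -contains "mailto:$Contact"
    } | Select-Object -First 1

    if ($match) {
        Set-PAAccount -ID $match.id
        Write-Verbose "Reusing account $($match.id)"
        return $match
    }

    if (-not $EabKID -or -not $EabHMAC) {
        throw "No valid ZeroSSL account for $Contact/$KeyLength and no EAB credentials supplied."
    }
    # Explicit creation with EAB is the only path that works for this provider;
    # New-PAAccount also makes the new account the active one.
    Write-Verbose "Creating new EAB-bound account for $Contact"
    return New-PAAccount -KeyLength $KeyLength -Contact $Contact -AcceptTOS `
                         -ExtAcctKID $EabKID -ExtAcctHMACKey $EabHMAC
}

# Usage: select (or create) the account, then order WITHOUT -Contact or
# -AccountKeyLength so the cmdlet has nothing to compare and uses the active account.
$acct = Select-AcmeAccount -Contact '[email protected]' `
                           -EabKID 'PLACEHOLDER_KID' -EabHMAC 'PLACEHOLDER_HMAC' -Verbose
"Active account: $($acct.id)"

$cert = New-PACertificate -Domain 'example.com' -Plugin Cloudflare `
                          -PluginArgs @{ CFToken = (Read-Host 'Cloudflare API token' -AsSecureString) }
$cert | Select-Object Subject, NotAfter, Thumbprint
```

The point of the wrapper is that every decision the cmdlet would otherwise make silently (which server, which account, whether to create one) is made in the script, where a mismatch produces a clear error rather than an unexpected account-creation attempt.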