Topic: ACME Package for ACME v2 coming


jimp (Administrator)
ACME Package for ACME v2 coming
« on: February 07, 2018, 10:54:02 am »
I am working on getting the ACME package ready for the launch of ACME v2 later this month. I have synchronized the code in the devel branch for 2.4.3 snapshots but not for other versions yet. It won't show up until the next snapshot run. Look for ACME package version 0.2.0.1.

For users of existing certificates, not much will change, but it's good to make sure existing certificates still renew properly, and that new certificates on the v1 servers work as expected.

You cannot create a trusted wildcard certificate yet because Let's Encrypt does not have production ACME v2 servers online until later this month. The staging server is up, and you can use it to ensure that your validation is working properly for when the production servers go live.


Updates include

* acme.sh updated to support ACME v2
* Wildcard domain support
  * EXPERIMENTAL!! This requires ACME v2 and ONLY the staging server is online right now. Use for testing only.
* ACME v2 server URLs added to Account Key options
  * EXPERIMENTAL!! ONLY the staging server is online right now. Use for testing only. Let's Encrypt is launching this service for production use later this month.
* E-Mail Address support added to Account Key options (Let's Encrypt -- NOT this package -- will send you an e-mail if your certificate is expiring and hasn't been renewed)
* Misc bug fixes

New Providers:
* AutoDNS (InternetX)
* Azure (Microsoft)
* Namesilo
* Selectel

Providers with updates/bug fixes:
* AWS
* Cloudflare
* INWX
* ISPConfig
* OVH
* Yandex


Creating a Wildcard certificate

Wildcard certificates require ACME v2 and a DNS-based validation method. They cannot be used with other modes (e.g. standalone, webroot, webroot ftp, haproxy integration, etc).

To make a wildcard certificate, you must validate for the base domain of the wildcard. For example: To make a wildcard certificate for "*.example.com", you must be able to update the TXT record for _acme-challenge.example.com. A common practice is to set up a certificate that contains the example.com and *.example.com domains and use the same update method for both.

Special note for nsupdate/RFC2136: Set the Key Name to example.com in this case
« Last Edit: February 07, 2018, 11:24:18 am by jimp »
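A pre-flight helper for the wildcard procedure described in the post above, added here as an example; it is not code from the pfSense ACME package or from acme.sh. It derives the _acme-challenge name for each SAN (so "example.com" and "*.example.com" both resolve to _acme-challenge.example.com), computes the TXT value the CA will look for (RFC 8555 dns-01: base64url of SHA-256 over token "." account-key-thumbprint), renders an nsupdate batch against the base-domain zone, and diffs the required records against what is actually published so you can confirm the update method works on staging before production goes live. The account JWK, the challenge tokens and the "published" RRset are constructed stand-ins; treating the base domain as the nsupdate zone is this example's assumption, not a statement about how the package configures its Key Name.

```python
"""Pre-flight helper for dns-01 validation of a cert covering example.com and *.example.com.

Added example for this thread, not code from the pfSense ACME package or acme.sh.
Tokens, the account key and the 'published' RRset below are constructed stand-ins.
"""
import base64
import hashlib
import json
from typing import Dict, Iterable, Set, Tuple

CHALLENGE_LABEL = "_acme-challenge"


def b64url(raw: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def base_domain(identifier: str) -> str:
    """Strip one leading '*.'; any other use of '*' is not a valid ACME identifier."""
    name = identifier.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name or name.startswith("."):
        raise ValueError(f"unsupported identifier: {identifier!r}")
    return name


def challenge_name(identifier: str) -> str:
    """Owner name of the TXT record the CA queries for dns-01 (RFC 8555 section 8.4)."""
    return f"{CHALLENGE_LABEL}.{base_domain(identifier)}"


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members in lexicographic order."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value the CA expects: base64url(SHA-256(token || '.' || thumbprint))."""
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode()).digest())


def required_txt_records(challenges: Iterable[Tuple[str, str]], thumbprint: str) -> Dict[str, Set[str]]:
    """Group (identifier, token) pairs by challenge name.

    ACME v2 issues one authorization, and so one token, per identifier; example.com and
    *.example.com therefore need two TXT records present at the same name at the same time.
    """
    records: Dict[str, Set[str]] = {}
    for identifier, token in challenges:
        records.setdefault(challenge_name(identifier), set()).add(dns01_txt_value(token, thumbprint))
    return records


def nsupdate_script(zone: str, records: Dict[str, Set[str]], ttl: int = 60) -> str:
    """Render an nsupdate batch adding every required record in one transaction.

    Assumption of this example: the update is sent to the base-domain zone, i.e. to
    example.com even when the SAN being validated is *.example.com.
    """
    lines = [f"zone {zone.rstrip('.')}."]
    for name in sorted(records):
        for value in sorted(records[name]):
            lines.append(f'update add {name}. {ttl} IN TXT "{value}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


def missing_records(required: Dict[str, Set[str]], observed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per name, the values not yet visible in DNS; an empty dict means the CA can validate."""
    gaps: Dict[str, Set[str]] = {}
    for name, values in required.items():
        absent = values - observed.get(name.lower(), set())
        if absent:
            gaps[name] = absent
    return gaps


if __name__ == "__main__":
    # Constructed account key: a stand-in JWK, not a real modulus.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "example-modulus-not-a-real-key"}
    thumb = jwk_thumbprint(account_jwk)
    # Constructed tokens, one per identifier as the CA hands them out for an order.
    order = [("example.com", "tokenA-for-apex"), ("*.example.com", "tokenB-for-wildcard")]
    needed = required_txt_records(order, thumb)
    print(nsupdate_script("example.com", needed))
    # Simulate a zone where only the first of the two records has been published.
    published = {name: set(sorted(vals)[:1]) for name, vals in needed.items()}
    print("still missing:", missing_records(needed, published))
```

The check that matters in practice is the last one: after your DNS hook has run, query the authoritative server for _acme-challenge.example.com and feed the TXT strings you get back to missing_records(); an empty result means both the apex and the wildcard authorizations can be satisfied, which is exactly what the staging server lets you rehearse before the production ACME v2 endpoint is available.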