Comments (8)
Got info back from ZeroSSL support:
Regarding ACME - it's currently limited to 90-day certificates. 1-year certificates cannot be issued via ACME.
from posh-acme.
Hi @TiloGit, thanks for reaching out. The information is coming from explicit testing I've done against the free ACME CAs. At the time I last tested, that particular feature which allows for sending a notBefore
and notAfter
value with a new order request was only supported by Google's CA.
I'm not sure about ZeroSSL, but for some of the other commercial CAs, there are different ACME endpoints for different products. Is there any documentation about using ACME for non-free certs from ZeroSSL? Or do you have to use their custom API instead of ACME?
from posh-acme.
Thx for the quick reply.
The ZeroSSL ACME documentation is pretty "lean", nothing substantial https://zerossl.com/documentation/acme/
I got a support ticket open and keep you posted.
from posh-acme.
so far nothing out of ZeroSSL support or GH ticket. ZeroSSL gives same response with acme.sh, so it's not related to the PS script (zerossl/zerossl-bot#41)
btw google allowed max 90 days cert (2184h),
{
"detail": "Certificate lifetime: 8760h59m59.833192353s must not exceed the maximum allowed lifetime: 2184h",
"requestID": "Xb--removed---7w",
"type": "urn:ietf:params:acme:error:malformed"
}
and google didn't allow to start the 90 days later, (here try with --valid-from "+15d"
acme.sh script
{
"detail": "Requested NotBefore timestamp: 2024-01-20T20:26:13+00:00 must be within [2024-01-05T18:26:15.139817746+00:00, 2024-01-05T20:26:15.139817746+00:00].",
"requestID": "U5M--revmoed--edg",
"type": "urn:ietf:params:acme:error:malformed"
}
from posh-acme.
That's actually really interesting that acme.sh doesn't work either because I thought it the ZeroSSL API instead of ACME by default now. And if anything, I would've thought their direct API would work.
But yeah, the lifetime limits on Google are still the same despite allowing for variable lifetimes. I think the intention with the feature was to make it easier to offer shorter than the default lifetimes because certain CA requirements change after you get under a certain lifetime threshold.
from posh-acme.
Out of curiosity and since you seem to be pretty confident in your ACME usage so far. Why the need for longer than 90 day certs? Are you not able to automate renewals?
from posh-acme.
we can automated the cert stuff on our end but the other end wants to do cert pinning so we like to use certs with longer lifetime.
I might settle on https://www.buypass.com/ as it has 180 days.
Btw ZeroSSL works totally fine on 90days cert. Just can't use ACME for 365 days cert on ZeroSSL it seems.
from posh-acme.
Well that's lame of them.
from posh-acme.
Related Issues (20)
- Trying to use ZeroSSL HOT 4
- Problem with OVH plugin for creating/renewing certificates HOT 8
- Error requesting certificate with WebRoot plugin HOT 5
- FullChainFile doesn't contain ISRG Root X1 HOT 9
- Active24 plugin no longer working HOT 25
- Pull cert into local certificate store using FQDN and Subsequent renew HOT 5
- CmdLets Repeatedly asking for DNS Text Records HOT 3
- Running "Get-PACertificate" can cause a long stream of errors HOT 4
- OVH plugin is not compatible with PowerShell 5.1
- DNSimple Plugin not removing dns challange HOT 3
- DNSimple Plugin regression HOT 3
- DNSPod Argument Names HOT 3
- Gandi API change HOT 3
- Question - Problems loading bouncy castle HOT 6
- NameCom plugin - Domain not found HOT 8
- Plugin request: Scaleway.com/Online.net HOT 10
- How do you check for current installed version of Posh-ACME client and how do you upgrade the Posh-ACME client HOT 3
- Cannot indicate an order replaces certificate with serial <code>, which already has a replacement order HOT 4
- Submit-Renewal throws errors checking ARI on certs with no AKI HOT 3
- Azure IMDS authentication doesn't work on Arc-enabled servers HOT 16
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from posh-acme.