RFC8555#7.3.4 #558

Closed
opened 2025-12-29 01:27:16 +01:00 by adam · 3 comments

Originally created by @CasualRascal on GitHub (Nov 23, 2021).

I ran into a problem with SSL.com.

The CA also allows issuing free SSL certificates, but it requires users to sign up for an account on their website and provide an account key and HMAC key when creating an ACME account via the ACME client.

This behavior is described [on this page of their website](https://www.ssl.com/guide/ssl-tls-certificate-issuance-and-revocation-with-acme/) and is also described in RFC8555#7.3.4.

Please add this capability to dehydrated.

P.S. this is a beautiful script, I love it. Please keep up the great work.

adam closed this issue 2025-12-29 01:27:16 +01:00

@lukas2511 commented on GitHub (Nov 23, 2021):

Dehydrated fully supports EAB, just set `EAB_KID` and `EAB_HMAC_KEY` in your config file. Guess this should be a bit better documented, but that's something I've been working on anyway.
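
What the key identifier and HMAC key are used for under RFC 8555 section 7.3.4, as an added example that is not part of this thread and not dehydrated's own code: the client wraps its account public key in a JWS that is MACed with the CA-issued key, and the CA recomputes that MAC. Function names, the URL and all sample values are assumptions constructed for illustration; it needs only `openssl`, `od`, `tr` and `sed`.

```shell
#!/bin/sh
# Added example: RFC 8555 section 7.3.4 external account binding (EAB) JWS.
# Every credential, URL and key below is a constructed placeholder.

# stdin -> base64url without padding (RFC 7515)
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }
# stdin -> lowercase hex
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# stdin -> raw HMAC-SHA256; $1 is the base64url key as handed out by the CA.
# Decoded to hex because raw key bytes (possibly NUL) cannot live in a shell
# variable. Caveat: the hex key is visible in the process list while openssl runs.
hmac_sha256() (
  key="$(printf '%s' "$1" | tr '_-' '/+')"
  while [ $(( ${#key} % 4 )) -ne 0 ]; do key="${key}="; done
  hexkey="$(printf '%s' "$key" | openssl base64 -d -A | to_hex)"
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:${hexkey}" -binary
)

# Client side. $1=key id, $2=HMAC key, $3=newAccount URL, $4=account public JWK
eab_jws() (
  protected="$(printf '{"alg":"HS256","kid":"%s","url":"%s"}' "$1" "$3" | b64url)"
  payload="$(printf '%s' "$4" | b64url)"
  sig="$(printf '%s.%s' "$protected" "$payload" | hmac_sha256 "$2" | b64url)"
  printf '{"protected":"%s","payload":"%s","signature":"%s"}\n' "$protected" "$payload" "$sig"
)

# Pull one string member out of the flattened JWS (enough for this fixed layout).
jws_field() ( printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p" )

# CA side: recompute the MAC over "protected.payload" with the stored key.
# A real CA compares in constant time and also checks kid, url and the JWK.
eab_verify() (
  want="$(printf '%s.%s' "$(jws_field "$1" protected)" "$(jws_field "$1" payload)" \
          | hmac_sha256 "$2" | b64url)"
  [ -n "$want" ] && [ "$want" = "$(jws_field "$1" signature)" ]  # fail closed on empty MAC
)

# Constructed sample values (not real credentials or a real account key).
KID='kid-constructed-0001'
HMAC_KEY='c2VjcmV0LWtleS1mb3ItZWFiLWRlbW8'
NEW_ACCOUNT_URL='https://acme.example.test/new-account'
ACCOUNT_JWK='{"crv":"P-256","kty":"EC","x":"constructed-x","y":"constructed-y"}'

JWS="$(eab_jws "$KID" "$HMAC_KEY" "$NEW_ACCOUNT_URL" "$ACCOUNT_JWK")"
printf '%s\n' "$JWS"
eab_verify "$JWS" "$HMAC_KEY" && echo "EAB MAC verifies"
```

In dehydrated the key identifier and HMAC key are the `EAB_KID` and `EAB_HMAC_KEY` config values named above. The HMAC key is a shared secret, so keep the config file readable only by the account that runs the client.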


@CasualRascal commented on GitHub (Jan 13, 2022):

You are right, it works* both with the parameter `--ca https://acme.ssl.com/sslcom-dv-ecc` and `--ca https://acme.ssl.com/sslcom-dv-rsa`.

I tried adding a preset for it but the preset would not work at all.

--- dehydrated  2022-01-13 19:08:55.674048326 +0100
+++ dehydrated-sslcom   2022-01-13 19:11:09.250614925 +0100
@@ -344,9 +344,11 @@
   CA_LETSENCRYPT_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"
   CA_BUYPASS="https://api.buypass.com/acme/directory"
   CA_BUYPASS_TEST="https://api.test4.buypass.no/acme/directory"
+  CA_SSLCOM_RSA="https://acme.ssl.com/sslcom-dv-rsa"
+  CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc"
 
   # Default values
-  CA="letsencrypt"
+  CA="sslcom-rsa"
   OLDCA=
   CERTDIR=
   ALPNCERTDIR=
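Review bot: the default changes from `CA="letsencrypt"` to `CA="sslcom-rsa"` under "# Default values", which moves every installation that never sets `CA` onto a different CA, one that this issue says needs an account key and HMAC key from a prior sign-up. Keep `CA="letsencrypt"` as the default and add only the two `CA_SSLCOM_*` variables, so the preset stays opt-in. The new URLs also do not end in `/directory` like the neighbouring presets; a short comment confirming they are the directory endpoints would help the next reader.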
@@ -470,6 +472,10 @@
     CA="${CA_BUYPASS}"
   elif [ "${CA}" = "buypass-test" ]; then
     CA="${CA_BUYPASS_TEST}"
+  elif [ "${CA}" = "sslcom-rsa" ]; then
+    CA="${CA_SSLCOM_RSA}"
+  elif [ "${CA}" = "sslcom-ecc" ]; then
+    CA="${CA_SSLCOM_ECC}"
   fi
 
   if [[ -z "${OLDCA}" ]] && [[ "${CA}" = "https://acme-v02.api.letsencrypt.org/directory" ]]; then
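Review bot: the new `sslcom-rsa` and `sslcom-ecc` branches resolve the names to URLs, but nothing in the patch documents them or ties them to the EAB settings. Since the issue above says SSL.com requires an account key and HMAC key, either note next to the presets that `EAB_KID` and `EAB_HMAC_KEY` must be set, or emit a clear error when one of these presets is selected without them, so a missing credential does not surface only as a failed account registration.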

Could you add the presets? I am definitely missing something.

*I have been able to create an account and request valid certificates, however there is no API support. Something like the Zero SSL special sauce, but SSL.com flavored. For my purposes, this does not concern me.


@adrian5 commented on GitHub (Nov 7, 2023):

> Dehydrated fully supports EAB, just set `EAB_KID` and `EAB_HMAC_KEY` in your config file. Guess this should be a bit better documented, but that's something I've been working on anyway.

I think adding this to [examples/config](https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config) would be helpful. That's where I looked for it before landing here.

Reference: starred/dehydrated#558