[Pki-devel] ACME Support: Error issuing certificate

Endi Sukma Dewata edewata at redhat.com
Tue May 5 23:49:09 UTC 2020


----- Original Message -----
> Hi -
> 
> My team is adding ACME 2.0 client support to the Open Liberty application
> server and wanted to test against Dogtag PKI's ACME server. My intention is
> to containerize the ACME server and drive it through the same functional
> tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
> instance) to verify compatibility.
> 
> The first error I hit was an issue with using JSS 4.7 and I understand that
> will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .
>
> [snip]
>
> To move past this error, I was advised to move down to JSS 4.6.2. Upon doing
> so, I made it past the initial error but now hit the following error:
>
> [snip]
>
> I can see in the ACME server's trace that it does indeed authorize my
> ownership of the domain and then try to issue the certificate. Examining the
> AcmeIssuer class shows that this class has several methods that are not
> implemented.
> 
> https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61
> Is this expected or is it possible I have a misconfiguration? I assume I am
> testing too early and need to wait until the implementation is further
> along, but I wanted to test early enough that if there were issues I could
> detect them earlier rather than later.
> 
> If it matters, I am testing with the image from @pki/master on a Fedora
> 30 docker container.

Hi Jesse,

Thanks for your interest in Dogtag PKI and particularly the ACME responder.
Please note that the ACME responder itself is not a CA; it requires another
CA to issue the certificates. Currently the only supported CA is Dogtag PKI
CA which is connected through PKIIssuer:
https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java

The ACMEIssuer is just a base class. It's possible to support other CAs
by extending ACMEIssuer. If you would like to add support for another issuer
upstream feel free to submit a pull request. We have a prototype for OpenSSL
that we might add later.

The issue with JSS is correct, and we're still working to fix it.

The unimplemented ACMEIssuer issue seems to be caused by a missing CA. Please
follow these docs to install 389 DS, then install Dogtag PKI CA:
https://www.dogtagpki.org/wiki/Installing_DS
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_CA.md

Then follow these docs to install and verify ACME:
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_ACME_Responder.md
https://github.com/dogtagpki/pki/blob/master/docs/user/Using_ACME_Responder.md

Officially we do not support containerization yet, but it's possible to run
ACME, CA, and DS in containers under some scenarios.

If you run Fedora 30 as a local Docker container, you can execute commands in
the container to install ACME, CA, and DS like regular Fedora applications.

However, if you want to run each of them as a single process in separate
Docker containers, it is possible with some code changes and tricks:
https://www.dogtagpki.org/wiki/PKI_ACME_Container
https://www.dogtagpki.org/wiki/PKI_CA_Container
https://www.dogtagpki.org/wiki/DS_Container

Similarly, here are the docs for OpenShift deployment:
https://www.dogtagpki.org/wiki/PKI_ACME_OpenShift
https://www.dogtagpki.org/wiki/PKI_CA_OpenShift
https://www.dogtagpki.org/wiki/DS_OpenShift

Please note that the wiki is used for development, so the content might be
outdated. The official docs are on GitHub.

The ACME responder is easier to containerize. We might be able to officially
support its containerization soon. However, the CA might be more difficult
due to its dependency on systemd and other issues. The DS seems to require at
least some code changes.

If you want to test ACME containerization, you probably can install ACME
in a container with CA and DS running on the host machine. If you just want
to test ACME compatibility without containerization, it might be best to
install ACME, CA, and DS on a regular machine for now.

Hope this helps. Let me know if you have any questions.

--
Endi S. Dewata
