-
Okay, so I now better understand the use of ACME and yes, the client should be operated on the server machine the certificate is to be installed and run on. I think I was thinking the ACME client operated as a central sort of certificate management platform, requesting, renewing, and distributing certificates and keys. However, I see now (after reading through several pages of various ACME clients' source code) this is not the case, and my entire understanding was off track.
-
Okay, so I am finally breaking down and asking for help...
TL;DR: How does the Verification Token get placed onto the web server if it's not done manually??
I have a very simple environment that I've set up so I can learn and hopefully implement a more robust certificate management system for my home / home lab. Right now, I have step-ca installed on a RaspPi 5 using a YubiKey to store my root certificate and key. I can issue certificates with no problem using the following:
However, I would like to better understand the use of ACME. I've added an ACME provisioner, and I can confirm that this works as I was able to use pfSense's ACME package to issue a certificate. Okay, so everything is working… what's my problem??
So my issue is I don't fully understand how ACME can be used to request a certificate from the CA unless I am physically logged in to the machine that has the FQDN I am trying to issue the certificate for. I was under the impression the ACME client (take your pick) would issue a "POST" placing the challenge token into the web server's root at ".well-known/acme-challenge/". However, when I have tried this, the challenge verification fails.
To test this, I spun up Debian, installed Nginx, and used pfSense's ACME package to request a certificate for the FQDN test.wakefield.lan (wakefield.lan being my internal network domain). I configured pfSense's ACME client to use standalone HTTP (HTTP-01) for verification. DNS is working fine, and from my CA, I can use curl to access the website at test.wakefield.lan. However, what I don't see is any kind of POST happening from the ACME client (just acme.sh under the hood) to the web server at test.wakefield.lan. So how is the token supposed to be validated if it's never pushed to the web server?
Isn't one of the functions of an ACME client (all ACME clients that support HTTP-01 validation) supposed to be delivering the token to the web server so it can be validated? Or, am I completely missing the design of this solution? I know there are all kinds of wonderful DNS APIs that can be used or even manual DNS verification, but this HTTP-01 validation has me stumped from a workflow perspective and I really want to understand why my logic and understanding of this method is not correct.
Any explanations to get me out of this rut would be greatly appreciated...
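The HTTP-01 exchange the question is about, as an added example that is not part of the original post or of step-ca/acme.sh: the ACME client running on the server computes the key authorization (token plus the account key's thumbprint) and writes it under the web root (or serves it itself in standalone mode), and the CA simply GETs that URL and compares; no POST to the web server is involved. The account key coordinates and the web root are constructed placeholders.

```python
import base64
import hashlib
import json
import os
import tempfile


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample account key (public part only). The coordinates are
# placeholders, not a real P-256 point; only the thumbprint arithmetic matters.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def client_place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Webroot-mode client step, run on the server itself: write a local file."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def ca_validate(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """CA step: body of GET http://<fqdn>/.well-known/acme-challenge/<token>
    must equal the key authorization for the account that placed the order."""
    return fetched_body.strip() == key_authorization(token, account_jwk)


def demo() -> tuple:
    token = b64url(os.urandom(32))  # in practice chosen by the CA, random here
    with tempfile.TemporaryDirectory() as webroot:
        path = client_place_challenge(webroot, token, ACCOUNT_JWK)
        with open(path, encoding="ascii") as fh:
            body = fh.read()  # stands in for the CA's HTTP GET over the network
        ok = ca_validate(body, token, ACCOUNT_JWK)
        other = dict(ACCOUNT_JWK, x=b64url(bytes(32)))  # a different account key
        return ok, ca_validate(body, token, other)
```

`demo()` returns `(True, False)`: the file the local client wrote satisfies the CA, while the same body presented for a different account key does not, which is why the client has to sit where the FQDN's web server (or its port 80) is.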