Implement ZeroSSL API #6064
Comments
I am currently working on this and have a question. Are we looking to implement all the api endpoints provided by zerossl or just the equivalent ones to what we currently have with ACME?
Awesome! Just the ones necessary to fulfill the Issue method.
Hi, thanks @armadi1809 for working on this. I think this just became more urgent, as ZeroSSL deployed an update to their ACME endpoints with way stricter rate limits last week:
Also, regarding lifting the levels for paying customers, they said:
@mholt I'm using certmagic, without caddy. Do you think the ZeroSSL API could also be implemented in certmagic / does it make sense? Or would the solution be me copying the ZeroSSL Issuer to my codebase?
I'll circle back to this this week if not today; and I'll see if this can go in certmagic.
Ok, I'm working on this today, building on @armadi1809's work.
@mholt thanks! Would sth like this work out for certmagic? This is the zerosslissuer from the linked PR, with the caddy-stuff removed: https://gist.github.com/aplr/1e251650f1c452f12ab98460e5ccadc1
@aplr Probably; I will try to have it included in CertMagic as well.
Initial implementation here: https://github.com/caddyserver/zerossl Has some bugs, but currently in contact with ZeroSSL to get those worked out.
@mholt thanks! I've also jumped into the rabbit hole today. I've found it's a massive endeavour to make this work with on-demand issue & renew, and adding DNS & HTTP solvers. It's essentially re-implementing your whole mholt/acmez package, but with the ZeroSSL API, as well as the adapters in certmagic, am I right with that?
@aplr Hmm, that doesn't sound quite right. Any Issuer can be used for On-Demand TLS; but the DNS & HTTP "solvers" are concepts related to ACME, which the ZeroSSL API is an alternative to. I imagine the integration into CertMagic will be fairly straightforward, maybe could benefit from some refactoring; but then the integration into Caddy should be even easier.
Ok, I see. I guess it blew up as I wrote it outside of certmagic, and I had to copy lots of private structs & functions, which is of course not the case when integrating it into certmagic. But yes, I agree, with the right abstraction lots of code might be reusable, as it's the same concepts.
I'll be working on the CertMagic/Caddy integration soon-ish :)
Is there any update or timeline for integrating the zerossl REST Api to Caddy?
I have it working but both myself and my contact at ZeroSSL have been traveling so I'm hoping to finish it up soon. There's one remaining question I am working through.
Could you bring up IPv6 subject names with your contact at zerossl? I've not been able to get past their frontline support agents.
Yeah I will. Anyway this is done in #6229.
Right now, the ZeroSSL issuer only uses the ZeroSSL API to generate EAB for a user's email address. Then it proceeds to use ACME.
This is useful for most people with free accounts, but those with paid accounts won't be able to reap the benefits of their higher limits, etc (because ZeroSSL's software stack is more flexible when using the API). Paid users need to use the API to be able to access all the features they're paying for.
Should be pretty simple to implement: https://zerossl.com/documentation/api/
It will need to be opt-in, as simply providing an API key can be done by free account users as well, and if we use the API for them we'd quickly break their deployments if they're not prepared to pay for the API. So maybe a bool option to toggle on the use of the API.
Anyone can take this up, or I will get around to it soon (working through a backlog to start the year!)