On 05/05/2026 19:31, William Lallemand wrote:
> On Fri, May 01, 2026 at 09:06:19PM +0300, Mia Kanashi wrote:
>> A thing about EAB is that it is /required only during account creation/
>> so it is unexpectedly complex to think about.
>> Also some CAs provide an EAB credential pair that is reused between
>> multiple account order requests, for example ZeroSSL, but others like
>> Google Trusted Services require a unique EAB credential for each new
>> account creation request.
>>
>
> Do you have an example on how to use that with ZeroSSL? I'll try to test that
> but that's a bit confusing for now.

So the setup for zerossl is something like the following in the config:

    acme zerossl
        directory https://acme.zerossl.com/v2/DV90
        account-key /tmp/zerossl.account.key # optional
        eab-key-id /tmp/zerossl.eab.id # optional
        eab-mac-key /tmp/zerossl.eab.key # optional
        challenge http-01
        map virt@acme

First you need to have a ZeroSSL account; they require you to register.
On their website they have a button to generate EAB credentials,
which you then write to the filesystem as two separate files.
They also have an API endpoint for that to automate it:
https://zerossl.com/documentation/acme/generate-eab-credentials/

And reuse means that if you don't persist or remove ./zerossl.account.key
you recreate the account with the same credentials and it won't error,
although keep in mind that they have the same rate limits as LE.
But after you have persisted the account key you can remove the EAB files.

ZeroSSL is probably the easiest to get started with if you want to test
it against the "production" version, but....

If you just want to test EAB and not mess with that, I recommend just doing
it through Pebble, they have EAB support, if you didn't know.
I know it wasn't obvious to me that Pebble supports that too :')

Here are example config fields for Pebble:
https://github.com/letsencrypt/pebble/blob/b1e1ca4f3c30abb64111adaca4544bc5374cc306/test/config/pebble-config-external-account-bindings.json#L14-L19

And creating creds like this for example:

    echo kid-1 > /tmp/zerossl.eab.id
    echo zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W > /tmp/zerossl.eab.key

Pebble persists credentials like ZeroSSL as they are in the config :)
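
Added example, not part of the message above and not HAProxy's or Pebble's code: what the two EAB files are used for at account creation, following RFC 8555 section 7.3.4, where the client MACs its account public key with the CA-issued key and the CA checks that binding. The function names, the HS256 choice, the account JWK and the newAccount URL are assumptions or constructed values; the key id and MAC key are the Pebble test values quoted above.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    text = text.strip()  # files written with `echo` end in a newline
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key_b64: str, protected: str, payload: str) -> bytes:
    return hmac.new(b64url_decode(key_b64), f"{protected}.{payload}".encode(),
                    hashlib.sha256).digest()

def build_eab(kid, mac_key_b64, account_jwk, new_account_url):
    """Client side: JWS over the account public key, MACed with the EAB key."""
    header = {"alg": "HS256", "kid": kid.strip(), "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(mac_key_b64, protected, payload))}

def verify_eab(eab, mac_keys, account_jwk, new_account_url):
    """CA side: known kid, no nonce, same URL, same account key, valid MAC."""
    header = json.loads(b64url_decode(eab["protected"]))
    key_b64 = mac_keys.get(header.get("kid"))
    if key_b64 is None or header.get("alg") != "HS256" or "nonce" in header:
        return False
    if header.get("url") != new_account_url:
        return False
    if json.loads(b64url_decode(eab["payload"])) != account_jwk:
        return False
    expected = _mac(key_b64, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

# Contents of the two files from the message above, trailing newline included.
EAB_KID = "kid-1\n"
EAB_MAC_KEY = "zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W\n"
# Constructed values: placeholder account JWK and newAccount URL.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
NEW_ACCOUNT_URL = "https://acme.example/new-account"

if __name__ == "__main__":
    eab = build_eab(EAB_KID, EAB_MAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    # This object is sent as "externalAccountBinding" in the newAccount payload.
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, {"kid-1": EAB_MAC_KEY}, ACCOUNT_JWK, NEW_ACCOUNT_URL))
```

The MAC covers only the account public key and the newAccount URL, so once the account exists the EAB key plays no further part in the protocol.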