On Tue, May 05, 2026 at 08:21:19PM +0300, Mia Kanashi wrote:
> Subject: Re: [PATCH 3/4] MINOR: acme: implement EAB - external account binding
>
> On 05/05/2026 19:31, William Lallemand wrote:
> > On Fri, May 01, 2026 at 09:06:19PM +0300, Mia Kanashi wrote:
> >> A thing about EAB is that it is /required only during account creation/
> >> so it is unexpectedly complex to think about.
> >> Also some CAs provide EAB credential pair that is reused between
> >> multiple account order requests, for example ZeroSSL, but others like
> >> Google Trusted Services require a unique EAB credential for each new
> >> account creation request.
> >>
> >
> > Do you have an example on how to use that with ZeroSSL? I'll try to test that
> > but that's a bit confusing for now.
>
> So the setup for zerossl is something like the following in the config:
>
> acme zerossl
>     directory https://acme.zerossl.com/v2/DV90
>     account-key /tmp/zerossl.account.key # optional
>     eab-key-id /tmp/zerossl.eab.id # optional
>     eab-mac-key /tmp/zerossl.eab.key # optional
>     challenge http-01
>     map virt@acme
>
> First you need to have zerossl account, they require you to register,
> on their website they have a button to generate EAB credentials,
> which you then write to the filesystem as two separate files.
> They also have an API endpoint for that to automate it:
> https://zerossl.com/documentation/acme/generate-eab-credentials/
>
> And reuse means that if you don't persist or remove ./zerossl.account.key
> you recreate the account with same credentials and it won't error,
> although keep in mind that they have same rate limits like LE.
> But after you persisted the account key you can remove the EAB files.
>
> ZeroSSL is probably the easiest to get started with if you want to test
> it against the "production" version, but....
>
> If you just want to test EAB and not mess with that, I recommend just doing
> it through Pebble, they have EAB support, if you didn't know.
> I know it wasn't obvious to me that Pebble supports that too :')
>
> Here is an example config fields for Pebble:
> https://github.com/letsencrypt/pebble/blob/b1e1ca4f3c30abb64111adaca4544bc5374cc306/test/config/pebble-config-external-account-bindings.json#L14-L19
>
> And creating creds like this for example:
> echo kid-1 > /tmp/zerossl.eab.id
> echo zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W > /tmp/zerossl.eab.key
>
> Pebble persists credentials like ZeroSSL as they are in the config :)
>

Thank you, I'll test this tomorrow.

-- 
William Lallemand
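
Added example (not part of the thread and not HAProxy's code): what an ACME client does with the two EAB files discussed above when it creates the account, following RFC 8555 section 7.3.4, plus the check the CA runs on its side. HS256, the newAccount URL and the JWK coordinates are assumptions made for the sketch; the key id and MAC key are the Pebble sample values quoted in the thread.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    text = text.strip()  # a file written with `echo` ends in a newline
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(mac_key_b64: str, protected: str, payload: str) -> str:
    key = b64url_decode(mac_key_b64)  # the MAC key is handed out base64url-encoded
    signing_input = f"{protected}.{payload}".encode("ascii")
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())

def build_eab(kid, mac_key_b64, account_jwk, new_account_url) -> dict:
    """externalAccountBinding JWS that goes inside the newAccount payload."""
    # Protected header: a MAC algorithm, the CA-issued key id, and the same
    # URL as the outer newAccount request. The inner JWS carries no nonce.
    header = {"alg": "HS256", "kid": kid.strip(), "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    # Payload: the public JWK of the ACME account key being bound.
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    return {"protected": protected, "payload": payload,
            "signature": _mac(mac_key_b64, protected, payload)}

def verify_eab(eab: dict, mac_key_b64: str) -> bool:
    """CA-side check: recompute the HMAC with the stored MAC key."""
    expected = _mac(mac_key_b64, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, eab["signature"])

# Key id and MAC key: Pebble sample values from the thread, as `echo` wrote them.
SAMPLE_KID = "kid-1\n"
SAMPLE_MAC_KEY = "zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W\n"
# Constructed placeholders, not a real account key or endpoint.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
NEW_ACCOUNT_URL = "https://pebble.example:14000/sign-me-up"

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_MAC_KEY, SAMPLE_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, SAMPLE_MAC_KEY))
```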

