ACME Package for ACME v2 coming

  • Rebel Alliance Developer Netgate

    I am working on getting the ACME package ready for the launch of ACME v2 later this month. I have synchronized the code in the devel branch for 2.4.3 snapshots but not for other versions yet. It won't show up until the next snapshot run. Look for ACME package version

    For users of existing certificates, not much will change, but it's good to make sure existing certificates still renew properly, and that new certificates on the v1 servers work as expected.

    You cannot create a trusted wildcard certificate yet because Let's Encrypt does not have production ACME v2 servers online until later this month. The staging server is up, and you can use those to ensure that your validation is working properly for when the production servers go live.

    Updates include:

    • updated to support ACME v2
    • Wildcard domain support
        * EXPERIMENTAL!! This requires ACME v2 and ONLY the staging server is online right now. Use for testing only.
    • ACME v2 server URLs added to Account Key options
        * EXPERIMENTAL!! ONLY the staging server is online right now. Use for testing only. Let's Encrypt is launching this service for production use later this month.
    • E-Mail Address support added to Account Key options (Let's Encrypt, NOT this package, will send you an e-mail if your certificate is expiring and hasn't been renewed)
    • Misc bug fixes

    New Providers:

    • AutoDNS (InternetX)
    • Azure (Microsoft)
    • Namesilo
    • Selectel

    Providers with updates/bug fixes:

    • AWS
    • Cloudflare
    • INWX
    • ISPConfig
    • OVH
    • Yandex

    Creating a Wildcard certificate

    Wildcard certificates require ACME v2 and a DNS-based validation method. They cannot be used with other modes (e.g. standalone, webroot, webroot ftp, haproxy integration, etc).

    To make a wildcard certificate, you must validate for the base domain of the wildcard. For example: To make a wildcard certificate for "*", you must be able to update the TXT record for A common practice is to set up a certificate that contains and * domains and use the same update method for both.

    Special note for nsupdate/RFC2136: Set the Key Name to in this case
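    The following is an added example, not code from the ACME package or from the post above: a small pre-flight check that applies the rules described here (wildcards need ACME v2 and a DNS validation method, and the wildcard and its base domain are validated through the same TXT record name). The method names in DNS_METHODS are assumed placeholders, and the `_acme-challenge` label comes from the ACME DNS-01 challenge (RFC 8555), not from the post.

```python
# Constructed example: check a planned certificate against the wildcard rules
# before touching the ACME staging server.
DNS_METHODS = {"dns-manual", "dns-nsupdate", "dns-cloudflare", "dns-aws"}  # assumed names


def base_domain(name):
    """Strip a single leading '*.' label; reject any other use of '*'."""
    if name.startswith("*."):
        base = name[2:]
        if not base or "*" in base:
            raise ValueError(f"invalid wildcard name: {name}")
        return base
    if "*" in name:
        raise ValueError(f"wildcard must be the leftmost label only: {name}")
    return name


def challenge_record(name):
    """DNS-01 validates the base domain, so the record name is the same for
    'example.com' and '*.example.com' (each gets its own TXT value there)."""
    return "_acme-challenge." + base_domain(name)


def plan_validation(names, method, acme_version):
    """Return {txt_record_name: [names validated through it]} or raise if the
    requested combination cannot work under the rules in the post."""
    wildcards = [n for n in names if n.startswith("*.")]
    if wildcards and acme_version != 2:
        raise ValueError("wildcard names require ACME v2")
    if wildcards and method not in DNS_METHODS:
        raise ValueError(f"wildcard names require a DNS validation method, not {method}")
    records = {}
    for n in names:
        records.setdefault(challenge_record(n), []).append(n)
    return records


def validation_problem(names, method, acme_version):
    """Convenience wrapper: the error message, or None when the plan is valid."""
    try:
        plan_validation(names, method, acme_version)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(plan_validation(["example.com", "*.example.com"], "dns-manual", 2))
```

Each key in the returned dict is one TXT record name your DNS update method must be able to write; two SANs under one key means two TXT values at that name during validation.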
