Hi Everyone,
I have a domain that is hosted through Google that I would like to set up a wildcard certificate for, but going through the ACME certificate process gives me the following result:
[Fri Nov 11 06:48:12 PST 2022] Register account Error: {"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information. request-id: PcoI/gxPD2IIqc78EbvgqA==","requestID":"PcoI/gxPD2IIqc78EbvgqA=="}
I went to https://tools.ietf.org/html/rfc8555#section-7.3.4 and determined that I needed to register an account somehow with Google to accomplish this.
I eventually stumbled upon https://cloud.google.com/blog/products/identity-security/automate-public-certificate-lifecycle-management-via--acme-client-api to, I thought, start some of this process, which then led me to certbot to get things registered.
The certbot wanted specific keys from Google to work though, so I eventually got into Google Cloud and ran the following [some info obscured]:
gcloud projects add-iam-policy-binding project-name --member=user:email-address@gmail.com --role=roles/publicca.externalAccountKeyCreator
gcloud alpha publicca external-account-keys create
Updated property [core/project].
Updated IAM policy for project [project-name].
bindings:
- members:
  - user:email-address@gmail.com
  role: roles/owner
- members:
  - user:email-address@gmail.com
  role: roles/publicca.externalAccountKeyCreator
etag: tag
version: 1
Created an external account key [b64MacKey: eab-hmac-key keyId: eab-key]
I then ran the following on an Ubuntu Raspberry Pi [again, some info obscured]:
uquevedo@raspi:~$ sudo certbot register --email email-address@gmail.com --no-eff-email --server "https://dv.acme-v02.api.pki.goog/directory" --eab-kid "eab-key" --eab-hmac-key "eab-hmac-key"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at https://pki.goog/GTS-SA.pdf. You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes
Account registered.
I thought this was enough to get things registered, but that doesn't seem to be the case? Because when I go to request the key again using the Google ACMEv2, I still get the following:
[Sat Nov 12 07:26:15 PST 2022] Register account Error: {"type":"urn:ietf:params:acme:error:externalAccountRequired","detail":"External Account Binding is required for new accounts. See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more information. request-id: PcoI/gxPD2IIqc78EbvgqA==","requestID":"PcoI/gxPD2IIqc78EbvgqA=="}
Navigating Google's myriad of services and products is so confusing, and I'm not sure I've set up anything properly?
Has anyone gotten this working through Google for the wildcard SSL certificates with the Google ACMEv2 key creation?
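As an added example (not code from the post, from Google, or from certbot), this is what the RFC 8555 section 7.3.4 "External Account Binding" in the error message actually is: the ACME client signs its own newly generated account public key with the EAB MAC key, and the CA checks that signature when the account is created. Because the payload is the client's own account key, a binding made during one client's registration is not something another client with a different account key can reuse. The key ID, MAC key, account JWK and newAccount URL below are constructed placeholders (the real newAccount URL comes from the CA's directory).

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Decode base64/base64url input, tolerating missing padding."""
    s = s.replace("+", "-").replace("/", "_")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_eab(account_jwk: dict, eab_kid: str, eab_hmac_key: str, new_account_url: str) -> dict:
    """Client side: build the externalAccountBinding JWS for a newAccount request.
    Protected header carries HS256, the CA-issued key ID and the newAccount URL;
    the payload is the client's own account public key (JWK)."""
    hdr = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected = b64url(json.dumps(hdr, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(eab_hmac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}


def verify_eab(eab: dict, eab_hmac_key: str, kid: str, new_account_url: str, account_jwk: dict) -> bool:
    """CA side: header must match, payload must equal the account key of the outer
    newAccount JWS, and the HMAC must verify with the key registered for that kid."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        payload = json.loads(b64url_decode(eab["payload"]))
        sig = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if header != {"alg": "HS256", "kid": kid, "url": new_account_url} or payload != account_jwk:
        return False
    mac = hmac.new(b64url_decode(eab_hmac_key), f"{eab['protected']}.{eab['payload']}".encode(), hashlib.sha256)
    return hmac.compare_digest(mac.digest(), sig)


# Constructed sample values; none of these are real credentials or a real key.
EAB_KID = "eab-key"
EAB_HMAC_KEY = b64url(b"constructed-mac-key-for-the-example-only")
NEW_ACCOUNT_URL = "https://dv.acme-v02.api.pki.goog/new-account"  # placeholder, read it from the directory
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

if __name__ == "__main__":
    eab = build_eab(ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, EAB_HMAC_KEY, EAB_KID, NEW_ACCOUNT_URL, ACCOUNT_JWK))
```

The practical consequence is that each ACME client (certbot, acme.sh, the pfSense ACME package) needs the EAB key ID and MAC key entered into its own account configuration, since each one generates and binds its own account key.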
-
Hi Everyone,
I asked the same question over in the Let's Encrypt forums, and I got some great answers and clarification on what I was trying to do. https://community.letsencrypt.org/t/acmev2-ssl-with-google/187727/18
Hopefully Google will do ACME wildcard verification through Google Domains in the future.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.