https://enotty.pipebreaker.pl/enTue, 26 Aug 2025 06:54:04 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rsshttps://enotty.pipebreaker.pl/posts/2025/08/actalis-eab-acme-works-it-was-base64url-issue/Tomasz Torcz<p>As an addendum to <a class="reference external" href="https://enotty.pipebreaker.pl/posts/2025/08/leaving-buypass-as-acme-provider/">yesterday's note</a>: I've got Actalis issuer to work with <code class="docutils literal"><span class="pre">cert-manager</span></code>.</p> <p><code class="docutils literal"><span class="pre">cert-manager</span></code> expects some credentials to be in so-called <code class="docutils literal">base64url</code> encoding, which is <a class="reference external" href="https://cert-manager.io/docs/configuration/acme/#external-account-bindings">stated in a note</a> in the documentation. Fix was easy, I had to remove <code class="docutils literal">=</code> from provided HMAC Keys. The docs have <code class="docutils literal">sed</code> invocation to use.</p> <p>002/100 of <a class="reference external" href="https://100daystooffload.com/">#100DaysToOffload</a></p>100DaysToOffloadenglishhttps://enotty.pipebreaker.pl/posts/2025/08/actalis-eab-acme-works-it-was-base64url-issue/Wed, 20 Aug 2025 07:55:32 GMThttps://enotty.pipebreaker.pl/posts/2025/08/leaving-buypass-as-acme-provider/Tomasz Torcz<p>For a long time I've been using BuyPass as TLS certificates provider for ACME. Unfortunately they <a class="reference external" href="https://community.buypass.com/t/y4y130p">decided to disengage from this area of services</a>.</p> <p>There are <a class="reference external" href="https://acmeclients.com/certificate-authorities/">quite a few ACME providers</a>. Some even look like they could replace BuyPass, which had two strong traits: it is based in Europe and was providing certificates valid for half a year. It looked like <a class="reference external" href="https://www.actalis.com/subscription">Actalis</a> would be a good replacement. They're from Italy and have 1 year certificates, but available in paid plans only.</p> <p>After some tinkering with <code class="docutils literal"><span class="pre">cert-manager</span></code> I was unable to make it work. Some cryptic, discouraging messages like <code class="docutils literal">"ACME server URL host and ACME private key registration host differ. <span class="pre">Re-checking</span> ACME account registration"</code> and <code class="docutils literal">"failed to verify ACME account" <span class="pre">err="failed</span> to decode external account binding key data: illegal base64 data at input byte 43"</code> made me look further.</p> <p>Next shot, <a class="reference external" href="https://cert-manager.io/docs/tutorials/zerossl/zerossl/">ZeroSSL</a> worked straight away. Worth noting – official <code class="docutils literal"><span class="pre">cert-manager</span></code> documentation has a tutorial on using ZeroSSL. There are some limitation, but it's fine to me. There's nothing more to write, it just works.</p> <p>For private services (meant to be accessed only from my devices), I'm using <a class="reference external" href="https://enotty.pipebreaker.pl/posts/2021/11/acme-freeipa-super-easy/">FreeIPA as an ACME provider</a>, of course.</p> <p>Why not Let's Encrypt? Only because it is not <em>hipster</em> enough.</p> <blockquote> <p>This is post 001/100 of <a class="reference external" href="https://100daystooffload.com/">100DaysToOffload</a> challenge. I intend to write short posts about nothing in particular, just collected thoughts. Language will vary: Polish, English, maybe Arabic if I get back to learning it.</p> </blockquote>100DaysToOffloadenglishhttps://enotty.pipebreaker.pl/posts/2025/08/leaving-buypass-as-acme-provider/Tue, 19 Aug 2025 18:26:33 GMT