
Comments (4)

rmbolger avatar rmbolger commented on May 23, 2024

Hi @marcovanbeek, thanks for reaching out. This guide on external account binding will probably help. But I'll try to explain here as well.
https://poshac.me/docs/v4/Guides/External-Account-Binding/

Essentially, ACME orders are tied to a specific ACME account and the account is tied to a specific ACME server. So when you're switching providers from Let's Encrypt to ZeroSSL, you first have to create a new account which is where you specify the EAB credentials. Once you have that account setup, you create a new certificate/order with that account active. So effectively, the order of operations is:

Set-PAServer ZEROSSL_PROD
New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact '[email protected]' -AcceptTOS
New-PACertificate example.com <etc>

as they need to be root certificates, I have to use DNS validation

Certificates on a domain/zone apex shouldn't require DNS validation unless you're trying to also get a wildcard cert for that apex. For non-wildcards, the HTTP challenge will work as long as the webserver(s) the apex points to can host the HTTP validation file.

from posh-acme.

marcovanbeek avatar marcovanbeek commented on May 23, 2024

Hi,

Yes, I tried all that, and I still get the error. I am going to wipe the existing data and try again, but from what you are saying, the New-PACertificate script will always use the active PAAccount, so I'm not missing a step or an argument?

I'll let you know / post errors after I restart the process from scratch.

BTW for 365 Hybrid connector you need a domain root certificate and you are never doing this from a server that maps back to the apex of the domain, as the Windows server is on-premises. You are basically linking an Active Directory system and Exchange server(s) with the AD in Azure and Exchange On-Line. Yes, we could upload the HTTP validation file to the web server, but that is usually controlled by a third party who use WordPress and redirect all URLs back to the CMS.


marcovanbeek avatar marcovanbeek commented on May 23, 2024

Okay, so I deleted all my existing config and just did those three steps, and that worked. I compared the old and new config and the only major difference was the LE_PROD directory from my earlier tests, so I will have a play around to see if I can break it and let you know.


rmbolger avatar rmbolger commented on May 23, 2024

but from what you are saying, the New-PACertificate script will always use the active PAAccount, so I'm not missing a step or an argument?

It will use the active account on the active server unless either of the following is true.

  • The -DirectoryUrl param is specified and doesn't match the active server
  • The -AccountKeyLength or -Contact params are specified and don't match the current account
    • In this case, it will try to find an account that matches and use that. But if none match, it will attempt to create a new one (which in retrospect won't work for providers that require EAB and end up throwing an error).

So basically, it will always use the active account if none of those 3 parameters are specified.

Yes, we could upload the HTTP validation file to the web server, but that is usually controlled by a third party who use WordPress and redirect all URLs back to the CMS.

Gotcha. Just wanted to make sure you weren't operating under false assumptions. DNS validation definitely sounds like the easier path forward. I actually prefer it, personally.

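The three-step order of operations from the first reply, together with the account-selection rules from the last one, as a single added PowerShell script. This is an example written for this page, not code from the thread or from the Posh-ACME project. It assumes the EAB credentials are supplied via two environment variables (`ZEROSSL_EAB_KID`, `ZEROSSL_EAB_HMAC`, names chosen here), that the `Get-PAServer`/`Get-PAAccount` objects expose `location` and `id` properties, and that the Cloudflare DNS plugin with its `CFToken` argument stands in for whichever DNS provider actually hosts the zone.

```powershell
# Added example: move an existing Posh-ACME setup from Let's Encrypt to ZeroSSL
# using External Account Binding, then order an apex certificate with DNS validation.
#Requires -Modules Posh-ACME

# EAB credentials come from the ZeroSSL dashboard. Read them from the environment
# (assumed variable names) so the HMAC key never lands in a script or shell history.
$eabKID  = $env:ZEROSSL_EAB_KID
$eabHMAC = $env:ZEROSSL_EAB_HMAC
if (-not $eabKID -or -not $eabHMAC) {
    throw 'Set ZEROSSL_EAB_KID and ZEROSSL_EAB_HMAC before running this script.'
}

# Step 1: make ZeroSSL the active server. Orders belong to an account and the
# account belongs to a server, so nothing created under LE_PROD carries over.
Set-PAServer ZEROSSL_PROD

# Step 2: create the account with EAB, but only if this server has none yet.
# Get-PAAccount with no arguments returns the active account for the active server.
$acct = Get-PAAccount
if (-not $acct) {
    $acct = New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC `
        -Contact 'admin@example.com' -AcceptTOS
}

# Pre-flight check: New-PACertificate reuses the active server and account unless
# -DirectoryUrl, -Contact or -AccountKeyLength disagree with them, so confirm both
# are what we expect before any order is placed. (Property names assumed.)
$server = Get-PAServer
if ($server.location -notlike '*zerossl*') {
    throw "Active server is $($server.location), not ZeroSSL; aborting."
}
Write-Host "Using account $($acct.id) on $($server.location)"

# Step 3: order the certificate. DNS validation via a plugin, because the apex
# points at a web server that is not under our control. The plugin name and its
# CFToken argument are assumptions; substitute your provider's plugin and arguments.
$pluginArgs = @{ CFToken = (Read-Host -AsSecureString 'Cloudflare API token') }

# -Contact and -AccountKeyLength are deliberately omitted: passing values that do
# not match the active account would make Posh-ACME look for, or try to create,
# another account, and account creation without EAB is exactly what ZeroSSL rejects.
New-PACertificate 'example.com' -Plugin Cloudflare -PluginArgs $pluginArgs -Verbose
```

The script is idempotent with respect to the account: a second run finds the existing ZeroSSL account and goes straight to ordering. If the order still fails, `Get-PAServer -List` and `Get-PAAccount -List` show which server and account Posh-ACME actually selected, which is the first thing to compare against the values printed above.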
