Support providing existing certificate with HTTP01 challenge

[ne20002]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

I have a set of servers only used in my internal network. Currently neither using LetsEncrypt nor SmallStep offer a sitisfying solution.

• To use a LetsEncrypt certificate I would need to use DNS challenge which would require to use the challenge token on all servers where I would need such a certificate.
• Using Smallstep works for creating the certificate but many Apps on Android are unable to accept such a certificate even when the root certificate of my internal CA is added as trusted private CA certificate (e.g. Firefox has an extra setting that needs to be enabled to support private CA certificates but many other Apps don't have that).

Why is this needed?

To easy the handling for these circumstances I would like to do the following:

1.) request a wildcard certificate from LetsEncrypt for my domain. This should be done only on the server that is also running smallstep CA. This can be accomplished by e.g. the certbot client.
2.) make this wildcard from LetsEncrypt available to SmallStep Acme server
3.) when requesting a certificate from SmallStep acme server by an internal server, deliver the LetsEnrypt wildcard certificate

With a setup like this, I can use StepCA internaly and only need one system to request a LetsEncrypt wildcard certificate with DNS01 challenge. The Android apps would work without complaining.

As an extension, I would also like to be able to cross sign the wildcard certificate from LetsEncrypt with my own CA's certificate before delivering it to the internal servers.

[hslatman]

Hey @ne20002,

Thank you for opening the issue. We've discussed it during triage, and our verdict is that it sounds like this needs to be solved closer on the client side, as the suggestion doesn't seem to be the responsibility of our CA. We do have some suggestions/remarks, though:

• Firstly, do you have more information on which Android apps you're trying to use? It sounds like those apps should be using the system certificate store, or should at least offer an option to trust other root certificates.
• Secondly, assuming you get the wildcard certificate once, there's the issue of distributing the private key: you'll have to manage that part too. And the ACME clients on your servers will need to have the option to use an existing private key.

We think you're better served by a different solution, especially if your apps can't be made to trust your internal root CA (but really, they better should). You mentioned you didn't want all your ACME clients to have the power to update DNS records. You could look into using https://github.com/joohoi/acme-dns, which is a DNS server limited to serving the ACME DNS challenge responses. Using that you can limit access to your DNS records. An alternative, but similar approach is by using https://github.com/mdbraber/acmeproxy. And yet another option that would centralize managing the certificate obtained through Let's Encrypt is CertWarden: https://www.certwarden.com/.

[ne20002]

Thank you very much. These are valid points indeed. I will have a look on the mentioned projects.