implement ACME external account binding (EAB)

where a new acme account is created with a reference to an existing non-acme account known by the acme provider. some acme providers require this.
2025-07-10 06:34:40 +03:00 · 2023-12-22 10:34:55 +01:00
parent db3fef4981
commit ee1094e1cb
5 changed files with 65 additions and 10 deletions
--- a/config/doc.go
+++ b/config/doc.go
@ -101,6 +101,22 @@ describe-static" and "mox config describe-domains":
 			# Encrypt, this value is set automatically to letsencrypt.org. (optional)
 			IssuerDomainName:

+			# ACME providers can require that a request for a new ACME account reference an
+			# existing non-ACME account known to the provider. External account binding
+			# references that account by a key id, and authorizes new ACME account requests by
+			# signing it with a key known both by the ACME client and ACME provider.
+			# (optional)
+			ExternalAccountBinding:
+
+				# Key identifier, from ACME provider.
+				KeyID:
+
+				# File containing the base64url-encoded key used to sign account requests with
+				# external account binding. The ACME provider will verify the account request is
+				# correctly signed by the key. File is evaluated relative to the directory of
+				# mox.conf.
+				KeyFile:
+
 	# File containing hash of admin password, for authentication in the web admin
 	# pages (if enabled). (optional)
 	AdminPasswordFile: