Can ZeroSSL support be added?

[PathfinderNetworks]

I'm not a developer so not sure what would be needed for this.
I'm currently using LetsEncrypt for my HTTPS cert on my MeshCentral server. It had been working fine since about 2018 or so when the support was first added. But, as of April, I can no longer get LetsEncrypt to complete renewals due to changes they've recently made with using more verification servers in 'less secure' parts of the word. I used geolocation blocking on my firewall so these new countries are being blocked- which is causing the renewals to also fail.
At any rate, instead of loosening up my network security I decided to move to ZeroSSL. ZeroSSL uses the same ACME client as LetsEncrypt but uses a different verification method. You have to set up an account with ZeroSSL (which is free) and then generate what they call EAB credentials (like an API key) that is used to authenticate the ACME client.
I was able to configure/use WinACME for my IIS websites to pull certs from ZeroSSL without much issue (just required making a change to the config.json to point the DefaultBaseUri to the ZeroSSL server). WinACME then asked for the EAB credentials on the first run.

At any rate, if this support could be added to MeshCentral that would be extremely helpful.
Here is a link to their ACME documentation. Admittedly their documentation is rather limited. But it was enough for me to figure out how to get WinACME to work. https://zerossl.com/documentation/acme/

[si458]

just an update on this, i have been working on this and hit an issue.
ZeroSSL implement a 429 rate limit, which means you cant order more then like 2-3 domains per certificate at a time per minute !?
cert-manager/cert-manager#5867
would this be ok to limt the domains to say 2 if you use zerossl ?
if i use the acme-clientauto method, i can only get 2 (maybe 3) domains renewed on the same SSL
(i had 5 for my testing but kept failing).

if not im gunna have to write an implemtation of getting authz etc manually and do 1 second waits between each one the domains to try and avoid the rate limiting

[PathfinderNetworks]

ZeroSSL, for the free accounts at least, does limit you to 3 domains. So that's probably the limitation you are running in to? In my use case, I only have one MeshCentral domain so the limit doesn't impact me (I do have two other domains under my ZeroSSL account currently so mesh would be my third).

[si458]

From what I've read it's only 3 limit if you use the rest api, but if you use the acme then it's unlimited!? And the ace was simply enough to change just doesn't work with more than 3 domains groan

[si458]

@PathfinderNetworks ive done a PR which adds the zerossl to the letsencrypt section #6084

  "letsEncrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "[email protected]",
    "names": "mc.mydomain.com,test1.mc.mydomain.com,test2.mc.mydomain.com",
    "skipChallengeVerification": true,
    "production": true,
    "zerossl": {
      "kid": "a1b2c3d4e5",
      "hmacKey": "a1b2c3d4e5"
    }
  },

please note: im hitting the stupid 429 too many requests limit, so its a 50/50 it works for yourself
it requires either a rebuild of acme-client to basically wait like 500miliseconds between each HTTP call
OR
we build our own acme-client into meshcentral and remove the dependency

[PathfinderNetworks]

My apologies, just getting back to this. If I wanted to implement this on my end to test how do I go about that? I'm assuming I would need to download the modified letsencrypt.js and meshcentral-config-schema.json files and replace my existing files with those and update my config.json file to add the zerossl info?

[si458]

Yes if u want to patch it urself the PR is here - #6084
But download the 3 files from the master branch, replace them, restart meshcentral,
Then edit ur config.json with the zerossl like above, then backup ur letsencrypt-certs folder inside meshcentral-data and then remove it, then restart meshcentral
U need to get the EAB credentials from ur Web panel when u login, it creates them once and u can it over n over again which is nice