Move ACME setup to pure PK config, no EAB, since Google requires it

Author: pimterry

fly.toml

@@ -15,7 +15,7 @@ primary_region = 'cdg'
   PROACTIVE_CERT_DOMAINS = 'testserver.host,example.testserver.host,http1.testserver.host,http2.testserver.host'
 
   ACME_PROVIDER = 'google' # or 'letsencrypt', 'zerossl'
-  # For google/zerossl you'll need to set ACME_EAB_HMAC and ACME_EAB_KID secrets for auth
+  # Set ACME_ACCOUNT_KEY secret (PEM format) - see src/tls-certificates/acme.ts for details
 
 [[services]]
   protocol = "tcp"

src/server.ts

@@ -11,7 +11,7 @@ import { createHttp1Handler, createHttp2Handler } from './http-handler.js';
 import { createTlsHandler, CertMode } from './tls-handler.js';
 import { ConnectionProcessor } from './process-connection.js';
 
-import { AcmeCA, AcmeProvider, ExternalAccessBindingConfig } from './tls-certificates/acme.js';
+import { AcmeCA, AcmeProvider } from './tls-certificates/acme.js';
 import { LocalCA, generateCACertificate } from './tls-certificates/local-ca.js';
 import { PersistentCertCache } from './tls-certificates/cert-cache.js';
 
@@ -32,9 +32,9 @@ declare module 'stream' {
 interface ServerOptions {
     domain?: string;
     acmeProvider?: AcmeProvider;
+    acmeAccountKey?: string;
     proactiveCertDomains?: string[];
     certCacheDir?: string;
-    eabConfig?: ExternalAccessBindingConfig;
 }
 
 async function generateTlsConfig(options: ServerOptions) {
@@ -79,8 +79,11 @@ async function generateTlsConfig(options: ServerOptions) {
     if (!options.certCacheDir || !AcmeCA) {
         throw new Error(`Can't enable ACME without configuring a cert cache directory (via $CERT_CACHE_DIR)`);
     }
+    if (!options.acmeAccountKey) {
+        throw new Error(`Can't enable ACME without configuring an account key (via $ACME_ACCOUNT_KEY)`);
+    }
 
-    const acmeCA = new AcmeCA(certCache!, options.acmeProvider, options.eabConfig);
+    const acmeCA = new AcmeCA(certCache!, options.acmeProvider, options.acmeAccountKey);
     acmeCA.tryGetCertificateSync(rootDomain); // Preload the root domain every time
 
     return {
@@ -182,9 +185,7 @@ if (wasRunDirectly) {
         domain: process.env.ROOT_DOMAIN,
         proactiveCertDomains: process.env.PROACTIVE_CERT_DOMAINS?.split(','),
         acmeProvider: process.env.ACME_PROVIDER as AcmeProvider | undefined,
-        eabConfig: process.env.ACME_EAB_KID && process.env.ACME_EAB_HMAC
-            ? { kid: process.env.ACME_EAB_KID, hmacKey: process.env.ACME_EAB_HMAC }
-            : undefined,
+        acmeAccountKey: process.env.ACME_ACCOUNT_KEY,
         certCacheDir: process.env.CERT_CACHE_DIR
     }).then((tcpHandler) => {
         ports.forEach((port) => {

src/tls-certificates/acme.ts

@@ -22,36 +22,30 @@ const SUPPORTED_ACME_PROVIDERS = [
 
 export type AcmeProvider = typeof SUPPORTED_ACME_PROVIDERS[number];
 
-export interface ExternalAccessBindingConfig {
-    kid: string;
-    hmacKey: string;
-}
-
 export class AcmeCA {
 
+    private readonly acmeClient: ACME.Client;
+
     constructor(
         private certCache: PersistentCertCache,
         private acmeProvider: AcmeProvider,
-        private eabConfig: ExternalAccessBindingConfig | undefined
+        accountKey: string
     ) {
         if (!SUPPORTED_ACME_PROVIDERS.includes(acmeProvider)) {
             throw new Error(`Unsupported ACME provider: ${acmeProvider}`);
         }
+
+        this.acmeClient = new ACME.Client({
+            directoryUrl: ACME.directory[this.acmeProvider].production,
+            accountKey
+        });
     }
 
     private pendingAcmeChallenges: { [token: string]: string | undefined } = {}
     private pendingCertRenewals: { [domain: string]: (Promise<AcmeGeneratedCertificate> & { id: string }) | undefined } = {};
 
-    private readonly acmeClient = ACME.crypto.createPrivateKey().then(
-        (accountKey) => new ACME.Client({
-            directoryUrl: ACME.directory[this.acmeProvider].production,
-            accountKey,
-            externalAccountBinding: this.eabConfig
-        })
-    );
-
-    async getChallengeResponse(token: string) {
-        const challengeResponse = (await this.acmeClient).getChallengeKeyAuthorization({
+    getChallengeResponse(token: string) {
+        const challengeResponse = this.acmeClient.getChallengeKeyAuthorization({
             token,
             type: 'http-01',
             url: '',
@@ -127,7 +121,7 @@ export class AcmeCA {
         const certData = await this.requestNewCertificate(domain, options);
 
         console.log(`Revoking certificate for ${domain} (${options.attemptId})`);
-        await (await this.acmeClient).revokeCertificate(certData.cert);
+        await this.acmeClient.revokeCertificate(certData.cert);
         console.log(`Certificate revoked for ${domain} (${options.attemptId})`);
 
         return certData;
@@ -270,7 +264,7 @@ export class AcmeCA {
             commonName: domain
         });
 
-        const cert = await (await this.acmeClient).auto({
+        const cert = await this.acmeClient.auto({
             csr,
             challengePriority: ['http-01'],
             termsOfServiceAgreed: true,