Buypass Go SSL – Technical information
Obtain a certificate with Certbot
After installing Certbot you can obtain a certificate from Buypass CA. The following examples were generated using EFF’s Certbot from their official website.
Certbot requires root privileges in order to perform its operations. Certbot will auto-install its dependencies the first time a command is run using the "certbot-auto" binary. After Certbot has finished installing its dependencies you will be prompted for input. Registration is also performed automatically before a certificate is obtained from the Buypass AS ACME service.
Register to CA
Command:
| Parameter | Explanation |
|---|---|
| register | Specify task |
| -m "email" | Email address to be used for notification purposes, e.g. expiring certificates |
| --agree-tos | Automatically agree to the Terms of Service |
| --server 'URL' | Use the specified ACME server to obtain certificates |
Certbot output:
Obtain certificate
To order a certificate from Buypass you can run the following command, replacing example.com with your domain name.
Command:
| Parameter | Explanation |
|---|---|
| certonly | Specify task |
| --webroot | Obtain a certificate by writing to the webroot directory of an already running web server |
| -w | Specify the web root containing the files served by the web server |
| -d 'FQDN' | Fully Qualified Domain Name to obtain a certificate for; it must be reachable on ports 80 and 443 |
| --server 'URL' | Use the specified ACME server to obtain certificates |
Certbot output:
Managing Certificates with Certbot
- Revoke certificate
- Renew certificate
- Delete certificate
1. Revoke certificate
Revoke a previously obtained certificate by performing the following command.
Command:
| Parameter | Explanation |
|---|---|
| revoke | Start the task of revoking an existing certificate |
| --server "URL" | Use the specified ACME server |
| --cert-path "PATH" | Specify the path of the certificate to revoke |
Certbot output:
2. Renew certificate
Manual renewal of certificates can be achieved through the following command. To automate the renewal process this can be scheduled using cron.
Command:
| Parameter | Explanation |
|---|---|
| renew | Check and renew expiring certificates |
| -n | Run without user interaction |
| -q | Quiet output, reduced logging to screen |
Certbot output:
Automated renewal is scheduled in cron by invoking the following command to edit the cron tasks for the root user.
Command:
Then add the following lines to the file.
Command:
3. Delete certificate
Invoke the following command to delete a certificate. This lists the available certificates and lets you choose the one to delete completely.
Command:
| Parameter | Explanation |
|---|---|
| delete | Start the task of deleting previously obtained certificates |
Certbot output:
Buypass ACME Implementation details
Rate limits
The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.
We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalisation and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.
There is a Failed Validation limit of 5 failures per account, per hostname, per hour.
You can have a maximum of 300 Pending Authorisations on your account.
The “new-reg”, “new-authz” and “new-cert” endpoints have an Overall Requests limit of 20 per second.
The “/directory” endpoint has limit of 40 requests per second.
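The registered-domain and duplicate-certificate rules above, as an added Python example that is not part of the Buypass page: it pre-checks a new order against a constructed issuance history for one account, using a small constructed excerpt of the Public Suffix List in place of the full list.

```python
from datetime import datetime, timedelta

# Limits stated on the page (both per week, per account).
CERTS_PER_REGISTERED_DOMAIN = 20
DUPLICATE_CERTS = 5

# Constructed excerpt of the Public Suffix List; a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "no"}

def registered_domain(hostname):
    """Longest matching public suffix plus one label, e.g. new.blog.example.co.uk -> example.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown TLD: assume a single-label suffix

def normalised_names(names):
    """The page's duplicate rule: same hostname set, ignoring case and order."""
    return frozenset(n.lower().rstrip(".") for n in names)

def check_issuance(history, names, now):
    """history: (issued_at, names) tuples for this account. Returns the limits a new order would hit."""
    week_ago = now - timedelta(days=7)
    recent = [normalised_names(n) for t, n in history if t > week_ago]
    wanted = normalised_names(names)
    hits = []
    if sum(1 for n in recent if n == wanted) >= DUPLICATE_CERTS:
        hits.append(f"duplicate certificate limit ({DUPLICATE_CERTS}/week) for {sorted(wanted)}")
    for reg in sorted({registered_domain(h) for h in wanted}):
        count = sum(1 for n in recent if any(registered_domain(h) == reg for h in n))
        if count >= CERTS_PER_REGISTERED_DOMAIN:
            hits.append(f"certificates per registered domain limit ({CERTS_PER_REGISTERED_DOMAIN}/week) for {reg}")
    return hits

def demo():
    """Replays the page's own scenario on a constructed issuance history."""
    now = datetime(2024, 1, 8, 12, 0)
    pair = ["www.example.com", "example.com"]
    history = [(now - timedelta(days=d + 1), pair) for d in range(5)]  # five identical certs this week
    blocked = check_issuance(history, ["EXAMPLE.COM", "www.example.com"], now)  # sixth duplicate
    allowed = check_issuance(history, pair + ["blog.example.com"], now)  # new name set, not a duplicate
    many = [(now - timedelta(hours=h), [f"host{h}.example.com"]) for h in range(20)]  # 20 under example.com
    exhausted = check_issuance(many, ["new.example.com"], now)
    return blocked, allowed, exhausted
```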
Security fixes
If there appears to be a security issue in the protocol, we may introduce compatibility-breaking changes to the endpoints. Client suppliers should update their clients to address such vulnerabilities.
Errors and issues
While working with the Buypass ACME service the following standard errors may appear. If you cannot fix them yourself, contact our Community or our Customer Support.
| Type | Description |
|---|---|
| badCSR | The CSR is unacceptable (e.g., due to a short key) |
| badNonce | The client sent an unacceptable anti-replay nonce |
| badSignatureAlgorithm | The JWS was signed with an algorithm the server does not support |
| invalidContact | A contact URL for an account was invalid |
| unsupportedContact | A contact URL for an account used an unsupported protocol scheme |
| malformed | The request message was malformed |
| rateLimited | The request exceeds a rate limit |
| rejectedIdentifier | The server will not issue for the identifier |
| serverInternal | The server experienced an internal error |
| unauthorised | The client lacks sufficient authorisation |
| unsupportedIdentifier | Identifier is not supported, but may be in future |
| userActionRequired | Visit the "instance" URL and take the actions specified there |
| badRevocationReason | The revocation reason provided is not allowed by the server |
| caa | Certification Authority Authorisation (CAA) records forbid the CA from issuing |
| dns | There was a problem with a DNS query |
| connection | The server could not connect to the validation target |
| tls | The server received a TLS error during validation |
| incorrectResponse | The response received did not match the challenge's requirements |
This list is not exhaustive. The server MAY return errors whose “type” field is set to a URI other than those defined above.
ACME Issue Reporting
If you have issues using Buypass SSL Go solution please report this using the Issue Report form below. It may be useful for us to get your ACME Account ID to do a proper investigation. The process of creating an ACME Account is handled automatically by the ACME client software you use.
If you’re using Certbot, you can find your account ID by looking at the “uri” field in /etc/letsencrypt/accounts/api.buypass.com/acme/directory*/regr.json.
If you’re using another ACME client, the instructions will be client-dependent. Check your logs for URLs of the form described above. If your ACME client does not record the account ID, you can retrieve it by submitting a new registration request with the same key. See the ACME spec for more details. You can also find the numeric form of your ID in the Boulder-ID header in the response to each POST your ACME client makes.