No challenge for pre-authorized ACME provider

[EricHorst]

My ACME provider credentials (sectigo) are pre-authorized, so that no challenge is required when requesting a cert in my pre-authorized domains. However, the lego cli requires at least one challenge be specified. Am I missing a "no challenge" cli option?

I've worked around it by turning dns into a dummy challenge. This works fine but is a little crude.
EXEC_PATH=/bin/true
lego ... --dns exec run

-Eric

[ldez]

Hello,

The notion of "pre-authorized" is vague, I don't know if you speak about "authorization" from the RFC notion or about something related to authentication like the External Account Binding.

lego, as a binary, handle challenges, it's not a tool to just grab certificates.

The "no challenge" option is not something available because the ACME RFC is about challenges.

Your workaround based on the exec provider seems the best approach for your use case.

I need to learn more about those "pre-authorized" Sectigo approaches, so if you have documentation I'm interested.

[EricHorst]

The notion of "pre-authorized" is vague, I don't know if you speak about "authorization" from the RFC notion or about something related to authentication like the External Account Binding.

This page has a PDF link to the Incommon Sectigo Certificate Manger Guide. See page 407, Section 12.3 for certbot information that I am using for lego. See page 399, Section 12 for overview of the Sectigo ACME service. (I do not have access to the Sectigo SCM. My organization adminstrator uses SCM and configured the ACME credentials I use.)

https://sectigo.com/knowledge-base/detail/InCommon-Sectigo-Certificate-Manager-SCM-Administrator-s-Guide/kA03l000000vFpP

This is what the exchange looks like:

$ EXEC_PATH=/bin/true bin/lego --email [email protected] --server https://acme.sectigo.com/v2/InCommonRSAOV --eab --kid 'MYKID' --hmac 'MYHMAC' --dns exec --domains="myhost.uw.edu" run
2022/03/04 17:33:30 Please review the TOS at https://secure.trust-provider.com/repository/docs/Legacy/20201020_Certificate_Subscriber_Agreement_v_2_4_click.pdf
Do you accept the TOS? Y/n
y
2022/03/04 17:33:35 [INFO] acme: Registering account for [email protected]
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2022/03/04 17:33:38 [INFO] [myhost.uw.edu] acme: Obtaining bundled SAN certificate
2022/03/04 17:33:41 [INFO] [myhost.uw.edu] AuthURL: https://acme.sectigo.com/v2/InCommonRSAOV/authz/tokenredacted
2022/03/04 17:33:41 [INFO] [myhost.uw.edu] acme: authorization already valid; skipping challenge
2022/03/04 17:33:41 [INFO] [myhost.uw.edu] acme: Validations succeeded; requesting certificates
2022/03/04 17:33:44 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2022/03/04 17:33:52 [INFO] [myhost.uw.edu] Server responded with a certificate.

The pre-authorized account means the server side does not issue a challenge. (One other thing in the output above lego assumes using Let's Encrypt. Those messages could be generic in case somebody is using a different ACME provider.)

I like lego for simplicity and being a single go binary compared with python certbot. I thank you for lego and your quick reply to my question.