"Missing Authentication Token" errors when using SSL.com's ACME server

[rmbolger]

The ACME server implementation that SSL.com is currently using appears to have some bugs that are preventing Posh-ACME from doing standard tasks like checking account status or updating account contact details.

I started a thread with other client devs on the LE community forums to compare findings. But for now SSL.com is incompatible with Posh-ACME.

[rmbolger]

It looks like they might be working on the problem. Requests against account endpoints are still throwing errors, but some are now ACME formatted errors like:

{"type":"urn:ietf:params:acme:error:serverInternal","detail":"Please try again later or contact support@ssl.com"}

• Get-PAAccount -Refresh = "Please try again later"
• `Set-PAAccount -Contact 'me@example.com' = WORKS
• Set-PAAccount -KeyRollover = "Missing Authentication Token"
• Set-PAAccount -Deactivate = WORKS

The Get-PAAccount -Refresh error is the main blocker to having Posh-ACME generally work against SSL.com.

[8191]

@rmbolger Any update on this issue? Did you contact SSL.com in the end and did you get any feedback?

[rmbolger]

Not yet. I did open a support request, but unfortunately never got a response and kind of let it languish since then. I've got a test branch, sslcom-compat, that works around the issue by removing all account refresh calls that happen as part of the basic cert request workflow. It works in my local testing, but it's not an ideal solution or something I'm ready to incorporate into an official version yet.

Ironically, DigiCert also seems to have a similar issue with their non-free ACME implementation that was reported in issue #394. Make me wonder whether they're both using the same underlying ACME server.

I don't currently have any other issues I'm actively working on. So I will try to reach out to ssl.com support again and see if I can get some traction. Since I'm not a paying customer, they don't have a lot of incentive to listen to me though.

[rmbolger]

I got at least an initial response to my ticket this time saying

Please note that the issue has been forwarded to our ACME devs and technical team. We will keep you posted soon as we get updates from the team.

[rmbolger]

No updates from support since this last message and the account endpoints still appears to be throwing the same error from September.

[8191]

I own a few certificates from them. I can try to raise an issue as well. Will report here if I'll get any feedback.

[rmbolger]

I added a workaround in 4.14.0. If you have already configured a server, you'll need to use Set-PAServer -UseAltAccountRefresh. If you haven't configured a server yet, the switch should be enabled by default when you do.