[GH-ISSUE #1255] EAB credentials for acme account creation #7809

New issue

Closed

opened 2026-03-12 22:53:21 +03:00 by kerem · 2 comments

kerem commented

2026-03-12 22:53:21 +03:00

Owner

Originally created by @baltazartroisville on GitHub (Jul 22, 2025).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/1255

Is your feature request related to a problem? Please describe.
Some ACME providers require the registration with credentials named EAB, external account binding. Right now Nginx-UI does not allow this so this providers (for example zerossl) cannot be used.

Describe the solution you'd like
Two additional optional text input boxes on the acme provider registration page for key ID (kid) and HMAC key (hmacKey). And the logic working with the input of course. EAB takes place in the acme new account creation phase, not in the certificate request afterwards.

Describe alternatives you've considered
Use LetsEncrypt.

Additional context

EAB is a published standard under RFC8555: https://www.rfc-editor.org/rfc/rfc8555#section-7.3.4
Additional shorter explanation: https://cert-manager.io/docs/configuration/acme/#external-account-bindings
Afaik the GO acme.client does not natively support EAB, but lego and certmanager have implemented it. So the externalAccountBinding object has to be build manually and then included in the account registration request

Steps (if i understood correctly):

get kid and hmacKey from provider
generate RSA or EC keypair
build eab JWS (json web signature) object
- payload is acme account JWK (json web key) - public part from keypair
- algorithm, keyID (kid) and CADir endpoint URL as header
- sign with base64url-encoded HMAC key
POST to endpoint URL with externalAccountBinding field in account registration payload

Thank you to anyone who puts hard work in nginx-ui! ❤️

Originally created by @baltazartroisville on GitHub (Jul 22, 2025). Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/1255 **Is your feature request related to a problem? Please describe.** Some ACME providers require the registration with credentials named EAB, external account binding. Right now Nginx-UI does not allow this so this providers (for example zerossl) cannot be used. **Describe the solution you'd like** Two additional optional text input boxes on the acme provider registration page for key ID (kid) and HMAC key (hmacKey). And the logic working with the input of course. EAB takes place in the acme new account creation phase, not in the certificate request afterwards. **Describe alternatives you've considered** Use LetsEncrypt. **Additional context** - EAB is a published standard under RFC8555: https://www.rfc-editor.org/rfc/rfc8555#section-7.3.4 - Additional shorter explanation: https://cert-manager.io/docs/configuration/acme/#external-account-bindings - Afaik the GO acme.client does not natively support EAB, but lego and certmanager have implemented it. So the externalAccountBinding object has to be build manually and then included in the account registration request Steps (if i understood correctly): 1. get kid and hmacKey from provider 2. generate RSA or EC keypair 3. build eab JWS (json web signature) object - payload is acme account JWK (json web key) - public part from keypair - algorithm, keyID (kid) and CADir endpoint URL as header - sign with base64url-encoded HMAC key 4. POST to endpoint URL with externalAccountBinding field in account registration payload Thank you to anyone who puts hard work in nginx-ui! ❤️

kerem

2026-03-12 22:53:21 +03:00

closed this issue
added the
enhancement
label

kerem commented

2026-03-12 22:53:37 +03:00

Author

Owner

@0xJacky commented on GitHub (Jul 22, 2025):

Sure. If Lego has the capability to achieve this function, I will attempt to implement it.

@0xJacky commented on GitHub (Jul 22, 2025): Sure. If Lego has the capability to achieve this function, I will attempt to implement it.

kerem commented

2026-03-12 22:53:42 +03:00

Author

Owner

@0xJacky commented on GitHub (Aug 2, 2025):

Added in 38ee12f, you can now use a certificate provider like ZeroSSL

@0xJacky commented on GitHub (Aug 2, 2025): Added in [38ee12f](https://github.com/0xJacky/nginx-ui/commit/38ee12f587dc807d65dcbf15cf8367d79c654d74), you can now use a certificate provider like ZeroSSL