Hello! When I compiled and attempted to use the acme-proxy (on 7f7f416) I ran into a minor incompatibility with Sectigo's "Universal ACME" and the default ca.json that was provided with the repo.
If I leave it to its default 30, Sectigo's server responds with the error:
[root@acme acme]# ./acme-proxy ca.json
2026/04/02 23:12:11 Building new tls configuration using step-ca x509 Signer Interface
2026/04/02 23:12:11 [INFO] acme: Registering account for <email_scrubbed>
2026/04/02 23:12:12 INFO processing certificate request domains=[<acme_proxy>]
2026/04/02 23:12:12 [INFO] [<acme_proxy>] acme: Obtaining bundled SAN certificate given a CSR
authority.GetTLSCertificate: failed to obtain certificate: acme: error: 400 :: POST :: https://acme.enterprise.sectigo.com/new-order :: urn:sectigo:error:invalidRequestForProvider :: invalid order for provider 'scm': can not issue certificates with specific 'notBefore' or 'notAfter' dates
However, if I remove the line specifying the certlifetime, then it works fine:
2026/04/02 23:13:23 Building new tls configuration using step-ca x509 Signer Interface
2026/04/02 23:13:23 [INFO] acme: Registering account for <email_scrubbed>
2026/04/02 23:13:24 INFO processing certificate request domains=[<acme_proxy>]
2026/04/02 23:13:24 [INFO] [<acme_proxy>] acme: Obtaining bundled SAN certificate given a CSR
2026/04/02 23:13:29 [INFO] [<acme_proxy>] AuthURL: https://acme.enterprise.sectigo.com/authorization/<scrubbed>/0/always-valid
2026/04/02 23:13:29 [INFO] [<acme_proxy>] acme: authorization already valid; skipping challenge
2026/04/02 23:13:29 [INFO] [<acme_proxy>] acme: Validations succeeded; requesting certificates
2026/04/02 23:13:35 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2026/04/02 23:14:02 [INFO] [<acme_proxy>] Server responded with a certificate.
2026/04/02 23:14:02 INFO obtained certificate from external CA domains=[<acme_proxy>]
2026/04/02 23:14:02 Starting Smallstep CA/0000000-dev (linux/amd64)
2026/04/02 23:14:02 Documentation: https://u.step.sm/docs/ca
2026/04/02 23:14:02 Community Discord: https://u.step.sm/discord
2026/04/02 23:14:02 Config file: ca.json
2026/04/02 23:14:02 The primary server URL is https://<acme_proxy>:443
2026/04/02 23:14:02 Root certificates are available at https://<acme_proxy>:443/roots.pem
2026/04/02 23:14:02 Serving HTTPS on :443 ...
It seems that for this ACME provider it's best to not specify a lifetime at all in the request.
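
Added example, not part of the original report and not acme-proxy code: a Go sketch of an RFC 8555 new-order payload that leaves out `notBefore`/`notAfter` when no lifetime is configured, plus a check that recognises the Sectigo refusal shown in the first log. The function names, the `time.Duration` lifetime parameter and the sample domain are assumptions.

```go
// Added example, not acme-proxy code; every name below is hypothetical.
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type identifier struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

// newOrder is the RFC 8555 section 7.4 payload; omitempty drops unset dates.
type newOrder struct {
	Identifiers []identifier `json:"identifiers"`
	NotBefore   string       `json:"notBefore,omitempty"`
	NotAfter    string       `json:"notAfter,omitempty"`
}

// buildNewOrder: lifetime <= 0 means "not configured", so no dates are sent.
func buildNewOrder(domains []string, lifetime time.Duration, now time.Time) ([]byte, error) {
	o := newOrder{Identifiers: []identifier{}}
	for _, d := range domains {
		o.Identifiers = append(o.Identifiers, identifier{Type: "dns", Value: d})
	}
	if lifetime > 0 {
		nb := now.UTC().Truncate(time.Second)
		o.NotBefore, o.NotAfter = nb.Format(time.RFC3339), nb.Add(lifetime).Format(time.RFC3339)
	}
	return json.Marshal(o)
}

// rejectsValidityWindow matches the problem document behind the logged error.
func rejectsValidityWindow(problem []byte) bool {
	var p struct{ Type, Detail string }
	if json.Unmarshal(problem, &p) != nil {
		return false
	}
	return p.Type == "urn:sectigo:error:invalidRequestForProvider" &&
		(strings.Contains(p.Detail, "notBefore") || strings.Contains(p.Detail, "notAfter"))
}

func main() {
	// proxy.example.test is a constructed name, not a value from the report.
	body, err := buildNewOrder([]string{"proxy.example.test"}, 0, time.Now())
	fmt.Println(string(body), err)
}
```

A caller could use `rejectsValidityWindow` to report a clear configuration error, or to retry once with a zero lifetime, instead of failing at startup with the raw ACME error.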