EAB credentials for acme account creation

[baltazartroisville]

Is your feature request related to a problem? Please describe.
Some ACME providers require the registration with credentials named EAB, external account binding. Right now Nginx-UI does not allow this so this providers (for example zerossl) cannot be used.

Describe the solution you'd like
Two additional optional text input boxes on the acme provider registration page for key ID (kid) and HMAC key (hmacKey). And the logic working with the input of course. EAB takes place in the acme new account creation phase, not in the certificate request afterwards.

Describe alternatives you've considered
Use LetsEncrypt.

Additional context

• EAB is a published standard under RFC8555: https://www.rfc-editor.org/rfc/rfc8555#section-7.3.4
• Additional shorter explanation: https://cert-manager.io/docs/configuration/acme/#external-account-bindings
• Afaik the GO acme.client does not natively support EAB, but lego and certmanager have implemented it. So the externalAccountBinding object has to be build manually and then included in the account registration request

Steps (if i understood correctly):

1. get kid and hmacKey from provider
2. generate RSA or EC keypair
3. build eab JWS (json web signature) object
   • payload is acme account JWK (json web key) - public part from keypair
   • algorithm, keyID (kid) and CADir endpoint URL as header
   • sign with base64url-encoded HMAC key
4. POST to endpoint URL with externalAccountBinding field in account registration payload

Thank you to anyone who puts hard work in nginx-ui! ❤️

[0xJacky]

Sure. If Lego has the capability to achieve this function, I will attempt to implement it.

[0xJacky]

Added in 38ee12f, you can now use a certificate provider like ZeroSSL