SpipCP
Administration

SSL issuer accounts

Connect alternative certificate authorities — ZeroSSL or Actalis (ACME with EAB) and bring-your-own custom certificates — and cascade an issuer default down node → instance → domain. EAB keys and private keys never reach a node.

SSL issuers now live under Networking → SSL

This page describes the SSL issuer (CA) accounts; they live in the Networking section — Networking → SSL — next to the certificate scenarios. (Per-domain cert state is on Networking ▸ Domains.) The old Settings → SSL issuers link redirects there, so everything below still applies; it's just a new home.

Let's Encrypt is the default certificate authority and needs no account — certificates are issued automatically and for free. You add an SSL issuer account only for an authority that needs a credential:

  • ZeroSSL / Actalis (EU) — ACME issuers that require EAB (External Account Binding): a Key ID and an HMAC key from the provider's dashboard.
  • Custom — bring your own certificate: paste the certificate chain + private key (PEM). There's no ACME and no auto-renewal.

Like git accounts and DNS provider accounts, the chosen issuer account cascades node → instance → domain.

EAB keys and private keys NEVER reach a node

Every secret on an issuer account — the EAB HMAC key, and a custom cert's private key + chain — stays only in the panel, encrypted. You send it once when you add the account, and it's never shown to a client again. SpipCP uses it only to set up the certificate; it's never written to a node as a separate file and never logged. The account list shows only non-sensitive fields: name, provider, the EAB Key ID (public), and a has certificate flag.

Adding a ZeroSSL or Actalis account (ACME + EAB)

Settings → SSL issuers → Add SSL issuer account, pick the provider, and provide:

FieldMeaning
NameA label to tell accounts apart (ZeroSSL prod).
EAB Key IDThe External Account Binding key identifier (not secret).
EAB HMAC KeyThe matching HMAC key. Encrypted on arrival; never shown again.

Get EAB credentials from the provider. For ZeroSSL: Dashboard → Developer → Generate an EAB credential. For Actalis: the EAB Key ID + HMAC Key issued for your ACME account.

In SpipCP, Settings → SSL issuers → Add SSL issuer account, choose ZeroSSL or Actalis, paste the Key ID and HMAC Key, and Add account. It's tested automatically on connect.

Pick the issuer when you attach a domain (or set it as a node/instance default below). SpipCP finds the right issuer account and binds the EAB to the certificate request for you.

Adding a custom certificate account (bring-your-own PEM)

Settings → SSL issuers → Add SSL issuer account → Custom, then paste:

FieldMeaning
Certificate PEMThe full chain (leaf + intermediates), PEM-encoded.
Private key PEMThe matching private key. Encrypted on arrival; never shown again.

On upload, SpipCP reads the certificate's expiry, so the SSL dashboard and the certificate-expiry probe warn you just like they would for an ACME cert.

Custom certificates don't auto-renew

Because there's no ACME exchange, SpipCP can't renew a custom certificate. It tracks the expiry and warns you (amber within 21 days, then a probe alert). Before it lapses, Edit the account and paste a fresh PEM. Leaving the cert/key blank on Edit keeps the stored one; pasting new PEM replaces it.

Testing

The per-row Test checks the stored credential without issuing a certificate: for an EAB account it confirms the Key ID and HMAC are present and well-formed; for a custom account it checks the cert chain is valid and shows its expiry. The result appears inline and as a toast. (A live certificate is issued at attach, not here.)

Setting a default that cascades

Set an issuer account as a default so domains inherit it instead of you picking one every time. The default cascades:

LevelWhere you set itWho inherits it
NodeA node's SSL / issuer tabevery instance + domain under that node
InstanceAn instance's SSL / issuer tabevery domain on that instance
DomainThe attach wizard / domain rowjust that domain (the override)

A level left blank inherits from the one above, and the most-specific value wins: domain beats instance beats node. The issuer choice (Let's Encrypt / ZeroSSL / Actalis / custom) lives on the domain; the account (the credential) is what cascades. Plain ACME issuers (Let's Encrypt, Pebble) need no account, so they have nothing to cascade.

Deleting an account degrades to inherit, never breaks

Delete an account a node, instance, or domain pointed at and that level falls back to the one above it. If a required issuer (ZeroSSL/Actalis/custom) ends up with no account, the attach fails with a clear remedy ("configure a <provider> issuer account") rather than showing green.

Permissions

Adding, testing, editing, and removing issuer accounts — and setting node/instance defaults — is admin-only. The server enforces this on every action, whatever the UI shows.

Next steps

  • Domains & SSL — the attach flow, the issuer choices, and the SSL dashboard.
  • DNS providers — the sibling DNS-account cascade.
  • Monitoring — the certificate-expiry probe that warns before a cert lapses.

On this page