EAB authorization with custom certificate authority

I’m using BoringProxy more and more, and am now starting to reach the Let’s Encrypt rate limits.

As a result, I would like to use a custom certificate authority (using -acme-certificate-authority); however, I cannot figure out where to put the EAB authorization.

Do I need to configure certmagic beforehand, or is there a way to include the key in the BoringProxy command line, or something else?

Any help would be much appreciated.

Thanks.

Hey @Martin. I’m not familiar with EAB authorization, and a quick google search didn’t clarify. Can you provide more information about what that is?

I will say, if you’re using boringproxy enough to be hitting LE rate limits, you might want to consider a more production quality tool or a custom setup. Something like Caddy + frp might be better.

Hi Anders

Thanks for getting back to me, and thanks for spending time googling :blush:

The External Account Binding is a way for ACME clients to identify themselves towards CA providers. CertMagic supports this, but I have not yet done the research. We currently use BoringProxy’s built-in ACME features with LE but want to change to ZeroSSL or something similar.

Alternatively, we may provide wildcard certificates as you have done with certgrabber (but this has also not yet been researched).

We have also considered passthrough tunneling, but many of the on-premises services we use are plain HTTP and we would like to keep our per-location deployment as slim and flexible as possible.

In case you are curious about our use case; we provide a standardised set of REST APIs that allows our customers to connect on-premises point-of-sales systems (primarily in the food and beverage industry) with different online ordering platforms, where we take care of the POS-integration part.

Each restaurant is always connected to three different data centers (for geo-redundancy), so with LE’s limit of 50 certs per week (~200 per month), we max out just below 70 locations – adding different domains into the mix will increase this number, but it will not solve the problem.

Like many others, we have previously used NGrok, but their new license policy makes that infeasible going forward – which is why I was so happy to come across BoringProxy. NGrok is a great product, but it provides a lot of functionality that we don’t need, whereas BoringProxy fits perfectly feature-wise and has proved to be very stable in the ~50 locations we have it deployed.

So again, thanks for a great product!
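What an External Account Binding actually is on the wire, as an added illustration that is not part of this thread and not code from certmagic or boringproxy: per RFC 8555 §7.3.4 the client takes its ACME account public key (as a JWK), wraps it in a JWS signed with HMAC-SHA256 under the MAC key the CA issued, puts the CA-issued key ID in "kid" and the CA's newAccount URL in "url", and sends that JWS as the externalAccountBinding field of the newAccount request. The CA recomputes the HMAC with the MAC key it stored for that kid, which ties the new ACME account to an existing customer account. The kid, MAC key, newAccount URL and account key below are constructed placeholders, and BuildEAB and VerifyEAB are names chosen here; certmagic performs the client half internally once it is given the key ID and MAC key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// EABHeader is the protected header of the External Account Binding JWS (RFC 8555
// §7.3.4): alg is always HS256, kid is the CA-issued key ID, url is the CA's
// newAccount endpoint. Unlike other ACME requests this JWS carries no nonce.
type EABHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	URL string `json:"url"`
}

// EABJWS is the flattened JWS sent as "externalAccountBinding" in newAccount.
type EABJWS struct {
	Protected, Payload, Signature string
}

// decodeMACKey accepts the key as CAs display it: base64url, padded or not.
func decodeMACKey(macKeyB64 string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(macKeyB64, "="))
}

// ecPublicJWK renders the P-256 account public key as the JWK that becomes the
// EAB payload (the same key that signs every later ACME request).
func ecPublicJWK(pub *ecdsa.PublicKey) map[string]string {
	n := (pub.Curve.Params().BitSize + 7) / 8
	return map[string]string{
		"kty": "EC", "crv": "P-256",
		"x": base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, n))),
		"y": base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, n))),
	}
}

// BuildEAB is the client side: HMAC-SHA256 over base64url(header).base64url(payload)
// keyed with the CA-issued MAC key.
func BuildEAB(kid, macKeyB64, newAccountURL string, pub *ecdsa.PublicKey) (EABJWS, error) {
	macKey, err := decodeMACKey(macKeyB64)
	if err != nil {
		return EABJWS{}, fmt.Errorf("decode MAC key: %w", err)
	}
	hdr, _ := json.Marshal(EABHeader{Alg: "HS256", Kid: kid, URL: newAccountURL})
	payload, _ := json.Marshal(ecPublicJWK(pub)) // fixed-shape values, cannot fail
	protected := base64.RawURLEncoding.EncodeToString(hdr)
	body := base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(protected + "." + body))
	return EABJWS{protected, body, base64.RawURLEncoding.EncodeToString(mac.Sum(nil))}, nil
}

// VerifyEAB is the CA side: recompute the HMAC with the MAC key stored for the kid
// and compare in constant time. The header is returned so the caller can also
// check that kid and url match the request being processed.
func VerifyEAB(j EABJWS, macKeyB64 string) (EABHeader, error) {
	macKey, err := decodeMACKey(macKeyB64)
	if err != nil {
		return EABHeader{}, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(j.Signature)
	if err != nil {
		return EABHeader{}, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(j.Protected + "." + j.Payload))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return EABHeader{}, errors.New("EAB signature mismatch")
	}
	raw, err := base64.RawURLEncoding.DecodeString(j.Protected)
	if err != nil {
		return EABHeader{}, err
	}
	var h EABHeader
	if err := json.Unmarshal(raw, &h); err != nil || h.Alg != "HS256" {
		return EABHeader{}, fmt.Errorf("bad protected header (alg %q): %v", h.Alg, err)
	}
	return h, nil
}

func main() {
	// Constructed placeholders: a real CA issues kid and MAC key per customer account,
	// and the client reads the newAccount URL from the CA's directory document.
	kid, url := "example-eab-kid", "https://ca.example/acme/newAccount"
	macKey := base64.RawURLEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef"))
	accountKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jws, err := BuildEAB(kid, macKey, url, &accountKey.PublicKey)
	if err != nil {
		panic(err)
	}
	hdr, err := VerifyEAB(jws, macKey)
	fmt.Printf("protected=%s\nsignature=%s\nverified=%v err=%v\n", jws.Protected, jws.Signature, hdr.Kid == kid, err)
}
```

The MAC key is a shared secret: anyone holding it can register ACME accounts billed to the same CA customer, so it deserves the same handling as the account private key (keep it out of command history and logs if it ends up as a CLI flag).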

Thanks for the detailed information. Glad boringproxy is useful for you. If I understand certmagic’s EAB interface correctly, you should just need something like -acme-eab-key-id and -acme-eab-mac-key added to boringproxy and then passed to certmagic. Does that sound sufficient?

Hi Anders

Sorry for not coming back in a timely fashion.

I think you are correct.

I found the code snippet below, which I believe outlines the logic, where for ZeroSSL I use https://acme.zerossl.com/v2/DV90

If this were something you could add, that would be pretty cool! I have a ZeroSSL account and EAB credentials ready :slight_smile:

package main

import (
    "context"
    "log"

    "github.com/caddyserver/certmagic"
    "github.com/mholt/acmez/acme" // newer certmagic releases import github.com/mholt/acmez/v2/acme
)

func main() {
    // EAB credentials issued by the CA (ZeroSSL shows them in its dashboard).
    kid := "your_kid"
    hmacKey := "your_hmac_key" // base64url-encoded MAC key, exactly as the CA gives it

    // ZeroSSL's ACME directory (certmagic also exposes it as certmagic.ZeroSSLProductionCA).
    // Let's Encrypt's staging directory, https://acme-staging-v02.api.letsencrypt.org/directory,
    // is handy for testing but does not require EAB.
    certmagic.DefaultACME.CA = "https://acme.zerossl.com/v2/DV90"
    certmagic.DefaultACME.Email = "you@example.com"
    certmagic.DefaultACME.Agreed = true
    // certmagic builds the EAB JWS itself and sends it with the newAccount request;
    // no separate nonce source is needed.
    certmagic.DefaultACME.ExternalAccount = &acme.EAB{
        KeyID:  kid,
        MACKey: hmacKey,
    }

    // Obtain (or renew) the certificate and keep it managed in the background.
    if err := certmagic.ManageSync(context.Background(), []string{"example.com"}); err != nil {
        log.Fatalf("obtaining certificate: %v", err)
    }
}

So are you currently using the code above to get certs for boringproxy, similar to the way certgrabber does it?