feat: wire ACME EAB into account registration + ZeroSSL auto-fetch

EAB credentials (KID + HMAC) were defined in the ACME connector config
but never wired into the acme.Account registration call. This fixes the
dead code and adds automatic EAB credential fetching for ZeroSSL — when
the directory URL is detected as ZeroSSL and no EAB credentials are
provided, certctl calls ZeroSSL's public API to get them automatically.

Changes:
- Wire EABKid/EABHmac into acme.Account.ExternalAccountBinding
- Add isZeroSSL() detection and fetchZeroSSLEAB() auto-fetch
- Add CERTCTL_ACME_EAB_KID/CERTCTL_ACME_EAB_HMAC env vars to main.go
- Add 13 ACME connector tests (config validation, EAB decode, ZeroSSL
  auto-EAB with mock servers, URL detection)
- Update docs: README, architecture, connectors, demo-advanced,
  testing-guide with EAB/auto-EAB documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/connector/issuer/acme/acme.go

@@ -6,12 +6,16 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"io"
 	"log/slog"
 	"net"
 	"net/http"
+	"net/url"
+	"strings"
 	"sync"
 	"time"
 
@@ -201,6 +205,33 @@ func (c *Connector) ensureClient(ctx context.Context) error {
 	acct := &acme.Account{
 		Contact: []string{"mailto:" + c.config.Email},
 	}
+
+	// Auto-fetch EAB credentials from ZeroSSL if directory URL is ZeroSSL and no EAB provided.
+	// ZeroSSL offers a public endpoint that returns EAB credentials given an email address,
+	// so users don't need to visit the ZeroSSL dashboard manually.
+	if c.config.EABKid == "" && c.config.EABHmac == "" && isZeroSSL(c.config.DirectoryURL) {
+		kid, hmac, eabErr := fetchZeroSSLEAB(ctx, c.config.Email)
+		if eabErr != nil {
+			return fmt.Errorf("failed to auto-fetch ZeroSSL EAB credentials: %w", eabErr)
+		}
+		c.config.EABKid = kid
+		c.config.EABHmac = hmac
+		c.logger.Info("auto-fetched EAB credentials from ZeroSSL", "eab_kid", kid)
+	}
+
+	// External Account Binding (required by ZeroSSL, Google Trust Services, SSL.com, etc.)
+	if c.config.EABKid != "" && c.config.EABHmac != "" {
+		hmacKey, decodeErr := base64.RawURLEncoding.DecodeString(c.config.EABHmac)
+		if decodeErr != nil {
+			return fmt.Errorf("failed to decode EAB HMAC key (expected base64url): %w", decodeErr)
+		}
+		acct.ExternalAccountBinding = &acme.ExternalAccountBinding{
+			KID: c.config.EABKid,
+			Key: hmacKey,
+		}
+		c.logger.Info("using External Account Binding for ACME registration", "eab_kid", c.config.EABKid)
+	}
+
 	_, err = c.client.Register(ctx, acct, acme.AcceptTOS)
 	if err != nil {
 		// Account may already exist, try to get it
@@ -216,6 +247,67 @@ func (c *Connector) ensureClient(ctx context.Context) error {
 	return nil
 }
 
+// zeroSSLEABEndpoint is the ZeroSSL API endpoint for auto-generating EAB credentials.
+// Variable (not const) to allow test overrides.
+var zeroSSLEABEndpoint = "https://api.zerossl.com/acme/eab-credentials-email"
+
+// isZeroSSL returns true if the ACME directory URL points to ZeroSSL.
+func isZeroSSL(directoryURL string) bool {
+	return strings.Contains(strings.ToLower(directoryURL), "zerossl.com")
+}
+
+// fetchZeroSSLEAB retrieves EAB credentials from ZeroSSL's public API endpoint.
+// ZeroSSL provides this so users don't need to visit the dashboard manually.
+// Returns (kid, hmac_key, error). The HMAC key is already base64url-encoded.
+func fetchZeroSSLEAB(ctx context.Context, email string) (string, string, error) {
+	if email == "" {
+		return "", "", fmt.Errorf("email is required for ZeroSSL EAB auto-fetch")
+	}
+
+	form := url.Values{"email": {email}}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, zeroSSLEABEndpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return "", "", fmt.Errorf("create request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	client := &http.Client{Timeout: 15 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", "", fmt.Errorf("request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", "", fmt.Errorf("read response: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", "", fmt.Errorf("ZeroSSL API returned status %d: %s", resp.StatusCode, string(body))
+	}
+
+	var result struct {
+		Success  bool   `json:"success"`
+		EABKid   string `json:"eab_kid"`
+		EABHmac  string `json:"eab_hmac_key"`
+		ErrorMsg string `json:"error"`
+	}
+	if err := json.Unmarshal(body, &result); err != nil {
+		return "", "", fmt.Errorf("parse response: %w", err)
+	}
+
+	if !result.Success || result.EABKid == "" || result.EABHmac == "" {
+		errDetail := result.ErrorMsg
+		if errDetail == "" {
+			errDetail = string(body)
+		}
+		return "", "", fmt.Errorf("ZeroSSL EAB generation failed: %s", errDetail)
+	}
+
+	return result.EABKid, result.EABHmac, nil
+}
+
 // IssueCertificate submits a certificate issuance request to the ACME CA.
 //
 // Flow:

internal/connector/issuer/acme/acme_test.go

@@ -0,0 +1,264 @@
+package acme
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"strings"
+	"testing"
+)
+
+func testLogger() *slog.Logger {
+	return slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError}))
+}
+
+func TestValidateConfig_MissingDirectoryURL(t *testing.T) {
+	c := New(nil, testLogger())
+	cfg, _ := json.Marshal(map[string]string{"email": "test@example.com"})
+	err := c.ValidateConfig(context.Background(), cfg)
+	if err == nil || !strings.Contains(err.Error(), "directory_url is required") {
+		t.Fatalf("expected directory_url error, got: %v", err)
+	}
+}
+
+func TestValidateConfig_MissingEmail(t *testing.T) {
+	c := New(nil, testLogger())
+	cfg, _ := json.Marshal(map[string]string{"directory_url": "https://example.com/directory"})
+	err := c.ValidateConfig(context.Background(), cfg)
+	if err == nil || !strings.Contains(err.Error(), "email is required") {
+		t.Fatalf("expected email error, got: %v", err)
+	}
+}
+
+func TestValidateConfig_InvalidChallengeType(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"newNonce":"","newAccount":"","newOrder":""}`)
+	}))
+	defer srv.Close()
+
+	c := New(nil, testLogger())
+	cfg, _ := json.Marshal(map[string]string{
+		"directory_url":  srv.URL,
+		"email":          "test@example.com",
+		"challenge_type": "invalid-challenge",
+	})
+	err := c.ValidateConfig(context.Background(), cfg)
+	if err == nil || !strings.Contains(err.Error(), "invalid challenge_type") {
+		t.Fatalf("expected invalid challenge_type error, got: %v", err)
+	}
+}
+
+func TestValidateConfig_Success(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"newNonce":"","newAccount":"","newOrder":""}`)
+	}))
+	defer srv.Close()
+
+	c := New(nil, testLogger())
+	cfg, _ := json.Marshal(map[string]string{
+		"directory_url": srv.URL,
+		"email":         "test@example.com",
+	})
+	err := c.ValidateConfig(context.Background(), cfg)
+	if err != nil {
+		t.Fatalf("expected success, got: %v", err)
+	}
+}
+
+func TestValidateConfig_EABFieldsPreserved(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"newNonce":"","newAccount":"","newOrder":""}`)
+	}))
+	defer srv.Close()
+
+	c := New(nil, testLogger())
+	cfg, _ := json.Marshal(map[string]string{
+		"directory_url": srv.URL,
+		"email":         "test@example.com",
+		"eab_kid":       "kid-12345",
+		"eab_hmac":      base64.RawURLEncoding.EncodeToString([]byte("test-hmac-key")),
+	})
+	err := c.ValidateConfig(context.Background(), cfg)
+	if err != nil {
+		t.Fatalf("expected success, got: %v", err)
+	}
+	if c.config.EABKid != "kid-12345" {
+		t.Fatalf("expected EABKid to be preserved, got: %s", c.config.EABKid)
+	}
+	if c.config.EABHmac == "" {
+		t.Fatal("expected EABHmac to be preserved")
+	}
+}
+
+func TestEnsureClient_EABDecodeError(t *testing.T) {
+	c := New(&Config{
+		DirectoryURL: "https://acme.example.com/directory",
+		Email:        "test@example.com",
+		EABKid:       "kid-12345",
+		EABHmac:      "!!!not-valid-base64url!!!",
+	}, testLogger())
+
+	err := c.ensureClient(context.Background())
+	if err == nil || !strings.Contains(err.Error(), "decode EAB HMAC") {
+		t.Fatalf("expected EAB decode error, got: %v", err)
+	}
+}
+
+func TestEnsureClient_EABBindingSet(t *testing.T) {
+	// We can't fully mock the ACME protocol (JWS nonce exchange), but we can
+	// verify that valid EAB credentials are decoded and attached to the account
+	// without panicking. The ensureClient call will fail at the network level
+	// (no real ACME server), but it must NOT fail at EAB decoding.
+	hmacKey := base64.RawURLEncoding.EncodeToString([]byte("test-hmac-secret-key"))
+	c := New(&Config{
+		DirectoryURL: "https://127.0.0.1:1/directory", // unreachable — that's fine
+		Email:        "test@example.com",
+		EABKid:       "kid-zerossl-12345",
+		EABHmac:      hmacKey,
+	}, testLogger())
+
+	err := c.ensureClient(context.Background())
+	// Expected: network error (unreachable server), NOT an EAB decode error
+	if err != nil && strings.Contains(err.Error(), "decode EAB HMAC") {
+		t.Fatalf("EAB decode should not fail with valid base64url key, got: %v", err)
+	}
+	// We expect some error (network unreachable) — that's correct
+	if err == nil {
+		t.Log("ensureClient succeeded (unexpected but not a failure for this test)")
+	}
+}
+
+// --- ZeroSSL auto-EAB tests ---
+
+func TestIsZeroSSL(t *testing.T) {
+	tests := []struct {
+		url    string
+		expect bool
+	}{
+		{"https://acme.zerossl.com/v2/DV90", true},
+		{"https://ACME.ZEROSSL.COM/v2/DV90", true},
+		{"https://acme-v02.api.letsencrypt.org/directory", false},
+		{"https://acme.example.com/directory", false},
+		{"", false},
+	}
+	for _, tt := range tests {
+		if got := isZeroSSL(tt.url); got != tt.expect {
+			t.Errorf("isZeroSSL(%q) = %v, want %v", tt.url, got, tt.expect)
+		}
+	}
+}
+
+func TestFetchZeroSSLEAB_Success(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			t.Errorf("expected POST, got %s", r.Method)
+		}
+		if ct := r.Header.Get("Content-Type"); ct != "application/x-www-form-urlencoded" {
+			t.Errorf("expected form content-type, got %s", ct)
+		}
+		if err := r.ParseForm(); err != nil {
+			t.Fatal(err)
+		}
+		if email := r.FormValue("email"); email != "test@example.com" {
+			t.Errorf("expected email test@example.com, got %s", email)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"success":true,"eab_kid":"kid_abc123","eab_hmac_key":"dGVzdC1obWFjLWtleQ"}`)
+	}))
+	defer srv.Close()
+
+	// Override the endpoint for testing
+	origEndpoint := zeroSSLEABEndpoint
+	defer func() { zeroSSLEABEndpoint = origEndpoint }()
+	zeroSSLEABEndpoint = srv.URL
+
+	kid, hmac, err := fetchZeroSSLEAB(context.Background(), "test@example.com")
+	if err != nil {
+		t.Fatalf("expected success, got: %v", err)
+	}
+	if kid != "kid_abc123" {
+		t.Errorf("expected kid_abc123, got %s", kid)
+	}
+	if hmac != "dGVzdC1obWFjLWtleQ" {
+		t.Errorf("expected dGVzdC1obWFjLWtleQ, got %s", hmac)
+	}
+}
+
+func TestFetchZeroSSLEAB_EmptyEmail(t *testing.T) {
+	_, _, err := fetchZeroSSLEAB(context.Background(), "")
+	if err == nil || !strings.Contains(err.Error(), "email is required") {
+		t.Fatalf("expected email required error, got: %v", err)
+	}
+}
+
+func TestFetchZeroSSLEAB_APIError(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusBadRequest)
+		fmt.Fprint(w, `{"success":false,"error":"invalid email"}`)
+	}))
+	defer srv.Close()
+
+	origEndpoint := zeroSSLEABEndpoint
+	defer func() { zeroSSLEABEndpoint = origEndpoint }()
+	zeroSSLEABEndpoint = srv.URL
+
+	_, _, err := fetchZeroSSLEAB(context.Background(), "bad@example.com")
+	if err == nil || !strings.Contains(err.Error(), "status 400") {
+		t.Fatalf("expected API error, got: %v", err)
+	}
+}
+
+func TestFetchZeroSSLEAB_MissingCredentials(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"success":false,"error":"rate limited"}`)
+	}))
+	defer srv.Close()
+
+	origEndpoint := zeroSSLEABEndpoint
+	defer func() { zeroSSLEABEndpoint = origEndpoint }()
+	zeroSSLEABEndpoint = srv.URL
+
+	_, _, err := fetchZeroSSLEAB(context.Background(), "test@example.com")
+	if err == nil || !strings.Contains(err.Error(), "EAB generation failed") {
+		t.Fatalf("expected EAB generation failed error, got: %v", err)
+	}
+}
+
+func TestEnsureClient_ZeroSSLAutoEAB(t *testing.T) {
+	// Mock ZeroSSL EAB endpoint
+	eabSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"success":true,"eab_kid":"auto-kid-123","eab_hmac_key":"dGVzdC1obWFjLWtleQ"}`)
+	}))
+	defer eabSrv.Close()
+
+	origEndpoint := zeroSSLEABEndpoint
+	defer func() { zeroSSLEABEndpoint = origEndpoint }()
+	zeroSSLEABEndpoint = eabSrv.URL
+
+	// Use an unreachable ACME directory — we only care that auto-EAB fetch happens
+	c := New(&Config{
+		DirectoryURL: "https://acme.zerossl.com/v2/DV90",
+		Email:        "test@example.com",
+		// EABKid and EABHmac intentionally empty — should auto-fetch
+	}, testLogger())
+
+	err := c.ensureClient(context.Background())
+	// Will fail at ACME protocol level (unreachable ZeroSSL directory), but
+	// EAB credentials should have been auto-fetched and set on config
+	if c.config.EABKid != "auto-kid-123" {
+		t.Errorf("expected auto-fetched EABKid, got: %s (err: %v)", c.config.EABKid, err)
+	}
+	if c.config.EABHmac != "dGVzdC1obWFjLWtleQ" {
+		t.Errorf("expected auto-fetched EABHmac, got: %s", c.config.EABHmac)
+	}
+}