On Fri, Nov 6, 2020 at 12:19 PM Stuart Henderson <[email protected]> wrote:

> On 2020/11/06 11:54, K R wrote:
> > Hey Stuart,
> >
> > It worked, many thanks!
> >
> > I've read the acme-client manpage many times and it wasn't clear that
> > acme-client will use an existing key, if present. Perhaps adding this
> > information to the manpage, including ssl(8) in the SEE ALSO section, could
> > help others as well.
>
> It was probably clearer earlier when acme-client required a pre-generated
> key unless a command line flag was given, which was later changed to the
> default.
>
> Maybe this would help..
>
> Index: acme-client.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
> retrieving revision 1.26
> diff -u -p -r1.26 acme-client.conf.5
> --- acme-client.conf.5	14 Sep 2020 16:00:17 -0000	1.26
> +++ acme-client.conf.5	6 Nov 2020 15:19:44 -0000
> @@ -138,6 +138,12 @@ or
>  .Cm ecdsa .
>  It defaults to
>  .Cm rsa .
> +If the key file does not exist,
> +.Nm
> +will generate a key itself (4096-bit for
> +.Cm rsa
> +or secp384r1 for
> +.Cm ecdsa ) .
>

Looks great to me! Thanks! --K

>  .It Ic domain certificate Ar file
>  The filename of the certificate that will be issued.
>  This is optional if
> >
> >
> > Thanks again,
> >
> > --K
> >
> >
> > On Thu, Nov 5, 2020 at 7:04 AM Stuart Henderson <[email protected]>
> > wrote:
> >
> > > Generate your own key if you want a specific type of curve, same as if you
> > > want a specific key length with RSA. See "GENERATING ECDSA SERVER
> > > CERTIFICATES" in ssl(8) and set things to use one of the curves allowed by
> > > the CA. acme-client will use your own key if it already exists otherwise it
> > > will create a new 4096-bit RSA key or secp384r1 ECDSA key by default.
> > >
> > > --
> > > Sent from a phone, apologies for poor formatting.
> > >
> > >
> > > On 4 November 2020 20:29:57 K R <[email protected]> wrote:
> > >
> > >>> Synopsis: acme-client won't work with buypass.com ECDSA domain keys
> > >>> Category: system sparc64
> > >>> Environment:
> > >>>
> > >> System      : OpenBSD 6.8
> > >> Details     : OpenBSD 6.8 (GENERIC) #477: Sun Oct 4 20:36:17 MDT 2020
> > >>         [email protected]:/usr/src/sys/arch/sparc64/compile/GENERIC
> > >>
> > >> Architecture: OpenBSD.sparc64
> > >> Machine     : sparc64
> > >>
> > >>> Description:
> > >>>
> > >>
> > >> When using an ecdsa domain key with buypass.com, acme-client
> > >> receives this error:
> > >>
> > >> "Curve is not of type secp256r1 or prime256v1"
> > >>
> > >>> How-To-Repeat:
> > >>>
> > >>
> > >> With the following conf, the error below is shown:
> > >>
> > >> ------------------------------------------------------------------------
> > >> domain example.org {
> > >>         alternative names { www.example.org }
> > >>         domain key "/etc/ssl/private/example.org.key" ecdsa
> > >>         domain full chain certificate "/etc/ssl/example.org.fullchain.pem"
> > >>         sign with buypass
> > >> }
> > >> ------------------------------------------------------------------------
> > >> server# acme-client -v example.org
> > >> acme-client: https://api.buypass.com/acme/directory: directories
> > >> acme-client: api.buypass.com: DNS: 185.62.162.162
> > >> acme-client: https://api.buypass.com/acme/order/-VX9VLMpbD5HUKIR39u0bE4Dvk-U15VWUi9lO406Lxo/finalize: certificate
> > >> acme-client: https://api.buypass.com/acme/order/-VX9VLMpbD5HUKIR39u0bE4Dvk-U15VWUi9lO406Lxo/finalize: bad HTTP: 400
> > >> acme-client: transfer buffer:
> > >> [{"type":"urn:ietf:params:acme:error:malformed","detail":"Curve is not of type secp256r1 or prime256v1","code":400,"message":"MALFORMED_BAD_REQUEST","details":"HTTP 400 Bad Request"}] (181 bytes)
> > >> acme-client: bad exit: netproc(9045): 1
> > >> ------------------------------------------------------------------------
> > >>
> > >>> Fix:
> > >>>
> > >> Unknown.
> > >>
> > >> -EOF
> > >>
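Review bot: the hunk in Stuart's acme-client.conf.5 diff documents only the generate-if-missing case, not the point K R said the manual left unclear, that an existing key file is used unchanged; consider preceding "+If the key file does not exist," with a line such as "+If it exists, the existing key is used as-is." and adding a ".Xr ssl 8" entry under SEE ALSO as the report requested, since a user whose CA rejects secp384r1 (the buypass error above accepts only secp256r1/prime256v1) has to generate the key on an accepted curve before the first run.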
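The workaround Stuart describes (generate the domain key on a CA-accepted curve yourself, since acme-client keeps an existing key and only creates a secp384r1 one when the file is missing), written up as an added shell example that is not code from the thread or from acme-client; the key paths, the config file and the accepted-curve list are assumptions.

```shell
#!/bin/sh
# Added example (not acme-client code): pre-generate the ECDSA domain key on a
# curve the CA accepts, then audit every 'domain key "..." ecdsa' entry of an
# acme-client.conf. Paths, config and the accepted-curve list are assumptions.

# Create an EC key at $1 on curve $2 (default prime256v1) unless it exists.
# acme-client uses an existing key file unchanged and only generates its own
# (secp384r1 for ecdsa) when the file is missing, so run this before the
# first "acme-client example.org".
gen_ec_key() {
    key=$1 curve=${2:-prime256v1}
    if [ -e "$key" ]; then
        echo "$key exists, keeping it" >&2
        return 0
    fi
    ( umask 077 && openssl ecparam -genkey -name "$curve" -noout -out "$key" )
}

# Print the curve name stored in an EC private key, e.g. prime256v1.
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: *//p'
}

# Succeed only if the key's curve is in the accepted list $2 (space
# separated). The default mirrors the buypass error in the report; OpenSSL
# calls secp256r1 "prime256v1".
curve_ok() {
    cur=$(key_curve "$1")
    for c in ${2:-prime256v1 secp256r1}; do
        [ "$cur" = "$c" ] && return 0
    done
    return 1
}

# For each ecdsa domain key named in config $1, print "path curve ok|BAD";
# fail if any key is on a curve the CA would reject.
check_conf() {
    out=$(sed -n 's/^[[:space:]]*domain key "\([^"]*\)"[[:space:]]*ecdsa.*/\1/p' "$1" |
        while read -r key; do
            if curve_ok "$key"; then echo "$key $(key_curve "$key") ok"
            else echo "$key $(key_curve "$key") BAD"; fi
        done)
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q ' BAD$' && return 1
    return 0
}
```

Running `check_conf /etc/acme-client.conf` before `acme-client -v example.org` flags a key that would produce the 400 shown in the report, without a round trip to the CA.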
