On 2020/11/06 11:54, K R wrote:
> Hey Stuart,
> 
> It worked, many thanks!
> 
> I've read the acme-client manpage many times and it wasn't clear that
> acme-client will use an existing key, if present.  Perhaps adding this
> information to the manpage, including ssl(8) in the SEE ALSO section, could
> help others as well.

It was probably clearer earlier when acme-client required a pre-generated
key unless a command line flag was given, which was later changed to the
default.

Maybe this would help:

Index: acme-client.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
retrieving revision 1.26
diff -u -p -r1.26 acme-client.conf.5
--- acme-client.conf.5  14 Sep 2020 16:00:17 -0000      1.26
+++ acme-client.conf.5  6 Nov 2020 15:19:44 -0000
@@ -138,6 +138,12 @@ or
 .Cm ecdsa .
 It defaults to
 .Cm rsa .
+If the key file does not exist,
+.Nm
+will generate a key itself (4096-bit for
+.Cm rsa
+or secp384r1 for
+.Cm ecdsa ) .
 .It Ic domain certificate Ar file
 The filename of the certificate that will be issued.
 This is optional if

> Thanks again,
> --K
> 
> On Thu, Nov 5, 2020 at 7:04 AM Stuart Henderson <s...@spacehopper.org> wrote:
> 
> > Generate your own key if you want a specific type of curve, same as if you
> > want a specific key length with RSA. See "GENERATING ECDSA SERVER
> > CERTIFICATES" in ssl(8) and set things to use one of the curves allowed by
> > the CA. acme-client will use your own key if it already exists otherwise it
> > will create a new 4096-bit RSA key or secp384r1 ECDSA key by default.
> >
> > --
> >   Sent from a phone, apologies for poor formatting.
> >
> >
> > On 4 November 2020 20:29:57 K R <daharmaster...@gmail.com> wrote:
> >
> > Synopsis:      acme-client won't work with buypass.com ECDSA domain keys
> >>> Category:      system sparc64
> >>> Environment:
> >>>
> >>         System      : OpenBSD 6.8
> >>         Details     : OpenBSD 6.8 (GENERIC) #477: Sun Oct  4 20:36:17 MDT
> >> 2020
> >>                          dera...@sparc64.openbsd.org:
> >> /usr/src/sys/arch/sparc64/compile/GENERIC
> >>
> >>         Architecture: OpenBSD.sparc64
> >>         Machine     : sparc64
> >>
> >>> Description:
> >>>
> >>
> >> When using an ecdsa domain key with buypass.com, acme-client
> >> receives this error:
> >>
> >>   "Curve is not of type secp256r1 or prime256v1"
> >>
> >> How-To-Repeat:
> >>>
> >>
> >> With the following conf, the error below is shown:
> >>
> >> ------------------------------------------------------------------------
> >> domain example.org {
> >>         alternative names { www.example.org }
> >>         domain key "/etc/ssl/private/example.org.key" ecdsa
> >>         domain full chain certificate "/etc/ssl/example.org.fullchain.pem"
> >>         sign with buypass
> >> }
> >> ------------------------------------------------------------------------
> >> server# acme-client -v example.org
> >> acme-client: https://api.buypass.com/acme/directory: directories
> >> acme-client: api.buypass.com: DNS: 185.62.162.162
> >> acme-client: https://api.buypass.com/acme/order/-VX9VLMpbD5HUKIR39u0bE4Dvk-U15VWUi9lO406Lxo/finalize: certificate
> >> acme-client: https://api.buypass.com/acme/order/-VX9VLMpbD5HUKIR39u0bE4Dvk-U15VWUi9lO406Lxo/finalize: bad HTTP: 400
> >> acme-client: transfer buffer:
> >> [{"type":"urn:ietf:params:acme:error:malformed","detail":"Curve is not of type secp256r1 or prime256v1","code":400,"message":"MALFORMED_BAD_REQUEST","details":"HTTP 400 Bad Request"}] (181 bytes)
> >> acme-client: bad exit: netproc(9045): 1
> >> ------------------------------------------------------------------------
> >>
> >>> Fix:
> >>>
> >>         Unknown.
> >>
> >> -EOF
> >>
> >
> >

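The fix Stuart describes above (pre-generate the domain key on a curve the CA accepts, and let acme-client pick up the existing file) and the failure the report shows (a secp384r1 key rejected at finalize with HTTP 400) can be checked locally before acme-client ever talks to the CA. The script below is an added example, not code from OpenBSD, acme-client or the thread participants. It assumes openssl(1) (LibreSSL or OpenSSL) is installed, that prime256v1/secp256r1 is the accepted curve as the error text states, and uses constructed temporary paths in place of /etc/ssl/private/example.org.key; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from OpenBSD or acme-client. Assumes openssl(1)
# (LibreSSL or OpenSSL) is available; the file paths below are constructed
# for the demo, on a real host the key lives where acme-client.conf points.
set -eu

# Curves this CA accepts for ECDSA domain keys, taken from the error text in
# the report above (secp256r1 and prime256v1 are two names for P-256).
ALLOWED_CURVES="prime256v1 secp256r1"

# Print the named curve of an EC private key, "rsa" for an RSA key,
# or "unknown" if openssl cannot parse the file.
key_curve() {
    text=$(openssl pkey -in "$1" -text -noout 2>/dev/null) || { echo unknown; return 0; }
    curve=$(printf '%s\n' "$text" | sed -n 's/^ASN1 OID: *//p' | head -n 1)
    if [ -n "$curve" ]; then
        echo "$curve"
    elif printf '%s\n' "$text" | grep -q '^modulus:'; then
        echo rsa
    else
        echo unknown
    fi
}

# Succeed only if the key's curve is one the CA accepts. Run this before
# acme-client: a wrong curve fails here instead of as an HTTP 400 at finalize.
curve_allowed() {
    c=$(key_curve "$1")
    for a in $ALLOWED_CURVES; do
        if [ "$c" = "$a" ]; then
            return 0
        fi
    done
    return 1
}

# Pre-generate the domain key acme-client will pick up. $1 = path, $2 = curve.
# The key is created mode 0600 (umask 077); only root/acme-client reads it.
gen_ec_key() {
    (umask 077 && openssl ecparam -genkey -name "$2" -noout -out "$1")
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not found" >&2; return 0; }
    dir=$(mktemp -d)
    good="$dir/example.org.key"   # constructed stand-in for /etc/ssl/private/example.org.key
    bad="$dir/default.key"        # what acme-client would create itself: secp384r1

    gen_ec_key "$good" prime256v1
    gen_ec_key "$bad" secp384r1

    for k in "$good" "$bad"; do
        if curve_allowed "$k"; then
            echo "$k: $(key_curve "$k") accepted"
        else
            echo "$k: $(key_curve "$k") would be rejected by the CA; regenerate on an allowed curve"
        fi
    done
    rm -rf "$dir"
}

demo
```

Because acme-client uses whatever key file already exists, the check matters most on a host where the key was created earlier (or by acme-client's own default), since simply switching the CA in acme-client.conf does not change the key. Delete or move the old key and regenerate on the accepted curve before re-running acme-client.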