On 2020/11/06 11:54, K R wrote:
> Hey Stuart,
>
> It worked, many thanks!
>
> I've read the acme-client manpage many times and it wasn't clear that
> acme-client will use an existing key, if present. Perhaps adding this
> information to the manpage, including ssl(8) in the SEE ALSO section, could
> help others as well.
It was probably clearer earlier when acme-client required a pre-generated key unless a command line flag was given, which was later changed to the default. Maybe this would help..

Index: acme-client.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
retrieving revision 1.26
diff -u -p -r1.26 acme-client.conf.5
--- acme-client.conf.5 14 Sep 2020 16:00:17 -0000 1.26
+++ acme-client.conf.5 6 Nov 2020 15:19:44 -0000
@@ -138,6 +138,12 @@ or .Cm ecdsa . It defaults to .Cm rsa . +If the key file does not exist, +.Nm +will generate a key itself (4096-bit for +.Cm rsa +or secp384r1 for +.Cm ecdsa ) . .It Ic domain certificate Ar file The filename of the certificate that will be issued. This is optional if

> Thanks again,
> --K
>
> On Thu, Nov 5, 2020 at 7:04 AM Stuart Henderson <s...@spacehopper.org> wrote:
>
> > Generate your own key if you want a specific type of curve, same as if you
> > want a specific key length with RSA. See "GENERATING ECDSA SERVER
> > CERTIFICATES" in ssl(8) and set things to use one of the curves allowed by
> > the CA. acme-client will use your own key if it already exists otherwise it
> > will create a new 4096-bit RSA key or secp384r1 ECDSA key by default.
> >
> > --
> > Sent from a phone, apologies for poor formatting.
> >
> >
> > On 4 November 2020 20:29:57 K R <daharmaster...@gmail.com> wrote:
> >
> > Synopsis: acme-client won't work with buypass.com ECDSA domain keys
> >>> Category: system sparc64
> >>> Environment:
> >>>
> >> System : OpenBSD 6.8
> >> Details : OpenBSD 6.8 (GENERIC) #477: Sun Oct 4 20:36:17 MDT 2020
> >> dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
> >>
> >> Architecture: OpenBSD.sparc64
> >> Machine : sparc64
> >>
> >>> Description:
> >>>
> >>
> >> When using an ecdsa domain key with buypass.com, acme-client
> >> receives this error:
> >>
> >> "Curve is not of type secp256r1 or prime256v1"
> >>
> >> How-To-Repeat:
> >>>
> >>
> >> With the following conf, the error below is shown:
> >>
> >> ------------------------------------------------------------------------
> >> domain example.org {
> >> alternative names { www.example.org }
> >> domain key "/etc/ssl/private/example.org.key" ecdsa
> >> domain full chain certificate "/etc/ssl/example.org.fullchain.pem"
> >> sign with buypass
> >> }
> >> ------------------------------------------------------------------------
> >> server# acme-client -v example.org
> >> acme-client: https://api.buypass.com/acme/directory: directories
> >> acme-client: api.buypass.com: DNS: 185.62.162.162
> >> acme-client: https://api.buypass.com/acme/order/-VX9VLMpbD5HUKIR39u0bE4Dvk-U15VWUi9lO406Lxo/finalize: certificate
> >> acme-client: https://api.buypass.com/acme/order/-VX9VLMpbD5HUKIR39u0bE4Dvk-U15VWUi9lO406Lxo/finalize: bad HTTP: 400
> >> acme-client: transfer buffer: [{"type":"urn:ietf:params:acme:error:malformed","detail":"Curve is not of type secp256r1 or prime256v1","code":400,"message":"MALFORMED_BAD_REQUEST","details":"HTTP 400 Bad Request"}] (181 bytes)
> >> acme-client: bad exit: netproc(9045): 1
> >> ------------------------------------------------------------------------
> >>
> >>> Fix:
> >>>
> >> Unknown.
> >>
> >> -EOF
> >>
> >
> >
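Review bot: in acme-client.conf.5 the bare ".Nm" on the added line expands to this page's own name, acme-client.conf, so the new sentence renders as "acme-client.conf will generate a key itself"; the program is meant, so ".Xr acme-client 1" belongs there instead. The hunk also leaves out what K R asked for and what this thread actually resolves: an ".Xr ssl 8" entry under SEE ALSO, and a sentence after the defaults saying that a key of another size or curve can be generated beforehand and will be used as-is, which is how a CA that only accepts secp256r1/prime256v1 is accommodated.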
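The workaround in the thread is to pre-generate the domain key with the curve the CA wants (for buypass, e.g. `openssl ecparam -genkey -name prime256v1 -noout -out /etc/ssl/private/example.org.key`, the path from the report's config) so acme-client reuses it rather than creating its secp384r1 default. As an added example, not code from the thread or from acme-client, this Python 3 pre-flight check (stdlib only) reads such a key file, walks its DER to find the curve OID and reports whether the CA would accept it; the PEM inputs it demonstrates on are constructed with an all-zero scalar purely to exercise the parser and are not usable keys.

```python
import base64
import re

# DER-encoded curve OIDs -> the names openssl and ssl(8) use for them
CURVE_OIDS = {
    bytes.fromhex("2a8648ce3d030107"): "prime256v1",  # 1.2.840.10045.3.1.7 (secp256r1, P-256)
    bytes.fromhex("2b81040022"): "secp384r1",         # 1.3.132.0.34, acme-client's default ECDSA curve
}
BUYPASS_ACCEPTED = {"prime256v1"}  # from the CA's error: "Curve is not of type secp256r1 or prime256v1"

def der_walk(data):
    """Yield (tag, value) for every DER TLV, descending into constructed types (SEQUENCE, [0], [1])."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
            n = length & 0x7f
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value, i = data[i:i + length], i + length
        yield tag, value
        if tag & 0x20:  # constructed bit set: walk the children as well
            yield from der_walk(value)

def key_curve(pem):
    """Return the named curve of an EC private key (RFC 5915 or PKCS#8 PEM), or None."""
    m = re.search(r"-----BEGIN [A-Z ]*PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    for tag, value in der_walk(der):
        if tag == 0x06 and value in CURVE_OIDS:  # OBJECT IDENTIFIER naming a known curve
            return CURVE_OIDS[value]
    return None

def check_domain_key(pem, accepted=BUYPASS_ACCEPTED):
    """Return (curve, ok); ok is True only when the key's curve is one the CA accepts."""
    curve = key_curve(pem)
    return curve, curve in accepted

def fake_ec_pem(curve_oid):
    """CONSTRUCTED demo input: RFC 5915 layout with an all-zero scalar, not a usable key."""
    def tlv(tag, value):
        return bytes([tag, len(value)]) + value  # short-form lengths suffice for this size
    body = tlv(0x02, b"\x01") + tlv(0x04, b"\x00" * 32) + tlv(0xa0, tlv(0x06, curve_oid))
    b64 = base64.b64encode(tlv(0x30, body)).decode()
    return f"-----BEGIN EC PRIVATE KEY-----\n{b64}\n-----END EC PRIVATE KEY-----\n"

if __name__ == "__main__":  # acme-client's own secp384r1 key is rejected, a pre-generated P-256 key passes
    for oid in ("2b81040022", "2a8648ce3d030107"):
        print(check_domain_key(fake_ec_pem(bytes.fromhex(oid))))
```

On a real system, pass `open("/etc/ssl/private/example.org.key").read()` to `check_domain_key` before the first acme-client run; a `(None, False)` result means the file is missing or not an EC key, in which case acme-client would create a secp384r1 key itself.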