Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Acme error: Invalid key in certificate request :: ECDSA curve P-521 not allowed

    Scheduled Pinned Locked Moved
    ACME
    2
    2
    936
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Y
      yellowbrick
      last edited by

      Hello,

      I am getting an error with the acme package and Cloudflare dns validation. The validation is able to create the correct TXT record, but the certificate is not generated as it fails with the above error. Details of the error are:

      
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[CF_Key] => [ … ]
[CF_Email] => [ … ]
)
[Thu May 11 21:36:03 BST 2017] Registering account
[Thu May 11 21:36:06 BST 2017] Already registered
[Thu May 11 21:36:08 BST 2017] Update success.
[Thu May 11 21:36:08 BST 2017] ACCOUNT_THUMBPRINT=‘…’
[Thu May 11 21:36:08 BST 2017] Single domain=‘aaa.bbb.ccc.net'
[Thu May 11 21:36:08 BST 2017] Getting domain auth token for each domain
[Thu May 11 21:36:08 BST 2017] Getting webroot for domain=‘aaa.bbb.ccc.net'
[Thu May 11 21:36:08 BST 2017] Getting new-authz for domain=‘aaa.bbb.ccc.net'
[Thu May 11 21:36:10 BST 2017] The new-authz request is ok.
[Thu May 11 21:36:10 BST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_cf.sh
[Thu May 11 21:36:14 BST 2017] Adding record
[Thu May 11 21:36:14 BST 2017] Added, OK
[Thu May 11 21:36:14 BST 2017] Sleep 120 seconds for the txt records to take effect
[Thu May 11 21:36:44 BST 2017] Verifying:aaa.bbb.ccc.net
[Thu May 11 21:36:48 BST 2017] Success
[Thu May 11 21:36:48 BST 2017] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_cf.sh
[Thu May 11 21:36:50 BST 2017] Don't need to remove.
[Thu May 11 21:36:53 BST 2017] Verify finished, start to sign.
[Thu May 11 21:36:54 BST 2017] Sign failed: "detail":"Invalid key in certificate request :: ECDSA curve P-521 not allowed"
[Thu May 11 21:36:54 BST 2017] Please check log file for more details: /tmp/acme/aaa.bbb.ccc.net/acme_issuecert.log

      Actual host/domain name changed above.

      This occurs no matter what certificate type I choose (RSA 2048, 4096, p-256), etc.

      I am running 2.3.4 on a SG-2440.

      What is causing this?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Check the log it mentions in that last line of the output you pasted. It may have more info.

        I haven't tried making EC certs in ACME, mostly 2048-bit certs and those have always been OK.

        You could delete both the cert entry and the account key and generate/register new entries to start over.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • First post
          Last post