Acme error: Invalid key in certificate request :: ECDSA curve P-521 not allowed



  • Hello,

    I am getting an error with the acme package and Cloudflare dns validation. The validation is able to create the correct TXT record, but the certificate is not generated as it fails with the above error. Details of the error are:

    
    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [CF_Key] => [ … ]
    [CF_Email] => [ … ]
    )
    [Thu May 11 21:36:03 BST 2017] Registering account
    [Thu May 11 21:36:06 BST 2017] Already registered
    [Thu May 11 21:36:08 BST 2017] Update success.
    [Thu May 11 21:36:08 BST 2017] ACCOUNT_THUMBPRINT='…'
    [Thu May 11 21:36:08 BST 2017] Single domain='aaa.bbb.ccc.net'
    [Thu May 11 21:36:08 BST 2017] Getting domain auth token for each domain
    [Thu May 11 21:36:08 BST 2017] Getting webroot for domain='aaa.bbb.ccc.net'
    [Thu May 11 21:36:08 BST 2017] Getting new-authz for domain='aaa.bbb.ccc.net'
    [Thu May 11 21:36:10 BST 2017] The new-authz request is ok.
    [Thu May 11 21:36:10 BST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_cf.sh
    [Thu May 11 21:36:14 BST 2017] Adding record
    [Thu May 11 21:36:14 BST 2017] Added, OK
    [Thu May 11 21:36:14 BST 2017] Sleep 120 seconds for the txt records to take effect
    [Thu May 11 21:36:44 BST 2017] Verifying:aaa.bbb.ccc.net
    [Thu May 11 21:36:48 BST 2017] Success
    [Thu May 11 21:36:48 BST 2017] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_cf.sh
    [Thu May 11 21:36:50 BST 2017] Don't need to remove.
    [Thu May 11 21:36:53 BST 2017] Verify finished, start to sign.
    [Thu May 11 21:36:54 BST 2017] Sign failed: "detail":"Invalid key in certificate request :: ECDSA curve P-521 not allowed"
    [Thu May 11 21:36:54 BST 2017] Please check log file for more details: /tmp/acme/aaa.bbb.ccc.net/acme_issuecert.log
    
    

    Actual host/domain name changed above.

    This occurs no matter what certificate type I choose (RSA 2048, 4096, P-256, etc.).

    I am running 2.3.4 on a SG-2440.

    What is causing this?

    Thanks!
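    As an added example (not part of either post above, and not acme.sh or pfSense code): the error comes back only after the DNS challenge has already passed, so a pre-flight check that reads the public-key algorithm out of the PKCS#10 CSR before it is submitted saves a full validation round. The script below is a minimal DER walker in the Python standard library; the accepted set (RSA, P-256, P-384) is an assumption taken from the error text "ECDSA curve P-521 not allowed", and the CSR it inspects is a constructed sample with a dummy subject, key and signature.

```python
"""Pre-flight check: which key algorithm does a DER CSR declare, and would the CA take it?

Added example for this thread, not acme.sh or pfSense code. ALLOWED_CURVES is an
assumption derived from the error "ECDSA curve P-521 not allowed"; check CA policy.
"""

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
}
ALLOWED_CURVES = {"P-256", "P-384"}  # assumption, see module docstring

SEQUENCE, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06


def read_tlv(data: bytes, pos: int = 0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """OID content bytes to dotted form; the first byte packs two arcs."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def describe_algorithm(alg_id: bytes):
    """AlgorithmIdentifier SEQUENCE -> ("RSA", None), ("EC", curve) or ("other", oid)."""
    tag, body, _ = read_tlv(alg_id)
    if tag != SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, pos = read_tlv(body)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    algorithm = decode_oid(oid_body)
    if algorithm == OID_RSA_ENCRYPTION:
        return "RSA", None
    if algorithm == OID_EC_PUBLIC_KEY:
        ptag, param, _ = read_tlv(body, pos)  # ECParameters: namedCurve OID in practice
        if ptag != OID:
            return "EC", "non-named-curve parameters"
        curve_oid = decode_oid(param)
        return "EC", NAMED_CURVES.get(curve_oid, curve_oid)
    return "other", algorithm


def algorithm_from_csr(csr_der: bytes):
    """CertificationRequest -> CertificationRequestInfo -> SubjectPublicKeyInfo.algorithm."""
    _, req, _ = read_tlv(csr_der)        # CertificationRequest
    _, info, _ = read_tlv(req)           # CertificationRequestInfo
    _, _, pos = read_tlv(info)           # version INTEGER
    _, _, pos = read_tlv(info, pos)      # subject Name
    tag, spki, _ = read_tlv(info, pos)   # SubjectPublicKeyInfo
    if tag != SEQUENCE:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    _, _, alg_end = read_tlv(spki)       # bounds of the AlgorithmIdentifier
    return describe_algorithm(spki[:alg_end])


def csr_key_acceptable(csr_der: bytes) -> bool:
    """True when the CSR's key is RSA or an EC key on an allowed named curve."""
    kind, detail = algorithm_from_csr(csr_der)
    return kind == "RSA" or (kind == "EC" and detail in ALLOWED_CURVES)


def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (lengths below 65536), used only to build samples."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body


# Constructed AlgorithmIdentifier samples (ecPublicKey + named curve, rsaEncryption + NULL).
EC_P521 = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a8648ce3d0201")) + tlv(OID, bytes.fromhex("2b81040023")))
EC_P256 = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a8648ce3d0201")) + tlv(OID, bytes.fromhex("2a8648ce3d030107")))
RSA_ALG = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d010101")) + tlv(NULL, b""))


def constructed_csr(alg_id: bytes) -> bytes:
    """CSR-shaped DER with empty subject, dummy key bits and a dummy signature (never verified)."""
    spki = tlv(SEQUENCE, alg_id + tlv(BIT_STRING, b"\x00" + b"\x04" * 16))
    info = tlv(SEQUENCE, tlv(INTEGER, b"\x00") + tlv(SEQUENCE, b"") + spki + tlv(0xA0, b""))
    return tlv(SEQUENCE, info + tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a8648ce3d040304"))) + tlv(BIT_STRING, b"\x00" * 8))


if __name__ == "__main__":
    for name, alg in (("P-521", EC_P521), ("P-256", EC_P256), ("RSA", RSA_ALG)):
        csr = constructed_csr(alg)
        print(name, algorithm_from_csr(csr), "acceptable" if csr_key_acceptable(csr) else "rejected")
```

    Run against a real request with `algorithm_from_csr(open("req.der", "rb").read())`; a PEM file needs its base64 body decoded first. The walker only follows the fixed PKCS#10 path to the key's AlgorithmIdentifier and never touches the signature, so it is safe to run on untrusted input but is not a substitute for a full ASN.1 parser.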


  • Rebel Alliance Developer Netgate

    Check the log it mentions in that last line of the output you pasted. It may have more info.

    I haven't tried making EC certs in ACME, mostly 2048-bit certs and those have always been OK.

    You could delete both the cert entry and the account key and generate/register new entries to start over.

