Netgate Discussion Forum

Acme error: Invalid key in certificate request :: ECDSA curve P-521 not allowed

yellowbrick (posted May 14, 2017, 10:53 AM; last edited May 14, 2017, 4:33 PM)

    Hello,

    I am getting an error with the acme package and Cloudflare dns validation. The validation is able to create the correct TXT record, but the certificate is not generated as it fails with the above error. Details of the error are:

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [CF_Key] => [ … ]
    [CF_Email] => [ … ]
    )
    [Thu May 11 21:36:03 BST 2017] Registering account
    [Thu May 11 21:36:06 BST 2017] Already registered
    [Thu May 11 21:36:08 BST 2017] Update success.
    [Thu May 11 21:36:08 BST 2017] ACCOUNT_THUMBPRINT='…'
    [Thu May 11 21:36:08 BST 2017] Single domain='aaa.bbb.ccc.net'
    [Thu May 11 21:36:08 BST 2017] Getting domain auth token for each domain
    [Thu May 11 21:36:08 BST 2017] Getting webroot for domain='aaa.bbb.ccc.net'
    [Thu May 11 21:36:08 BST 2017] Getting new-authz for domain='aaa.bbb.ccc.net'
    [Thu May 11 21:36:10 BST 2017] The new-authz request is ok.
    [Thu May 11 21:36:10 BST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_cf.sh
    [Thu May 11 21:36:14 BST 2017] Adding record
    [Thu May 11 21:36:14 BST 2017] Added, OK
    [Thu May 11 21:36:14 BST 2017] Sleep 120 seconds for the txt records to take effect
    [Thu May 11 21:36:44 BST 2017] Verifying:aaa.bbb.ccc.net
    [Thu May 11 21:36:48 BST 2017] Success
    [Thu May 11 21:36:48 BST 2017] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_cf.sh
    [Thu May 11 21:36:50 BST 2017] Don't need to remove.
    [Thu May 11 21:36:53 BST 2017] Verify finished, start to sign.
    [Thu May 11 21:36:54 BST 2017] Sign failed: "detail":"Invalid key in certificate request :: ECDSA curve P-521 not allowed"
    [Thu May 11 21:36:54 BST 2017] Please check log file for more details: /tmp/acme/aaa.bbb.ccc.net/acme_issuecert.log

    Actual host/domain name changed above.

    This occurs no matter what certificate type I choose (RSA 2048, 4096, P-256, etc.).

    I am running 2.3.4 on a SG-2440.

    What is causing this?

    Thanks!

jimp (Rebel Alliance Developer, Netgate), May 15, 2017, 3:08 PM

      Check the log it mentions in that last line of the output you pasted. It may have more info.

      I haven't tried making EC certs in ACME, mostly 2048-bit certs and those have always been OK.

      You could delete both the cert entry and the account key and generate/register new entries to start over.

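The error in the first post is raised by the CA at the signing step and refers to the key inside the CSR that was actually submitted, not to whatever key type the GUI shows as selected. A quick way to settle which curve a key or CSR really carries is to ask openssl directly. The script below is an added example for this thread; it is not code from the forum posts or from the pfSense acme package. It assumes openssl(1) is installed, treats prime256v1 (P-256) and secp384r1 (P-384) as the curves Let's Encrypt will sign for, and the file paths and function names are placeholders of its own.

```sh
#!/bin/sh
# Added diagnostic for the thread above; not code from the forum or the pfSense acme package.
# Assumes openssl(1) is on PATH. Any key/CSR path passed in is a placeholder.

# Curves Let's Encrypt will sign for. The thread's log shows secp521r1 (P-521)
# being refused at the "Verify finished, start to sign" step.
ALLOWED_CURVES="prime256v1 secp384r1"

# Print the OpenSSL short name of the named curve in a PEM EC private key,
# e.g. secp521r1. Prints nothing for RSA keys or unreadable files.
curve_of_key() {
    openssl ec -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*ASN1 OID:[[:space:]]*//p'
}

# Same, for the public key carried in a PEM CSR. This is the key the CA sees,
# regardless of which key type the GUI was set to when the request was built.
curve_of_csr() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*ASN1 OID:[[:space:]]*//p'
}

# Return 0 if the curve name is in ALLOWED_CURVES, 1 otherwise.
curve_allowed() {
    for c in $ALLOWED_CURVES; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# Self-test helper: build a throwaway key and CSR on the given curve in a temp
# directory and echo "<key curve> <csr curve>" so both extractors run end to end.
# The CN is the placeholder host name used in the thread's log.
demo_curves() {
    dir=$(mktemp -d) || return 1
    openssl ecparam -name "$1" -genkey -noout -out "$dir/key.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" -subj "/CN=aaa.bbb.ccc.net" \
        -out "$dir/req.csr" 2>/dev/null
    echo "$(curve_of_key "$dir/key.pem") $(curve_of_csr "$dir/req.csr")"
    rm -rf "$dir"
}

# Command-line use: ./checkcurve.sh <key-or-csr.pem> reports the curve and a verdict.
# Only runs when a path is given, so sourcing this file has no side effects.
if [ -n "$1" ]; then
    curve=$(curve_of_csr "$1")
    [ -n "$curve" ] || curve=$(curve_of_key "$1")
    if [ -z "$curve" ]; then
        echo "$1: no named EC curve found (RSA key, or file not readable)"
    elif curve_allowed "$curve"; then
        echo "$1: $curve, accepted by Let's Encrypt"
    else
        echo "$1: $curve, not accepted by Let's Encrypt (same condition as the thread's error)"
        exit 1
    fi
fi
```

Running it against the CSR the package submitted tells you whether the request still carries a P-521 key after the GUI setting was changed; if it does, regenerating the certificate entry so a fresh key and CSR are produced, as jimp suggests above, is the fix to try.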