[Q] ACME giving a 2048 key instead of 4096
When you set the key size to 4096, it gives you a 2048 instead.
Is this a bug or what might be the problem?
pfSense 2.4.3-DEVELOPMENT (amd64) built on Fri Dec 22 17:44:26 CST 2017, ACME 0.1.30, haproxy 0.54_2
Haproxy SSL config:
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
Could it be you changed the keysize after already creating the same certificate before?
I just tried to create a (new) cert with 4096 keysize inside acme package and that seemed to work fine.
If there is a problem it's probably on the acme side. haproxy won't change the keysize on a cert; also you can double check in System\CertificateManager and download the cert there. It should also be 2048 in your current case. So haproxy using that cert won't have any other option than to present what was available from the CertificateManager.
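To do the double check described above from the command line, here is an added example (not code from the thread or from the pfSense/ACME packages): it reads the public-key size out of a PEM certificate exported from the Certificate Manager, and out of the certificate a live HAProxy listener actually presents, so the two can be compared. It assumes the openssl CLI is installed; the self-signed certificates it builds are constructed test data.

```shell
#!/bin/sh
# Report the public-key size of a certificate, either from an exported PEM file
# or from a live TLS endpoint. Works for RSA and ECDSA keys alike, since both
# appear as "Public-Key: (N bit)" in openssl's text output.

# Print the key size in bits of a PEM certificate file.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the key size of the certificate a live TLS endpoint presents.
# Usage: live_key_bits host port servername  (servername selects the SNI cert)
live_key_bits() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Build a throwaway self-signed certificate with the requested RSA size so the
# check can be exercised offline (constructed test data, not a real ACME cert).
# Usage: make_test_cert bits outfile.pem   (the key is written to outfile.pem.key)
make_test_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -days 1 -subj "/CN=example.test" 2>/dev/null
}

# Reproduce what the reporter saw: a 2048-bit key where 4096 was expected.
tmpdir=$(mktemp -d)
make_test_cert 2048 "$tmpdir/cert2048.pem"
make_test_cert 4096 "$tmpdir/cert4096.pem"
echo "cert2048.pem: $(cert_key_bits "$tmpdir/cert2048.pem") bit"
echo "cert4096.pem: $(cert_key_bits "$tmpdir/cert4096.pem") bit"
```

If the exported file and the live listener report the same size, HAProxy is presenting exactly what the Certificate Manager holds and the problem lies with the issued certificate, not with HAProxy.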
Thanks for the feedback.
I downloaded the certificate in the cert manager and it says 2048 as well.
I noticed that for some weird reason after I tried out the DNS NS update option, it now shows: "Key Type: Host Key, Key Algorithm: HMAC-MD5" on all keys like this:
…even when creating new domains.
Maybe I should try and reinstall it and clean up the old files in /tmp?
Hostkey and keyalgo would be coming from 'old' settings that are now hidden in the edit view but still present in the configuration. They are harmless; to get rid of them, just add a new SAN list item instead of cloning the existing one? Then manually take over the required information and remove the previous one.
Reinstalling the package won't help; it doesn't (and shouldn't) clear all configuration settings when removed.
I am seeing same issue in 2.6.0-RELEASE with ACME 0.7.3 package.
Provider is Cloudflare in DNS domain alias mode.
Generating a cert using a 256/384 ECDSA key works, but even after switching to RSA 4096 it still gives a 2048-bit key cert.