ACME 0.6.3 Changing domain key size on existing entry (renew)



  • Hi,
    I tried to change the key size on an existing domain cert, but it did not work. Is it possible to add a key size field to the acme.sh renew call?

    Initial key size = 4096
    This is the first call (Issue):

    /usr/local/pkg/acme/acme.sh --home '/tmp/acme/sub.domain.org/' --accountconf '/tmp/acme/sub.domain.org/accountconf.conf' --createDomainKey -d '*.sub.domain.org' --keylength '4096' --log-level 3 --log '/tmp/acme/sub.domain.org/acme_createdomainkey.log'
    

    I edited the entry and set the key size to 2048.
    This is the second call (Renew):

    /usr/local/pkg/acme/acme.sh --issue -d '*.sub.domain.org' --dns 'dns_nsupdate' --home '/tmp/acme/sub.domain.org/' --accountconf '/tmp/acme/sub.domain.org/accountconf.conf' --force --reloadCmd '/tmp/acme/sub.domain.org/reloadcmd.sh' --log-level 3 --log '/tmp/acme/sub.domain.org/acme_issuecert.log'
    

    And the new key size is 4096 bytes.

    When I call it manually, all works fine:

    /usr/local/pkg/acme/acme.sh --issue -d '*.sub.domain.org' --keylength '2048' --dns 'dns_nsupdate' --home '/tmp/acme/sub.domain.org/' --accountconf '/tmp/acme/sub.domain.org/accountconf.conf' --force --reloadCmd '/tmp/acme/sub.domain.org/reloadcmd.sh' --log-level 3 --log '/tmp/acme/sub.domain.org/acme_issuecert.log'
    

    And after that, a standard renew without the key size works fine with the last key size (2048).

    So if the --keylength 'xxxx' parameter is added to the renew call permanently, all will work fine. Is it possible in future releases? Or some patch maybe?

    Thanks in advance!

