Letsencrypt ECDSA certificates

  • Today I finished my automated letsencrypt rollout tests and I created about 60 certificates against the test (acme-staging) server. :D


    I'm using the bash script letsencrypt.sh for the certificate requests and a listener file which creates the domains.txt file for the bash script.
    The rest will be done with letsencrypt.sh -c (also the renew, if only 30 days are left) to request the certificate from the letsencrypt server.


    The entries in the i-MSCP database are made by the hook file of the bash script and then the i-MSCP request manager is called. So far all is working fine.
    :thumbsup:



    Now I started to try out with the key algorithm prime256v1 (ECDSA) instead of rsa, and i-MSCP does not allow that kind of certificates.
    I get a Invalid SSL certificate when I look at the panel after the certificate was pushed into the database.


    The private key looks different on a ECDSA certificate and I assume that is the reason why the system is not allowing it. Here an example:


    Code
    1. -----BEGIN EC PARAMETERS-----
    2. BggqhkjOPQMBBw==
    3. -----END EC PARAMETERS-----
    4. -----BEGIN EC PRIVATE KEY-----
    5. MHcCAQEEIAsscADjf3ghF703g1qicVJOzck+9hlsQx4dQRCeaniEoAoGCCqGSM49
    6. AwEHoUQDQgAE/7xTqf+h0k12Wz1vD34EyalelmRaZHCagrAssR7UCcQh+npVre+r
    7. novAhGy+qP1o1j6WOr21yZ6XZFQPPRVx/w==
    8. -----END EC PRIVATE KEY-----

    @Nuxwin
    Any plans to support that in the future?

    Patched i-MSCP 1.5.4 on Debian Stretch | Apache 2.4.52 | Nginx 1.21.4 | OpenSSL 1.1.1 | php 7.0 - 8.1 | Dovecot 2.3.17.1 | Bind 9.16.25 | Postfix 3.1.15 | MariaDB 10.1.48 | ProFTPD 1.3.5b | Rspamd 2.7 | ClamAV 0.103.4 | Roundcube 1.5.2 | CrowdSec 1.3.0

  • @mrpink


    Hmm... We are bound to PHP built-in functions for validation. I don't know if we can validate those keys. What about certificate and ca bundle? No change for them?

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • @Nuxwin


    No, they look the same like for RSA. I mean it's nothing urgent, but for the future we should think about it.

    Patched i-MSCP 1.5.4 on Debian Stretch | Apache 2.4.52 | Nginx 1.21.4 | OpenSSL 1.1.1 | php 7.0 - 8.1 | Dovecot 2.3.17.1 | Bind 9.16.25 | Postfix 3.1.15 | MariaDB 10.1.48 | ProFTPD 1.3.5b | Rspamd 2.7 | ClamAV 0.103.4 | Roundcube 1.5.2 | CrowdSec 1.3.0

  • Is this something relevant to my planned plugin? Will also the certificates generated by my plugin be invalid?

  • I assume it depends which client you use to request the certificates and what kind of key algorithm they use.
    Or maybe one could also choose this like it is on the bash script letsencrypt.sh config file.


    From the Let's Encrypt homepage:


    We are planning to generate ECDSA keys in early 2016.



    And here the upcoming features:


    ECDSA Intermediates
    ETA: Before August 1, 2016


    Let’s Encrypt only signs end-entity certificates with RSA intermediates. We will add the ability to have end-entity certs signed by an ECDSA intermediate.

    Patched i-MSCP 1.5.4 on Debian Stretch | Apache 2.4.52 | Nginx 1.21.4 | OpenSSL 1.1.1 | php 7.0 - 8.1 | Dovecot 2.3.17.1 | Bind 9.16.25 | Postfix 3.1.15 | MariaDB 10.1.48 | ProFTPD 1.3.5b | Rspamd 2.7 | ClamAV 0.103.4 | Roundcube 1.5.2 | CrowdSec 1.3.0

  • @mrpink


    Can you give me the openssl command you used to generate your ECC private key?


    Something like


    Code
    1. openssl ecparam -genkey -text -name prime256v1 -out example-ecc.key

    ?


    result such as


    Code
    1. ASN1 OID: prime256v1
    2. -----BEGIN EC PARAMETERS-----
    3. BggqhkjOPQMBBw==
    4. -----END EC PARAMETERS-----
    5. -----BEGIN EC PRIVATE KEY-----
    6. MHcCAQEEIKIzcUDvBcqV0Q6d5D7pXfD5+mo5TkjAjC5apXlKZbQLoAoGCCqGSM49
    7. AwEHoUQDQgAEkHoQ+s8PzakP+/LZCzm3scg9GxUeeRK3zTyN4pM8fAG/sn4XLW6F
    8. BUtlkUYvKlxOwGdfkCRH6SLmpveuLk5eKQ==
    9. -----END EC PRIVATE KEY-----

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Patched i-MSCP 1.5.4 on Debian Stretch | Apache 2.4.52 | Nginx 1.21.4 | OpenSSL 1.1.1 | php 7.0 - 8.1 | Dovecot 2.3.17.1 | Bind 9.16.25 | Postfix 3.1.15 | MariaDB 10.1.48 | ProFTPD 1.3.5b | Rspamd 2.7 | ClamAV 0.103.4 | Roundcube 1.5.2 | CrowdSec 1.3.0

  • @mrpink


    I'll have a look.


    Also, read please: https://bugs.php.net/bug.php?id=66501

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • @mrpink


    Seem to work on my system. Please, could you send me an ECC private key, SSL cert and CA bundle ? I would test and fix.


    Edit:


    @mrpink


    Maybe I can test by following: https://msol.io/blog/tech/crea…lf-signed-ecc-certificate

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Code: privkey.pem
    1. -----BEGIN EC PARAMETERS-----BggqhkjOPQMBBw==-----END EC PARAMETERS----------BEGIN EC PRIVATE KEY-----MHcCAQEEIO+sOaD2X3lKmSYIaF0fTWbwFLa+8X5NYEB1/qsapbCOoAoGCCqGSM49AwEHoUQDQgAEzAnkaFozRAOnnAna4YHVmSW7q+nLmbEJ/jDi+JmR1deyoy3jccMFvwjDjV0bT8NUGRfPaAQlcBUMzbHq4+xBWA==-----END EC PRIVATE KEY-----
    Code: cert.pem
    1. -----BEGIN CERTIFICATE-----MIIEpzCCA4+gAwIBAgITAPpX36OVD5uyHIoWM6qItcSyRTANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRoYXBweSBoYWNrZXIgZmFrZSBDQTAeFw0xNjAzMjIyMTQzMDBaFw0xNjA2MjAyMTQzMDBaME0xHDAaBgNVBAMTE2Vpc3plaXQtZXJsYW5nZW4uZGUxLTArBgNVBAUTJGZhNTdkZmEzOTUwZjliYjIxYzhhMTYzM2FhODhiNWM0YjI0NTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMwJ5GhaM0QDp5wJ2uGB1Zklu6vpy5mxCf4w4viZkdXXsqMt43HDBb8Iw41dG0/DVBkXz2gEJXAVDM2x6uPsQVijggJ3MIICczAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFIbPItLz5kggX14puvFfjqQBKXNwMB8GA1UdIwQYMBaAFPt4TxL5YBWDLJ8XfzQZsy426kGJMHgGCCsGAQUFBwEBBGwwajAzBggrBgEFBQcwAYYnaHR0cDovL29jc3Auc3RhZ2luZy14MS5sZXRzZW5jcnlwdC5vcmcvMDMGCCsGAQUFBzAChidodHRwOi8vY2VydC5zdGFnaW5nLXgxLmxldHNlbmNyeXB0Lm9yZy8weQYDVR0RBHIwcIIeYXV0b2NvbmZpZy5laXN6ZWl0LWVybGFuZ2VuLmRlgiBhdXRvZGlzY292ZXIuZWlzemVpdC1lcmxhbmdlbi5kZYITZWlzemVpdC1lcmxhbmdlbi5kZYIXd3d3LmVpc3plaXQtZXJsYW5nZW4uZGUwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAMHDqZhBwl2Sh86Sjgo1lc7TasDTK6ace/J3kbmgN2aIN/QWl6lHEytqVuS9W6MH4zFt0djNAF2Gcs+YCrqhqInqCRvu/k8j2hrRvkdJuDBJubPksSLsWGtsIFIOkK4X8+Rb9awu91AI/66Oz2fFRsdQDvooRUlcqmB/nGAdlca6WWnLtWvcM0wlZvhZgXpNg3FJrcVVDXQBEXpNgyahVKfHCSAy2Bfa6eMJvorhyLgQOTGD7XSwj9H21TjhREbNpe953pcPsqxVXb4g3bLS+46Ydqefwdj64CO1w2N/zgV0kpxVaGgtStSymeXj2ZxnhBaUhWsNTMN9KsDtr/1/LRg==-----END CERTIFICATE-----

    Patched i-MSCP 1.5.4 on Debian Stretch | Apache 2.4.52 | Nginx 1.21.4 | OpenSSL 1.1.1 | php 7.0 - 8.1 | Dovecot 2.3.17.1 | Bind 9.16.25 | Postfix 3.1.15 | MariaDB 10.1.48 | ProFTPD 1.3.5b | Rspamd 2.7 | ClamAV 0.103.4 | Roundcube 1.5.2 | CrowdSec 1.3.0