Letsencrypt ECDSA certificates

  • Hm isn't it a comment which can be removed? I think with openssl -inform it should be possible

  • @mrpink


    Well, assuming that we will only accept traditional encrypted EC format


    Something like


    Perl
    my $keyType = execute('openssl x509 -in certificate.pem -text -noout |grep -q ecds', \my $stdout, \my $stderr) == 0 ? 'ec' : 'rsa';


    should be ok


  • Or better


    Code
    root@wheezy:~# openssl asn1parse -i -in private.key
    0:d=0 hl=2 l= 119 cons: SEQUENCE
    2:d=1 hl=2 l= 1 prim: INTEGER :01
    5:d=1 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:B8EA11CDD06A6DBA9F160ECA4A97FA4C4E8A7E0CE4E44EAE100C3B9810284413
    39:d=1 hl=2 l= 10 cons: cont [ 0 ]
    41:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
    51:d=1 hl=2 l= 68 cons: cont [ 1 ]
    53:d=2 hl=2 l= 66 prim: BIT STRING


    On the key directly

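The layout in the dump above (INTEGER 1, OCTET STRING, [0] curve, [1] public key) is the SEC1 ECPrivateKey structure, so the key type can be read from the ASN.1 shape rather than guessed from key length. The following is an added example, not code from the thread or from i-MSCP: it classifies an unencrypted DER private key (the base64-decoded PEM body) by structure. The function names and the dummy sample keys are constructed for illustration.

```python
OID_EC = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey
OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def key_type(der):
    """Return 'ec', 'rsa' or 'unknown' for an unencrypted DER private key."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        return "unknown"
    items = children(body)
    tags = [t for t, _ in items]
    if tags[:3] == [0x02, 0x30, 0x04]:     # PKCS#8: version, AlgorithmIdentifier, key
        oid = read_tlv(items[1][1])[1]
        return {OID_EC: "ec", OID_RSA: "rsa"}.get(oid, "unknown")
    if tags[:2] == [0x02, 0x04] and items[0][1] == b"\x01":
        return "ec"                        # SEC1 ECPrivateKey, the layout in the dump above
    if len(tags) >= 9 and set(tags) == {0x02}:
        return "rsa"                       # PKCS#1 RSAPrivateKey: nine or more INTEGERs
    return "unknown"

def tlv(tag, value):
    """Build a short-form DER element (helper for the constructed samples only)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed samples: correct structure, dummy key material (not real keys).
CURVE = tlv(0x06, bytes.fromhex("2a8648ce3d030107"))            # prime256v1
SEC1_EC = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"\x11" * 32) + tlv(0xA0, CURVE)
              + tlv(0xA1, tlv(0x03, b"\x00\x04" + b"\x22" * 64)))
PKCS1_RSA = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, b"\x07") * 8)
PKCS8_RSA = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b""))
                + tlv(0x04, PKCS1_RSA))
```

`SEC1_EC` reproduces the element lengths of the dump (outer SEQUENCE of 119 bytes), and an encrypted key falls through to `unknown` because its DER is not visible until decrypted.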

  • Finally, a generic command which should work for both formats is:


    Code
    openssl pkey -in private.key -pubout


  • Finally, a generic command which should work for both formats is:


    Code
    openssl pkey -in private.key -pubout

    But how do you distinguish between ECDSA and RSA with this command?
    The only difference is the length of the key.

  • @mrpink


    Can you give a try:


    In the file engine/PerlLib/iMSCP/OpenSSL.pm (in the validatePrivateKey subroutine), replace:


    Perl
    my @cmd = ( 'openssl rsa', '-in', escapeShell( $self->{'private_key_container_path'} ), '-noout', $passphraseFile ? ('-passin', escapeShell( "file:$passphraseFile" )) : '');

    by


    Perl
    my @cmd = ( 'openssl pkey', '-in', escapeShell( $self->{'private_key_container_path'} ), '-noout', $passphraseFile ? ('-passin', escapeShell( "file:$passphraseFile" )) : '');

    Once done, try again to add your cert through the GUI. Thanks for testing.



    Edit:


    @mrpink


    The only difference is the length of the key.


    No, the used curve is also part of the key.


  • @mrpink


    Forgot another line that you must also change, so wait. Better is the commit which will come in two minutes ;)


  • First test automated with the bash script I get this error after imscp-rqst-mngr


    Code
    [ERROR] iMSCP::OpenSSL::importPrivateKey: Could not import SSL private key: 140545780872848:error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:p_lib.c:288:
  • Forgot other line that you must also change so wait. Better is the commit which will come in two minutes

    Ok, then I'll wait.

  • Yeah


    Just wait for my commit. I forgot to give you another line to change ;) The commit comes now.
