Configure key type to use when creating ACME account (for using Buypass)

bohan · August 14, 2020, 2:01am

Maybe many people know that besides Let’s Encrypt, there’s another CA provides free SSL certificates with ACME: Buypass GO

I’ve tried to configure caddy to use it (Buypass requires an email address):

tls youthdna@live.com {
    ca https://api.test4.buypass.no/acme/directory
}

However, I got this error:

Aug 14 01:51:31 server caddy[1169]: 2020/08/14 01:51:31 [ERROR] Making new ACME client: acme: error: 0 :: POST :: https://api.test4.buypass.no/acme-v02/new-acct :: urn:ietf:params:acme:error:badSignatureAlgorithm :: Signature type in JWS header is not supported, url:  (attempt 1/2)

According to my find, caddy uses EC secp384r1 key to create ACME account:

openssl ec -text -noout -in /var/lib/caddy/.local/share/caddy/acme/acme-staging-v02.api.letsencrypt.org-directory/users/default/default.key

read EC key
Private-Key: (384 bit)
priv:
    17:f3:31:9b:71:54:35:39:08:a4:08:f5:f1:04:20:
    8a:96:db:70:08:b0:5d:b1:4e:6f:52:1f:00:85:c0:
    c6:e3:37:56:75:d5:ae:35:fc:36:fe:35:45:d0:59:
    5d:00:aa
pub:
    04:13:5c:68:49:16:4d:80:5d:dc:68:9b:df:9f:1e:
    99:a5:13:4f:b3:46:81:bf:57:39:58:97:cb:5f:82:
    26:20:68:28:63:8c:ef:20:05:f9:b6:6e:7c:0e:df:
    d4:2b:9d:08:90:5d:b6:06:5b:e6:01:46:23:59:9a:
    4c:29:3d:61:9e:8a:94:12:f3:30:ce:0c:8f:9a:9d:
    79:54:58:2e:34:40:21:ff:51:10:b4:a5:dc:86:66:
    b3:94:9c:01:f0:e9:76
ASN1 OID: secp384r1
NIST CURVE: P-384

Buypass definitely support RSA 2048 & 4096, and possibly P-256, but not P-384.

(I understand the difference between ACME account private key and SSL certificate private key, but you got the idea)

So, how can I configure key type to use when creating ACME account in caddy?

francislavoie · August 14, 2020, 3:09am

@matt just tweeted about this yesterday:

You may need to use the key_type global option here:

bohan · August 14, 2020, 6:02am

Sorry, I’ve tried this but the error still occurs.

{
    acme_ca https://api.buypass.com/acme/directory
    email youthdna@live.com
    key_type rsa2048
}

Aug 14 05:52:20 server caddy[1077]: 2020/08/14 05:52:20 [INFO] acme: Registering account for youthdna@live.com
Aug 14 05:52:20 server caddy[1077]: 2020/08/14 05:52:20 [ERROR] Making new ACME client: acme: error: 0 :: POST :: https://api.buypass.com/acme-v02/new-acct :: urn:ietf:params:acme:error:badSignatureAlgorithm :: Signature type in JWS header is not supported, url:  (attempt 1/2)
Aug 14 05:52:22 server caddy[1077]: 2020/08/14 05:52:22 [INFO] acme: Registering account for youthdna@live.com
Aug 14 05:52:38 server caddy[1077]: 2020/08/14 05:52:38 [ERROR] Making new ACME client: Post "https://api.buypass.com/acme-v02/new-acct": net/http: timeout awaiting response headers (attempt 2/2)
Aug 14 05:52:38 server caddy[1077]: 2020/08/14 05:52:38 [ERROR] attempt 1: [can.bohan.co] Obtain: Post "https://api.buypass.com/acme-v02/new-acct": net/http: timeout awaiting response headers - retrying in 1m0s (21.401174137s/720h0m0s elapsed)...
Aug 14 05:53:38 server caddy[1077]: 2020/08/14 05:53:38 [INFO] acme: Registering account for youthdna@live.com
Aug 14 05:53:40 server caddy[1077]: 2020/08/14 05:53:40 [ERROR] Making new ACME client: acme: error: 0 :: POST :: https://api.buypass.com/acme-v02/new-acct :: urn:ietf:params:acme:error:badSignatureAlgorithm :: Signature type in JWS header is not supported, url:  (attempt 1/2)
Aug 14 05:53:42 server caddy[1077]: 2020/08/14 05:53:42 [INFO] acme: Registering account for youthdna@live.com
Aug 14 05:53:43 server caddy[1077]: 2020/08/14 05:53:43 [ERROR] Making new ACME client: acme: error: 0 :: POST :: https://api.buypass.com/acme-v02/new-acct :: urn:ietf:params:acme:error:badSignatureAlgorithm :: Signature type in JWS header is not supported, url:  (attempt 2/2)
Aug 14 05:53:43 server caddy[1077]: 2020/08/14 05:53:43 [ERROR] attempt 2: [can.bohan.co] Obtain: acme: error: 0 :: POST :: https://api.buypass.com/acme-v02/new-acct :: urn:ietf:params:acme:error:badSignatureAlgorithm :: Signature type in JWS header is not supported, url:  - retrying in 2m0s (1m27.324504324s/720h0m0s elapsed)...

The key_type configures the key algo for the SSL certificate (and CSR to be generated) but not the key for registering the ACME account and signing the JWS message.

All ACME requests with a non-empty body MUST encapsulate their payload in a JSON Web Signature (JWS) [RFC7515] object, signed using the account’s private key unless otherwise specified.

An ACME server MUST implement the “ES256” signature algorithm [RFC7518] and SHOULD implement the “EdDSA” signature algorithm using the “Ed25519” variant (indicated by “crv”) [RFC8037].

ES256 stands for ECDSA using P-256 and SHA-256.
Maybe caddy is default to ES384…

I’m using v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

matt · August 31, 2020, 1:42am

Make sure you’re using the latest from source, it defaults to P-256: certmagic/account.go at 09acc6bf59fafc220fd444667851de44e55c1419 · caddyserver/certmagic · GitHub

Should be released this week, maaaybe next.

system · September 13, 2020, 2:01am

This topic was automatically closed after 30 days. New replies are no longer allowed.