Currently, when issuing an ECC-key-based certificate, le.sh uses the same directory as for RSA-key-based certificates. As such, it is not possible to issue both an RSA and a (separate) ECC cert for the same domain. Maybe suffixing the key type to the directory for non-RSA certificates would be a future-proof fix for this:
RSA key certificate for example.com: $LE_WORKING_DIR/example.com/example.com.cer
ECC key certificate for example.com: $LE_WORKING_DIR/example.com-ecc/example.com.cer
This is a problem.
But you can define a different working dir, for example:
1) install
export LE_WORKING_DIR=~/.le-ecc
./le.sh install
2) issue cert
export LE_WORKING_DIR=~/.le-ecc
le.sh issue .............
3) The crontab can handle different working dir automatically.
yes, that's how I am testing it currently.
But having two sets of files, scripts, accounts and crontabs does not feel right, especially as you can use the same account conf/key for both RSA and ECC domain key certificates. The main domain directory name is really the only thing that prevents using both RSA and ECC key domains within the same setup...
+1 to support multiple cert types from a single account.
I tried setting up the separate working dir workaround but got the error:
Sign failed: "detail":"Error creating new cert :: Invalid signature algorithm in CSR"
I used openssl to verify the CSR and did not see any issues.
I don't know if it's relevant, but I'm attempting validation using manual DNS validation.
definitely needed for nginx 1.11.0 and dual rsa + ecdsa support
@Neilpang was thinking about this some more, is it possible just to create a copy of acme.sh and change its default LE_WORKING_DIR to a separate path, i.e. acme-ecc.sh, and use it to issue ecc certs and use the original acme.sh to issue rsa certs?
@centminmod
Yes, That is a solution.
We have 2 options that can do that: --home or --certhome
1) --home
#install a dsa copy to a separate home:
./acme.sh --install --home /root/dsahome
#issue dsa cert:
acme.sh --issue --home /root/dsahome .......
2) --certhome
acme.sh --issue --certhome /root/mydsacerts ......
@Neilpang thanks
sweet, certhome is perfect!
@centminmod
Each time you call any command, --issue or --renew, you must give the new dsa certhome for dsa certs.
@centminmod
You may need to add a new cronjob to renew dsa certs like:
0 1 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" --certhome "/root/mydsacerts" > /dev/null
cheers, makes sense and perfect for scripted automation :)
@centminmod
I was planning to support both RSA and DSA certs in the same dir.
So, please subscribe to this issue, I will update this issue then.
Thanks.
thanks for the heads up :)
hoping there's been developments for dual certs? will be rolling out my implementation acmetool.sh which relies on your wonderful acme.sh client https://community.centminmod.com/threads/official-acmetool-sh-testing-thread-for-centmin-mod-123-09beta01.8290/ :)
@centminmod
priority +1
@centminmod
It's fixed.
All the existing certs will not be affected.
The newly issued ECC certs will have a suffix in the domain folder: _ecc
~/.acme.sh/domain.com_ecc/
sweet thanks @Neilpang :)
@centminmod
For the following commands: '--installcert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
you must specify --ecc param for ECC certs.
For example,
If you just issued a new ECC cert in domain folder: ~/.acme.sh/domain.com_ecc/
Renew it like:
acme.sh --renew -d domain.com --ecc
oh, so more changes! thanks for the heads up
@centminmod
Yes, It's a big change.
We need to keep compatible with all the existing certs (rsa and ecc).
So what happens if you reissue via the same command you used to create the original ECDSA cert?
if you issued with
acme.sh --staging --issue -d newdomain10.com -w /home/nginx/domains/newdomain10.com/public -k ec-256
then come renewal time (within the renewal allowed time) you ran the same command
acme.sh --staging --issue -d newdomain10.com -w /home/nginx/domains/newdomain10.com/public -k ec-256
that should work too, I suppose, as long as the next step for installcert uses the --ecc flag, right?
@centminmod
If you call the --issue command and the cert is an ecc cert, it will be in the new domain folder with the suffix.
However, if you call --renew or --renewall or --cron to renew it, it will just be renewed in the old domain folder.
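For anyone writing a wrapper around acme.sh (as acmetool.sh does), the two rules above have to be encoded somewhere: ECC certs issued after the fix live in `<domain>_ecc` and need `--ecc` on later commands, while ECC certs issued before the fix are renewed in place in the unsuffixed folder. The helper functions below are an added example, not code from acme.sh or acmetool.sh. They map a `-k` keylength to the folder and flag acme.sh expects, and they check with `openssl x509` whether the cert actually found in a folder matches the key type the folder name implies, which is how a wrapper can spot a pre-fix ECC cert sitting in the RSA-style folder before it blindly passes or omits `--ecc`. `ACME_HOME`, the demo domains and the self-signed certificates that `make_demo_certs` generates are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of acme.sh or acmetool.sh): helpers for a wrapper
# that must choose the right domain folder and the --ecc flag after acme.sh
# started storing ECC certs in "<domain>_ecc".

# Assumption: acme.sh home directory (acme.sh's default is ~/.acme.sh).
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"

# Map the -k/--keylength value to the domain folder acme.sh uses for new certs.
acme_cert_dir() {
  domain="$1"; keylength="$2"
  case "$keylength" in
    ec-*) printf '%s/%s_ecc\n' "$ACME_HOME" "$domain" ;;
    *)    printf '%s/%s\n'     "$ACME_HOME" "$domain" ;;
  esac
}

# Flag that --installcert/--renew/--revoke/--toPkcs/--createCSR need for ECC certs.
acme_ecc_flag() {
  case "$1" in
    ec-*) printf '%s' '--ecc' ;;
    *)    printf '' ;;
  esac
}

# Public key algorithm of a certificate file: prints "ec", "rsa" or "unknown".
cert_key_type() {
  algo=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
         | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  case "$algo" in
    id-ecPublicKey) echo ec ;;
    rsaEncryption)  echo rsa ;;
    *)              echo unknown ;;
  esac
}

# Compare what a domain folder's name promises with the cert inside it.
# Prints "ok" or "mismatch: ...". An ECC cert issued before the fix still
# lives in the unsuffixed folder, and that is exactly what this reports.
check_folder() {
  dir="${1%/}"
  domain=$(basename "$dir" | sed 's/_ecc$//')
  expected=rsa
  case "$dir" in *_ecc) expected=ec ;; esac
  actual=$(cert_key_type "$dir/$domain.cer")
  if [ "$actual" = "$expected" ]; then
    echo ok
  else
    echo "mismatch: folder expects $expected, cert is $actual"
  fi
}

# Constructed demo data: three folders in acme.sh layout with self-signed
# certs, including one pre-fix ECC cert in an unsuffixed folder. Prints the
# temporary directory that holds them.
make_demo_certs() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/example.com" "$tmp/example.com_ecc" "$tmp/old.example.com"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.com \
    -keyout "$tmp/example.com/example.com.key" \
    -out "$tmp/example.com/example.com.cer" 2>/dev/null
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj /CN=example.com \
    -keyout "$tmp/example.com_ecc/example.com.key" \
    -out "$tmp/example.com_ecc/example.com.cer" 2>/dev/null
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj /CN=old.example.com \
    -keyout "$tmp/old.example.com/old.example.com.key" \
    -out "$tmp/old.example.com/old.example.com.cer" 2>/dev/null
  echo "$tmp"
}

# Usage (folder naming and flag for a new ec-256 issue):
#   acme_cert_dir domain.com ec-256   -> $ACME_HOME/domain.com_ecc
#   acme_ecc_flag ec-256              -> --ecc
# Usage (audit an existing folder before renewing):
#   check_folder "$ACME_HOME/domain.com"
```

`check_folder` only inspects the certificate's public key algorithm, so it works on any folder acme.sh wrote regardless of version; a wrapper would typically run it once over every folder under `ACME_HOME` and warn about `mismatch` entries, since those are the certs that must be renewed with the old command and folder rather than reissued into `<domain>_ecc`.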
understood :)
@centminmod
Nothing should be broken.
Let me know if you find a bug.
I'm still updating the testing project.
cheers, just updated my acmetool.sh wrapper for acme.sh https://community.centminmod.com/threads/official-acmetool-sh-testing-thread-for-centmin-mod-123-09beta01.8290/ so will test it out :)
@centminmod
Good
works on LE staging tests so far https://community.centminmod.com/posts/34608/ :)
acmetool.sh wrapper for acme.sh run output for ec-256 keylength
issue & install letsencrypt ssl certificate for acme1.domain.com
-----------------------------------------------------------
/root/.acme.sh/acme.sh --staging --issue -d acme1.domain.com -w /home/nginx/domains/acme1.domain.com/public -k ec-256 --useragent centminmod-centos7-acmesh-webroot
[Sat Aug 13 14:22:15 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Sat Aug 13 14:22:18 UTC 2016] Registering account
[Sat Aug 13 14:22:24 UTC 2016] Already registered
[Sat Aug 13 14:22:24 UTC 2016] Creating domain key
[Sat Aug 13 14:22:24 UTC 2016] Use length 256
[Sat Aug 13 14:22:24 UTC 2016] Using ec name: prime256v1
[Sat Aug 13 14:22:24 UTC 2016] Single domain='acme1.domain.com'
[Sat Aug 13 14:22:24 UTC 2016] Verify each domain
[Sat Aug 13 14:22:24 UTC 2016] Getting webroot for domain='acme1.domain.com'
[Sat Aug 13 14:22:24 UTC 2016] Getting token for domain='acme1.domain.com'
[Sat Aug 13 14:22:34 UTC 2016] Verifying:acme1.domain.com
[Sat Aug 13 14:22:47 UTC 2016] Success
[Sat Aug 13 14:22:48 UTC 2016] Verify finished, start to sign.
[Sat Aug 13 14:22:55 UTC 2016] Cert success.
-----BEGIN CERTIFICATE-----
MIIEIjCCAwqgAwIBAgITAPoxK7At7f4sb2dl2qzAE13HDjANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA4MTMx
MzIzMDBaFw0xNjExMTExMzIzMDBaMB8xHTAbBgNVBAMTFGFjbWUxLmNlbnRtaW5t
b2QuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEssNPpigSCt9yKmytSTgl
DsudCpSEs7as/p85Nu2Casffr4fgcvbt20atFgdjqdB4JOAtpL1lsuxeGcr4WG4V
rqOCAh0wggIZMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUczFrFpQ9dyDbmXjMiU6l
hW74biEwHwYDVR0jBBgwFoAUwMwDRrlYIMxccnDz4S7LIKb1aDoweAYIKwYBBQUH
AQEEbDBqMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5zdGctaW50LXgxLmxldHNl
bmNyeXB0Lm9yZy8wMwYIKwYBBQUHMAKGJ2h0dHA6Ly9jZXJ0LnN0Zy1pbnQteDEu
bGV0c2VuY3J5cHQub3JnLzAfBgNVHREEGDAWghRhY21lMS5jZW50bWlubW9kLmNv
bTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYI
KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcC
AjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24g
YnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0
aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5
cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQDIgMsNYblYiGP8
phRlZp4Qn5XFNaUKOFDdVXNp6CclQ5CbqmvqLdroJ763cj4r9Tq7cmDTfoz7JwPo
wvcvWiSFMFVoJHNT54pHVyhiGSpp90erF43hnFJf/vFN2cvf2jehHCUShKeAcqdG
xXjQySsJOps+aw6rbVRx3rcLV5OJniC71bZ0hZX0V1SkIHuLgsWXpsE3iEzkc4X8
TbYDEhkfaHKXAbFQi3GJwS0tsFzH+0+WGyPowBEKL0k2792LuA3TteLUuYUMVOKf
5Fap+RXm4z7AGtE6Vrw15g3RZ21yxP1p8BTKR6NjBh1fPCUVhSEDPFYyIpGBcPPH
eF3Y6mf/
-----END CERTIFICATE-----
[Sat Aug 13 14:22:55 UTC 2016] Your cert is in /root/.acme.sh/acme1.domain.com_ecc/acme1.domain.com.cer
[Sat Aug 13 14:22:57 UTC 2016] The intermediate CA cert is in /root/.acme.sh/acme1.domain.com_ecc/ca.cer
[Sat Aug 13 14:22:57 UTC 2016] And the full chain certs is there: /root/.acme.sh/acme1.domain.com_ecc/fullchain.cer
ssl_certificate /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.key;
#ssl_trusted_certificate /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer;
-----------------------------------------------------------
install cert
-----------------------------------------------------------
/root/.acme.sh/acme.sh --installcert -d acme1.domain.com --certpath /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer --keypath /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.key --capath /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-fullchain-acme-ecc.key --ecc
[Sat Aug 13 14:22:57 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer
[Sat Aug 13 14:22:57 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.cer
[Sat Aug 13 14:22:57 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-acme-ecc.key
[Sat Aug 13 14:22:57 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/acme1.domain.com/acme1.domain.com-fullchain-acme-ecc.key
[Sat Aug 13 14:22:57 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl): [ OK ]
[Sat Aug 13 14:22:58 UTC 2016] Reload success
letsencrypt ssl certificate setup completed
-------------------------------------------------------------
-------------------------------------------------------------
FTP hostname : IPADDR
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for acme1.domain.com : ftpusername
FTP password created for acme1.domain.com : ***
-------------------------------------------------------------
vhost for acme1.domain.com created successfully
domain: http://acme1.domain.com
vhost conf file for acme1.domain.com created: /usr/local/nginx/conf/conf.d/acme1.domain.com.conf
vhost ssl for acme1.domain.com created successfully
domain: https://acme1.domain.com
vhost ssl conf file for acme1.domain.com created: /usr/local/nginx/conf/conf.d/acme1.domain.com.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
@centminmod
Cool.