Boulder: Staging server: ECDSA curve P-384 not allowed

Created on 6 Jul 2016  路  4Comments  路  Source: letsencrypt/boulder

A report in the community forum indicates that the staging server is no longer issuing certificates with the P-384 or P-256 curves while production continues to do so.

A cursory examination of the configuration in staging shows both algorithms in the allowedSigningAlgos configuration stanza indicating this is perhaps a bug introduced with the recent refactoring work (not yet confirmed).

areca arewfe kinbug layeapi

Most helpful comment

If you have access to the logs this may shed some light:

logger.Info(fmt.Sprintf("WFE using key policy: %#v", c.KeyPolicy()))

I did refactor this, so this may be a bug.

All 4 comments

If you have access to the logs this may shed some light:

logger.Info(fmt.Sprintf("WFE using key policy: %#v", c.KeyPolicy()))

I did refactor this, so this may be a bug.

Thanks for the tip @benileo - confirmed this is a bug:

WFE using key policy: goodkey.KeyPolicy{AllowRSA:true, AllowECDSANISTP256:false, AllowECDSANISTP384:false, AllowECDSANISTP521:false}

As a note for the history books, while @benileo landed an integration test in certbot that _should_ have surfaced this bug, we are currently using a fixed release of certbot in our integration tests that doesn't have the ECDSA integration merged. We should update test.sh to use a git commit hash that includes this test.

I believe this issue has been resolved and this can be closed.

Was this page helpful?
0 / 5 - 0 ratings