Endpoint issues after restarting

We are doing some testing to get an old, obscure, non-HTTP server using ACME against the InCommon endpoints and have run into something we don't understand. We are using the https://acme.sectigo.com/v2/InCommonRSAOV endpoint and have it set up and working with the standard ACME clients. For this case, we are able to request the certificate and install it, but the server did not like the certificate when restarted. A little digging and we determined the issued certificate was using ECC keys and only RSA keys are supported by this server. The ACME client we are using defaults to ECC unless RSA is explicitly requested. When we configured the ACME client to use RSA, we got an RSA certificate and the server is happy.

So, my confusion is around the endpoint name/URL.
Should the https://acme.sectigo.com/v2/InCommonRSAOV endpoint be issuing ECC certificates?
If yes, then what is the difference between that and the https://acme.sectigo.com/v2/InCommonECCOV endpoint?
Is there something I, as a DRAO, can look at to understand this better?


I think you need to ask Sectigo those questions. This is primarily a Let's Encrypt CA support forum. While people here can generally help with ACME usage of clients, I don't think anyone here will be able to tell you the difference between Sectigo's endpoints.


thank you.


You should contact Sectigo support for help with their specific endpoints.

I don't immediately see any public documentation explaining the behaviour of their different directory URLs.

However, I have a hunch as to what's going on here:

Your ACME client chooses what key type it uses, which the server needs to support.

That's different from what key and signature the CA puts on the certificate. Let's Encrypt matches them (so an elliptic-curve end-entity key will be signed with an elliptic-curve signature from our intermediate), but there's no particular requirement for that behaviour.

I'd guess Sectigo is using the different directory URLs to control what the server signs with. So to get a fully-RSA chain, you'll want to both instruct your ACME client to use RSA, as well as use the RSAOV directory URL.

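One way to see which of the two properties a server is actually objecting to, as an added example that is not from this thread or from any ACME client: a small stdlib-only Python parser that reads a DER-encoded certificate (`openssl x509 -outform DER` converts PEM) and reports the end-entity public-key algorithm and the CA's signature algorithm separately. The OID table and the `fake_cert` skeleton builder are my own constructions so the demo runs offline; the skeleton is not a certificate any CA issued.

```python
# Added example (not from the thread): read a DER certificate's public-key algorithm
# (set by the ACME client's key) separately from its signature algorithm (set by the
# CA's issuing key). Minimal DER walker; only the four OIDs below are given names.
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "id-ecPublicKey",
        "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def tlv(buf, pos):
    """DER TLV at pos -> (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    while start < end:
        tag, vs, ve, start = tlv(buf, start)
        yield tag, vs, ve

def decode_oid(raw):
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                  # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def alg_oid(buf, vs, ve):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY } -> dotted OID."""
    _, ovs, ove = next(children(buf, vs, ve))
    return decode_oid(buf[ovs:ove])

def key_and_signature_algorithms(cert):
    """(public-key algorithm, signature algorithm) names for a DER-encoded certificate."""
    _, cs, ce, _ = tlv(cert, 0)                        # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    tbs, sig_alg, _ = children(cert, cs, ce)
    fields = list(children(cert, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields.pop(0)
    spki = fields[5]         # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    key_alg = next(children(cert, spki[1], spki[2]))   # the AlgorithmIdentifier inside SPKI
    key_oid, sig_oid = alg_oid(cert, *key_alg[1:]), alg_oid(cert, *sig_alg[1:])
    return OIDS.get(key_oid, key_oid), OIDS.get(sig_oid, sig_oid)

# Constructed test input: a certificate skeleton with the right field layout but placeholder
# contents and no real key or signature (EC parameters would not really be NULL).
def der(tag, body):
    return bytes([tag, len(body)]) + body              # short-form lengths are enough here
RSA_KEY, EC_KEY = bytes.fromhex("06092a864886f70d010101"), bytes.fromhex("06072a8648ce3d0201")
RSA_SIG, EC_SIG = bytes.fromhex("06092a864886f70d01010b"), bytes.fromhex("06082a8648ce3d040302")
def fake_cert(key_oid, sig_oid):
    alg = lambda oid: der(0x30, oid + b"\x05\x00")     # placeholder NULL parameters
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(sig_oid)
           + der(0x30, b"") * 3 + der(0x30, alg(key_oid) + der(0x03, b"\x00\x00")))
    return der(0x30, der(0x30, tbs) + alg(sig_oid) + der(0x03, b"\x00\x00"))
```

A server that only accepts RSA keys cares about the first value returned; the second tells you which chain the CA signed with.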
