I’m trying to avoid prime256v1 in favor of X25519 and getting nowhere fast. It’s running OpenSSL 1.1.x and nginx is compiled against that, openssl ecparam -list_curves shows nothing in 25519, but it does appear in openssl list -public-key-algorithms (which apparently is normal). Which means openssl ecparam doesn’t like being told to use X25519.
So first question would be how to generate an X25519-capable cert.
The second question applies to every single time I’ve tried to manually generate a letsencrypt cert. While this server does have two standard auto-generated certs, this one cert I’m trying to generate is literally for only one subdomain, and no matter which guide I follow I wind up with
Unfortunately, your CSR needs to have a SubjectAltName for every domain
I’ve tried using [SAN] and not using [SAN] in openssl.cnf with the
added just below it, and that doesn’t make any difference at all. There were several other methods with the same lack of result.
This is Ubuntu 16.04.2 LTS, I’ve tried both OpenSSL 1.1.1-dev and OpenSSL 1.1.0d, no difference, and nginx 1.11.9 using ssl_ecdh_curve ‘X25519:secp521r1:secp384r1’ which passes configtest.
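Two points of background for the questions above, followed by an added example that is not part of the original post. X25519 (RFC 7748) is a Diffie-Hellman function: it is used for the ECDHE key exchange in the TLS handshake, which is exactly what nginx's `ssl_ecdh_curve` controls, and that setting is independent of the certificate. A certificate carries a signature key, and `openssl ecparam` only deals with the Weierstrass curves it lists, so a CSR whose key is X25519 is not something a CA can issue against; Let's Encrypt issues for RSA and for ECDSA P-256/P-384 keys. The "SubjectAltName for every domain" rejection is separate: the CSR has to carry a `subjectAltName` extension, and the usual cause of the error is a config where the `[v3_req]` (or equivalent) section exists but is never referenced by `req_extensions`, so the CSR is emitted without it. The script below, written for this page and assuming only that `openssl` is on PATH (the `example.com` names are constructed), generates a P-384 key, writes a minimal `openssl.cnf` that wires the SAN section in, produces the CSR, and then reads the SAN back out of the CSR so the check can be done before anything is submitted to the CA.

```shell
#!/bin/sh
# Added example (not from the original post): build a CSR whose SubjectAltName
# lists every hostname, then confirm the SAN is really in the CSR.
# Assumes openssl is installed; all hostnames used here are constructed.

# make_san_csr DIR NAME [NAME...]
#   Writes DIR/key.pem, DIR/openssl.cnf and DIR/csr.pem.
#   The first NAME becomes the CN; every NAME goes into subjectAltName.
make_san_csr() {
  dir=$1; shift
  mkdir -p "$dir"

  # Turn the remaining arguments into "DNS:a,DNS:b,...".
  san=""
  for name in "$@"; do
    san="${san:+$san,}DNS:$name"
  done

  # req_extensions is what attaches [v3_req] to the CSR. Without that line
  # the section is silently ignored and the CA sees no SAN at all.
  cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
CN = $1

[v3_req]
subjectAltName = $san
EOF

  # ECDSA P-384 signature key (a curve Let's Encrypt accepts). X25519 is a
  # key-exchange algorithm, so it cannot be the certificate's key.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
    -out "$dir/key.pem" 2>/dev/null

  openssl req -new -sha256 -config "$dir/openssl.cnf" \
    -key "$dir/key.pem" -out "$dir/csr.pem"
}

# csr_san DIR
#   Prints the SubjectAltName value parsed out of DIR/csr.pem, e.g.
#   "DNS:sub.example.com, DNS:www.sub.example.com". Empty output means the
#   CSR has no SAN and the CA will reject it.
csr_san() {
  openssl req -in "$1/csr.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | sed 's/^[[:space:]]*//'
}

# Stand-alone usage: one subdomain with its www alias.
if [ "${0##*/}" != "sh" ] && [ -z "${SAN_CSR_NO_MAIN:-}" ]; then
  work=$(mktemp -d)
  make_san_csr "$work" sub.example.com www.sub.example.com
  echo "SAN in CSR: $(csr_san "$work")"
  echo "CSR written to $work/csr.pem"
fi
```

Run it, then hand `csr.pem` to the ACME client (for example `certbot certonly --csr csr.pem`). Whatever the client, check `csr_san` first: if it prints nothing, the extension never made it into the request and the CA's complaint is accurate. The `ssl_ecdh_curve` line in nginx stays as it is; the X25519 exchange will be negotiated by the handshake regardless of which ECDSA or RSA key the certificate ends up carrying.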