Certificate request - error :: "Error":"issuing precertificate: no issuers found for public key algorithm RSA - message in the LabCA logs #150

Closed
einsammerlurch opened this issue Dec 27, 2024 · 6 comments
@einsammerlurch

Hi,

I have found a problem in the current version v24.12 of LabCA which I cannot solve. It is not possible to issue or renew certificates. I have also installed a new current version as I suspected an update problem. I have verified my test with an existing installation and a new installation of Proxmox 8.2.

# pvenode acme cert order
Loading ACME account details
Placing ACME order
Order URL: https://pki.fritz.box/acme/order/9/102

Getting authorization details from 'https://pki.fritz.box/acme/authz/9/38'
pve-03.fritz.box is already validated!

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order

Error: POST to https://pki.fritz.box/acme/finalize/9/102 {   "type": "urn:ietf:params:acme:error:serverInternal",   "detail": "Error finalizing order",   "status": 500 }
Task Error: POST to https://pki.fritz.box/acme/finalize/9/102 {   "type": "urn:ietf:params:acme:error:serverInternal",   "detail": "Error finalizing order",   "status": 500 }
boulder-1  | 2024-12-27T16:30:23.361459+00:00Z boulder-va[765]: 6 boulder-va 7aSygQs [AUDIT] Checked CAA records for pve-03.fritz.box, [Present: false, Account ID: 9, Challenge: http-01, Valid for issuance: true, Found at: ""] Response=""
boulder-1  | 2024-12-27T16:30:23.361706+00:00Z boulder-va[765]: 6 boulder-va 9I3DlQs [AUDIT] CAA check result JSON={"AuthzID":"","Requester":9,"Identifier":"pve-03.fritz.box","Challenge":{"type":""},"Latency":0.02}
boulder-1  | 2024-12-27T16:30:23.362045+00:00Z boulder-ra[801]: 6 boulder-ra rY2w1AQ FinalizationCaaCheck JSON={"Requester":9,"Rechecked":1}
boulder-1  | 2024-12-27T16:30:23.385130+00:00Z boulder-ra[801]: 6 boulder-ra qfuP5AY [AUDIT] Certificate request - error JSON={"ID":"S_L6TP7fRh7DPx4yd8tCV-bmzsVrOKKfNMUlg5jqDUI","Requester":9,"OrderID":102,"VerifiedFields":["subject.commonName","subjectAltName"],"NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","RequestTime":"2024-12-27T16:30:23.323505314Z","ResponseTime":"2024-12-27T16:30:23.385080043Z","Error":"issuing precertificate: no issuers found for public key algorithm RSA","Authorizations":{"pve-03.fritz.box":{"ID":"38","ChallengeType":"http-01"}}}
boulder-1  | 2024-12-27T16:35:01.425124+00:00Z boulder-wfe2[833]: 6 boulder-wfe2 sNKy1wg time=2024-12-27T16:35:01.425036289Z
boulder-1  | 2024-12-27T16:38:19.799109+00:00Z boulder-wfe2[833]: 6 boulder-wfe2 55a2sgs time=2024-12-27T16:38:19.799048405Z
boulder-1  | 2024-12-27T16:54:22.965204+00:00Z boulder-ca[696]: 6 boulder-ca 5pr4jgY [AUDIT] OCSP signed: 7f426d0f07c068f9affff9d578eac02b20b9:_,

In older versions of LabCA it worked without any problems.

Best regards
Tom

@hakwerk (Owner)

hakwerk commented Dec 29, 2024

Looks like your issuer certificate is of type ECDSA and the Fritzbox is trying to request an RSA certificate. The boulder engine now only issues for matching key types, so if the issuer is ECDSA it will only work for certificate requests with an ECDSA key.

The solution would be to also have an RSA issuer as well, but at the moment it is not possible to have more than one issuer CA in LabCA unfortunately. I'm looking into changing that, but that conflicts with / depends on some other big changes I'm trying to make in the background.
I'll have another look if I can come up with an easy interim fix to have at least two issuers and/or generate both RSA and ECDSA issuers during setup.
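
The key-type rule described above (and restated in the Jan 12 reply) can be checked locally before a CSR is sent to the CA. The following is an added Go example, not LabCA or boulder code: it models issuer selection keyed on the public-key algorithm and reproduces the log error with an ECDSA-only issuer and an RSA leaf key. `issuerFor` and `selectIssuer` are hypothetical helpers, and the issuer certificate is a constructed stand-in rather than a parsed LabCA issuer.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// keyAlgorithm classifies a public key; only RSA and ECDSA are paired with an issuer here.
func keyAlgorithm(pub crypto.PublicKey) x509.PublicKeyAlgorithm {
	switch pub.(type) {
	case *rsa.PublicKey:
		return x509.RSA
	case *ecdsa.PublicKey:
		return x509.ECDSA
	}
	return x509.UnknownPublicKeyAlgorithm
}

// issuerFor is a constructed stand-in for a parsed issuer certificate (not a real LabCA cert).
func issuerFor(pub crypto.PublicKey) *x509.Certificate {
	return &x509.Certificate{PublicKeyAlgorithm: keyAlgorithm(pub), PublicKey: pub}
}

// selectIssuer mirrors the rule described in the thread: the issuer's key type must match the leaf key's.
func selectIssuer(issuers []*x509.Certificate, csrPub crypto.PublicKey) (*x509.Certificate, error) {
	want := keyAlgorithm(csrPub)
	for _, iss := range issuers {
		if iss.PublicKeyAlgorithm == want && want != x509.UnknownPublicKeyAlgorithm {
			return iss, nil
		}
	}
	// Same error text as the "Certificate request - error" line in the LabCA log.
	return nil, fmt.Errorf("no issuers found for public key algorithm %s", want)
}

func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ECDSA-only issuer, as in the report
	issuers := []*x509.Certificate{issuerFor(caKey.Public())}
	rsaLeaf, _ := rsa.GenerateKey(rand.Reader, 2048) // RSA key like the one in the Proxmox CSR
	ecLeaf, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	for _, pub := range []crypto.PublicKey{rsaLeaf.Public(), ecLeaf.Public()} {
		_, err := selectIssuer(issuers, pub)
		fmt.Printf("%s leaf key: issuer error = %v\n", keyAlgorithm(pub), err)
	}
}
```

Running it prints a nil error for the ECDSA leaf and the same "no issuers found for public key algorithm RSA" text for the RSA leaf; adding an RSA issuer to the slice makes both succeed.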

@hakwerk hakwerk self-assigned this Dec 29, 2024
@MassiPi

MassiPi commented Jan 10, 2025

So is it random whether it is able to issue RSA or ECDSA keys?
I'm in the other situation: I'm unable to issue ECDSA keys and I can't force acme.sh to ask for an RSA key, not an easy solution :)
Thanks

@hakwerk (Owner)

hakwerk commented Jan 12, 2025

When going through the LabCA setup pages, you are creating either an RSA CA or an ECDSA CA. If you then have clients that request the other key type, it won't work at the moment.
So apparently you created an RSA root + issuer in LabCA.

hakwerk added a commit that referenced this issue Jan 12, 2025
The official Let's Encrypt boulder code only issues RSA certificates
from RSA issuer certificates and only ECDSA certificates from an ECDSA
issuer CA. Many people are having issues with this in LabCA.

Until we have the option for multiple issuers per root CA and/or
multiple CA chains in the GUI of LabCA, use the single issuer CA for
both key types.
@hakwerk (Owner)

hakwerk commented Jan 12, 2025

This should now be fixed in the latest release (v25.01), ECDSA and RSA now can be mixed

@einsammerlurch (Author)

wow, wonderful!

Now the issuing of certificates works again.
For future installations, which is the more secure / recommended option? A root CA with RSA or ECDSA?

Thanks for your great work!

@MassiPi

MassiPi commented Jan 12, 2025

This should now be fixed in the latest release (v25.01), ECDSA and RSA now can be mixed

thanks!
Just wondering: what do you mean with "Temporarily issue both ECDSA and RSA from same issuer (#138 #144 #150)"? "Temporarily"? I assumed this is a feature that can be useful in general, isn't it?

And I was also wondering how to update from the web interface (I did it via CLI, but the readme says it can also be done via the web interface, but I just got the message of a new update available..)

Thanks, very good work!
