key too small: 240 #3402

falconsapsan · 2021-02-10T18:26:28Z

Steps to reproduce

i want issue new certificate for my domain

./acme.sh --issue -d site.pro -d www.site.pro -w /var/www/site.pro/ --keylength ec-256

every time a has error "key too small: 240"

i tryed all variants values of keylength - the result is the same

Debug log


[Wed Feb 10 18:11:34 UTC 2021] Already uptodate!
[Wed Feb 10 18:11:34 UTC 2021] Upgrade success!
~/.acme.sh # ./acme.sh --issue -d site.pro -d www.site.pro -w /var/www/site.pro/ --keylength ec-256 --debug 2
[Wed Feb 10 18:13:17 UTC 2021] Lets find script dir.
[Wed Feb 10 18:13:17 UTC 2021] _SCRIPT_='./acme.sh'
[Wed Feb 10 18:13:17 UTC 2021] _script='/root/.acme.sh/acme.sh'
[Wed Feb 10 18:13:17 UTC 2021] _script_home='/root/.acme.sh'
[Wed Feb 10 18:13:17 UTC 2021] Using default home:/root/.acme.sh
[Wed Feb 10 18:13:17 UTC 2021] Using config home:/root/.acme.sh
[Wed Feb 10 18:13:17 UTC 2021] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v2.8.9
[Wed Feb 10 18:13:17 UTC 2021] Running cmd: issue
[Wed Feb 10 18:13:17 UTC 2021] _main_domain='site.pro'
[Wed Feb 10 18:13:17 UTC 2021] _alt_domains='www.site.pro'
[Wed Feb 10 18:13:17 UTC 2021] Using config home:/root/.acme.sh
[Wed Feb 10 18:13:17 UTC 2021] default_acme_server
[Wed Feb 10 18:13:17 UTC 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed Feb 10 18:13:17 UTC 2021] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Wed Feb 10 18:13:17 UTC 2021] DOMAIN_PATH='/root/.acme.sh/site.pro_ecc'
[Wed Feb 10 18:13:17 UTC 2021] '/var/www/site.pro/' does not contain 'dns'
[Wed Feb 10 18:13:17 UTC 2021] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Wed Feb 10 18:13:17 UTC 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed Feb 10 18:13:17 UTC 2021] GET
[Wed Feb 10 18:13:17 UTC 2021] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed Feb 10 18:13:17 UTC 2021] timeout=
[Wed Feb 10 18:13:17 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.KFgmGK '
[Wed Feb 10 18:13:18 UTC 2021] ret='0'
[Wed Feb 10 18:13:18 UTC 2021] response='{
  "WVBlkCNoeuk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Wed Feb 10 18:13:18 UTC 2021] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed Feb 10 18:13:18 UTC 2021] ACME_NEW_AUTHZ
[Wed Feb 10 18:13:18 UTC 2021] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Feb 10 18:13:18 UTC 2021] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Feb 10 18:13:18 UTC 2021] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed Feb 10 18:13:18 UTC 2021] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed Feb 10 18:13:18 UTC 2021] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Feb 10 18:13:18 UTC 2021] ACME_VERSION='2'
[Wed Feb 10 18:13:18 UTC 2021] Le_NextRenewTime
[Wed Feb 10 18:13:18 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Feb 10 18:13:18 UTC 2021] _on_before_issue
[Wed Feb 10 18:13:18 UTC 2021] _chk_main_domain='site.pro'
[Wed Feb 10 18:13:18 UTC 2021] _chk_alt_domains='www.site.pro'
[Wed Feb 10 18:13:18 UTC 2021] '/var/www/site.pro/' does not contain 'no'
[Wed Feb 10 18:13:18 UTC 2021] Le_LocalAddress
[Wed Feb 10 18:13:18 UTC 2021] d='site.pro'
[Wed Feb 10 18:13:18 UTC 2021] Check for domain='site.pro'
[Wed Feb 10 18:13:18 UTC 2021] _currentRoot='/var/www/site.pro/'
[Wed Feb 10 18:13:18 UTC 2021] d='www.site.pro'
[Wed Feb 10 18:13:18 UTC 2021] Check for domain='www.site.pro'
[Wed Feb 10 18:13:18 UTC 2021] _currentRoot='/var/www/site.pro/'
[Wed Feb 10 18:13:18 UTC 2021] d
[Wed Feb 10 18:13:18 UTC 2021] '/var/www/site.pro/' does not contain 'apache'
[Wed Feb 10 18:13:18 UTC 2021] config file is empty, can not read CA_KEY_HASH
[Wed Feb 10 18:13:18 UTC 2021] _saved_account_key_hash
[Wed Feb 10 18:13:18 UTC 2021] Using config home:/root/.acme.sh
[Wed Feb 10 18:13:18 UTC 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed Feb 10 18:13:18 UTC 2021] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Wed Feb 10 18:13:18 UTC 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed Feb 10 18:13:18 UTC 2021] RSA key
[Wed Feb 10 18:13:18 UTC 2021] config file is empty, can not read CA_EAB_KEY_ID
[Wed Feb 10 18:13:18 UTC 2021] config file is empty, can not read CA_EAB_HMAC_KEY
[Wed Feb 10 18:13:18 UTC 2021] config file is empty, can not read CA_EMAIL
[Wed Feb 10 18:13:18 UTC 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Wed Feb 10 18:13:18 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Feb 10 18:13:18 UTC 2021] payload='{"termsOfServiceAgreed": true}'
[Wed Feb 10 18:13:18 UTC 2021] Use cached jwk for file: /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.key
[Wed Feb 10 18:13:18 UTC 2021] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Feb 10 18:13:18 UTC 2021] HEAD
[Wed Feb 10 18:13:18 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Feb 10 18:13:18 UTC 2021] body
[Wed Feb 10 18:13:18 UTC 2021] _postContentType='application/jose+json'
[Wed Feb 10 18:13:18 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.DIECia  -I  '
[Wed Feb 10 18:13:18 UTC 2021] _ret='0'
[Wed Feb 10 18:13:18 UTC 2021] _headers='HTTP/2 200
server: nginx
date: Wed, 10 Feb 2021 18:13:18 GMT
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0103VaRyI4RXTXH5S2okYUSv9lg7w0YD30ikqaHKN8iUhZg
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Wed Feb 10 18:13:18 UTC 2021] _CACHED_NONCE='0103VaRyI4RXTXH5S2okYUSv9lg7w0YD30ikqaHKN8iUhZg'
[Wed Feb 10 18:13:18 UTC 2021] nonce='0103VaRyI4RXTXH5S2okYUSv9lg7w0YD30ikqaHKN8iUhZg'
[Wed Feb 10 18:13:18 UTC 2021] POST
[Wed Feb 10 18:13:18 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Feb 10 18:13:18 UTC 2021] body='{"protected": "eyJub25jZSI6ICIwMTAzVmFSeUk0UlhUWEg1UzJva1lVU3Y5bGc3dzBZRDMwaWtxYUhLTjhpVWhaZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QiLCAiYWxnIjogIlJTMjU2IiwgImp3ayI6IHsiZSI6ICJBUUFCIiwgImt0eSI6ICJSU0EiLCAibiI6ICJ4eDV0X3JlY0dmWllKYlBqT2R4NEdkRlhleGZ1bUJiSHYzTDN5aFdnIn19", "payload": "eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9", "signature": "Y9XA1yY_cUtM__ZRVWJpgzwasVXLbN6f48aH7ZQfd581KwNXN4jZZZQGbChfPhQ4jzZO13eD8UL81jQa29P_2k64BCEVJh92yYAQxzdwHlJmMeCINg3VCXhyaVQq60qsuz1skIdOLnds8WqR3oGVGJVHU6F0T8Z0c5-q2rYy8JWy2okVoQ6dxX3wX3rtOtthykSA2OpvgkjKPgWG_SjyjD9pZWu5rc-toZq6nffDXai8BwjAPuFINJO-U4PC8DxmtMgTVZ03PqIr9A8ZO-PceHTQQCRSyOKjpgxO4wT8BRTXUgjtIjSkhOu1hrEDggcIRORyUaUozWAYScjhHu2Bdw"}'
[Wed Feb 10 18:13:18 UTC 2021] _postContentType='application/jose+json'
[Wed Feb 10 18:13:18 UTC 2021] Http already initialized.
[Wed Feb 10 18:13:18 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.DIECia '
[Wed Feb 10 18:13:19 UTC 2021] _ret='0'
[Wed Feb 10 18:13:19 UTC 2021] responseHeaders='HTTP/2 400
server: nginx
date: Wed, 10 Feb 2021 18:13:19 GMT
content-type: application/problem+json
content-length: 106
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0104Hm93s1e-gka_5log3F42O83fq2RWGPrJAcfW3iSCr20
'
[Wed Feb 10 18:13:19 UTC 2021] code='400'
[Wed Feb 10 18:13:19 UTC 2021] original='{
  "type": "urn:ietf:params:acme:error:badPublicKey",
  "detail": "key too small: 240",
  "status": 400
}'
[Wed Feb 10 18:13:19 UTC 2021] response='{
  "type": "urn:ietf:params:acme:error:badPublicKey",
  "detail": "key too small: 240",
  "status": 400
}'
[Wed Feb 10 18:13:19 UTC 2021] Register account Error: {
  "type": "urn:ietf:params:acme:error:badPublicKey",
  "detail": "key too small: 240",
  "status": 400
}
[Wed Feb 10 18:13:19 UTC 2021] _on_issue_err
[Wed Feb 10 18:13:19 UTC 2021] Please add '--debug' or '--log' to check more details.
[Wed Feb 10 18:13:19 UTC 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Wed Feb 10 18:13:19 UTC 2021] _chk_vlist
[Wed Feb 10 18:13:19 UTC 2021] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1i  8 Dec 2020
apache:
apache doesn't exist.
nginx:
nginx version: nginx/1.18.0
built with OpenSSL 1.1.1i  8 Dec 2020
TLS SNI support enabled
configure arguments: --prefix=/var/lib/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --lock-path=/run/nginx/nginx.lock --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --add-dynamic-module=/home/buildozer/aports/main/nginx/src/njs-0.5.0/nginx --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_devel_kit-0.3.1/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/traffic-accounting-nginx-module-2.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/array-var-nginx-module-0.05/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_brotli-1.0.0rc/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_cache_purge-2.5.1/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx_cookie_flag_module-1.1.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-dav-ext-module-3.0.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/echo-nginx-module-0.62/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/encrypted-session-nginx-module-0.08/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx-fancyindex-0.5.1/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_http_geoip2_module-3.3/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/headers-more-nginx-module-0.33/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-log-zmq-1.0.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/lua-nginx-module-0.10.19/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/lua-upstream-nginx-module-0.07/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/naxsi-1.3/naxsi_src --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nchan-1.2.7/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/redis2-nginx-module-0.15/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/set-misc-nginx-module-0.32/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-http-shibboleth-2.0.1/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_http_untar_module-1.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-upload-progress-module-0.9.2/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-upstream-fair-0.1.3/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_upstream_jdomain-1.1.5/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-vod-module-1.27/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-module-vts-0.1.18/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/mod_zip-1.2.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-rtmp-module-1.2.1/
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.1 on Jan 14 2021 05:30:29
   running on Linux version #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021, release 5.4.0-65-generic, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_VSOCK 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #define WITH_READLINE 1
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #undef WITH_LIBWRAP
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

The text was updated successfully, but these errors were encountered:

Hiroko103 · 2021-02-23T18:00:38Z

I encountered the same error yesterday. I don't know yet what causes the issue exactly,
but I got it solved by installing 'xxd' tool, and then re-running the certificate creation command.

Hope it helps.

Hiroko103 · 2021-02-23T19:41:06Z

I found out what was causing the issue.
I'm running Alpine Linux so 'xxd' is installed on my system by default, but it's compiled into busybox.

The busybox's xxd binary's manual states the following (full output):

BusyBox v1.33.0 () multi-call binary.

Usage: xxd [-pr] [-g N] [-c N] [-n LEN] [-s OFS] [FILE]

Hex dump FILE (or stdin)
        -g N            Bytes per group
        -c N            Bytes per line
        -p              Show only hex bytes, assumes -c30
        -l LENGTH       Show only first LENGTH bytes
        -s OFFSET       Skip OFFSET bytes
        -r              Reverse (with -p, assumes no offsets in input)

(acme.sh uses the following command to convert HEX to binary: xxd -r -p)

The -p flag assumes -c30 option, and so the calculated HEX output will be broken into multiple lines.
This is the reason why the main script gets only part of the calculated HEX.

By installing 'xxd' separately, I could avoid busybox's version, and the installed one behaved as expected (not limiting a line to 30 bytes)

The installed xxd's manual (full output):

Usage:
       xxd [options] [infile [outfile]]
    or
       xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
Options:
    -a          toggle autoskip: A single '*' replaces nul-lines. Default off.
    -b          binary digit dump (incompatible with -ps,-i,-r). Default hex.
    -C          capitalize variable names in C include file style (-i).
    -c cols     format <cols> octets per line. Default 16 (-i: 12, -ps: 30).
    -E          show characters in EBCDIC. Default ASCII.
    -e          little-endian dump (incompatible with -ps,-i,-r).
    -g          number of octets per group in normal output. Default 2 (-e: 4).
    -h          print this summary.
    -i          output in C include file style.
    -l len      stop after <len> octets.
    -o off      add <off> to the displayed file position.
    -ps         output in postscript plain hexdump style.
    -r          reverse operation: convert (or patch) hexdump into binary.
    -r -s off   revert with <off> added to file positions found in hexdump.
    -d          show offset in decimal instead of hex.
    -s [+][-]seek  start at <seek> bytes abs. (or +: rel.) infile offset.
    -u          use upper case hex letters.
    -v          show version: "xxd V1.10 27oct98 by Juergen Weigert".

Neilpang · 2021-02-24T13:42:47Z

@Hiroko103

Thanks for your info.
Can you please show me the input and the expected output of the busybox xxd command ?

Thanks.

Hiroko103 · 2021-02-24T17:08:31Z

As an example, I will use the following command:
./acme.sh --register-account --debug 3

In the output of the debug log, there are these lines:

[Wed Feb 24 17:40:06 CET 2021] Create account key ok.
[Wed Feb 24 17:40:06 CET 2021] RSA key
[Wed Feb 24 17:40:06 CET 2021] pub_exp='010001'
[Wed Feb 24 17:40:06 CET 2021] base64 single line.
[Wed Feb 24 17:40:06 CET 2021] xxd exists=0
[Wed Feb 24 17:40:06 CET 2021] e='AQAB'
[Wed Feb 24 17:40:06 CET 2021] modulus='D5CC8ACA2E8DE47F8E95EC390F51F2EDE227E85B01D79F3B13F4355692F2FB829B28D7E9872783C4F05A7A35B7FE3D3C72B6A23AA9E95240ADAECE5DBCB611384442A3436A9C2884ABBE4E2BCAF302C053367B3ADAACB545E9F5F4FB8FF1CDB52F99DF2D392EC9B087707B43D8999988752E245860FEB2D6C10F310E9D9D5AC35A4ADB2672C92286CBC6F4399F29D8207870AAA31D9CFFB3F5234F0B85A7BB005B6C45B6F72BD8FF809033A74657E4FD4C80FEBED64800768EC20B12AF1C4FC83BFFE87C4BA7A15218DB9EE377A0F5EB16CF4680CFAD2431A41B3B2ED3D1A1CFC8B60B1FB7DFBA5CEFFABF6E86B552C5028A053BBAADE440A3CC087D7073156D'
[Wed Feb 24 17:40:06 CET 2021] base64 single line.
[Wed Feb 24 17:40:06 CET 2021] xxd exists=0
[Wed Feb 24 17:40:06 CET 2021] n='1cyKyi6N5H-Olew5D1Hy7eIn6FsB1587E_Q1VpLy'
[Wed Feb 24 17:40:06 CET 2021] jwk='{"e": "AQAB", "kty": "RSA", "n": "1cyKyi6N5H-Olew5D1Hy7eIn6FsB1587E_Q1VpLy"}'
[Wed Feb 24 17:40:06 CET 2021] JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "1cyKyi6N5H-Olew5D1Hy7eIn6FsB1587E_Q1VpLy"}}'

The input for the xxd is the 'modulus', and after some transformation (base64, url_encode), the result is placed into 'n' (1cyKyi6N5H-Olew5D1Hy7eIn6FsB1587E_Q1VpLy) which is visibly shorter than the input.

Relevant code lines:
https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L1616
which calls _h2b function that has the xxd command used inside:
https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L565

For reproduction:
With the busybox version:

echo
'D5CC8ACA2E8DE47F8E95EC390F51F2EDE227E85B01D79F3B13F4355692F2FB829B28D7E9872783C4F05A7A35B7FE3D3C72B6A23AA9E95240ADAECE5DBCB611384442A3436A9C2884ABBE4E2BCAF302C053367B3ADAACB545E9F5F4FB8FF1CDB52F99DF2D392EC9B087707B43D89
99988752E245860FEB2D6C10F310E9D9D5AC35A4ADB2672C92286CBC6F4399F29D8207870AAA31D9CFFB3F5234F0B85A7BB005B6C45B6F72BD8FF809033A74657E4FD4C80FEBED64800768EC20B12AF1C4FC83BFFE87C4BA7A15218DB9EE377A0F5EB16CF4680CFAD2431A41B3B2ED3D1A1CFC8B60B1F
B7DFBA5CEFFABF6E86B552C5028A053BBAADE440A3CC087D7073156D' | xxd -r -p

Produces the following binary output:

While running the same command with the separately installed xxd produces:

The busybox's xxd can produce the same (correct) output if I override the implicit (-c30) parameter to a larger number (ex.: 999) explicitly.

xxd -r -p -c 999

In conclusion: The busybox version of xxd "works as stated", but it implies a limit of 30 bytes (if not set otherwise explicitly), while the official xxd converts the full HEX input, without setting the '-c' parameter.

Neilpang · 2021-02-24T23:46:46Z

fixed, please try again with dev branch.

acme.sh --upgrade -b dev

Hiroko103 · 2021-02-25T16:46:05Z

Works fine with the fixed version (tried with both the busybox's and the official binary to make sure nothing went wrong).
Thank you for the fix!

* change arvan api script * change Author name * change name actor * Updated --preferred-chain to issue ISRG properly To support different openssl crl2pkcs7 help cli format * dnsapi/pdns: also normalize json response in detecting root zone * Chain (acmesh-official#3408) * fix acmesh-official#3384 match the issuer to the root CA cert subject * fix format * fix acmesh-official#3384 * remove the alt files. acmesh-official#3384 * upgrade freebsd and solaris * duckdns - fix "integer expression expected" errors (acmesh-official#3397) * fix "integer expression expected" errors * duckdns fix * Update dns_duckdns.sh * Update dns_duckdns.sh * Implement smtp notify hook Support notifications via direct SMTP server connection. Uses Python (2.7.x or 3.4+) to communicate with SMTP server. * Make shfmt happy (I'm open to better ways of formatting the heredoc that embeds the Python script.) * Only save config if send is successful * Add instructions for reporting bugs * Prep for curl or Python; clean up SMTP_* variable usage * Implement curl version of smtp notify-hook * More than one blank line is an abomination, apparently I will not try to use whitespace to group code visually * Fix: Unifi deploy hook support Unifi Cloud Key (acmesh-official#3327) * fix: unifi deploy hook also update Cloud Key nginx certs When running on a Unifi Cloud Key device, also deploy to /etc/ssl/private/cloudkey.{crt,key} and reload nginx. This makes the new cert available for the Cloud Key management app running via nginx on port 443 (as well as the port 8443 Unifi Controller app the deploy hook already supported). Fixes acmesh-official#3326 * Improve settings documentation comments * Improve Cloud Key pre-flight error messaging * Fix typo * Add support for UnifiOS (Cloud Key Gen2) Since UnifiOS does not use the Java keystore (like a Unifi Controller or Cloud Key Gen1 deploy), this also reworks the settings validation and error messaging somewhat. * PR review fixes * Detect unsupported Cloud Key java keystore location * Don't try to restart inactive services (and remove extra spaces from reload command) * Clean up error messages and internal variables * Change to _getdeployconf/_savedeployconf * Switch from cp to cat to preserve file permissions * feat: add huaweicloud error handling * fix: fix freebsd and solaris * support openssl 3.0 fix acmesh-official#3399 * make the fix for rsa key only * Use PROJECT_NAME and VER for X-Mailer header Also add X-Mailer header to Python version * Add _clearaccountconf_mutable() * Rework read/save config to not save default values Add and use _readaccountconf_mutable_default and _saveaccountconf_mutable_default helpers to capture common default value handling. New approach also eliminates need for separate underscore-prefixed version of each conf var. * Implement _rfc2822_date helper * Clean email headers and warn on unsupported address format Just in case, make sure CR or NL don't end up in an email header. * Clarify _readaccountconf_mutable_default * Add Date email header in Python implementation * Use email.policy.default in Python 3 implementation Improves standards compatibility and utf-8 handling in Python 3.3-3.8. (email.policy.default becomes the default in Python 3.9.) * Prefer Python to curl when both available * Change default SMTP_SECURE to "tls" Secure by default. Also try to minimize configuration errors. (Many ESPs/ISPs require STARTTLS, and most support it.) * Update dns_dp.sh 没有encode中文字符会导致提交失败 * No need to include EC parameters explicitly with the private key. (they are embedded) * Fixes response handling and thereby allow issuing of subdomain certs * Adds comment * fix acmesh-official#3402 * dnsapi/ionos: Use POST instead of PATCH for adding TXT record The API now supports a POST route for adding records. Therefore checking for already existing records and including them in a PATCH request is no longer necessary. * fix acmesh-official#3433 * fix acmesh-official#3019 * fix format * Update dns_servercow.sh to support wildcard certs Updated dns_servercow.sh to support txt records with multiple entries. This supports wildcard certificates that require txt records with the same name and different contents. * Update dns_servercow.sh to support wildcard certs Updated dns_servercow.sh to support txt records with multiple entries. This supports wildcard certificates that require txt records with the same name and different contents. * fix acmesh-official#3312 * fix format * feat: add dns_porkbun * fix: prevent rate limit Co-authored-by: Vahid Fardi <vahid.fardi@snapp.cab> Co-authored-by: neil <github@neilpang.com> Co-authored-by: Gnought <1684105+gnought@users.noreply.github.com> Co-authored-by: manuel <manuel@mausz.at> Co-authored-by: jerrm <jerrm@users.noreply.github.com> Co-authored-by: medmunds <medmunds@gmail.com> Co-authored-by: Mike Edmunds <github@to.mikeedmunds.com> Co-authored-by: Easton Man <manyang.me@outlook.com> Co-authored-by: czeming <loser_wind@163.com> Co-authored-by: Geert Hendrickx <geert@hendrickx.be> Co-authored-by: Kristian Johansson <kristian.johansson86@gmail.com> Co-authored-by: Lukas Brocke <lukas@brocke.net> Co-authored-by: anom-human <80478363+anom-human@users.noreply.github.com> Co-authored-by: neil <win10@neilpang.com> Co-authored-by: Quentin Dreyer <quentin.dreyer@rgsystem.com>

akulumbeg pushed a commit to akulumbeg/acme.sh that referenced this issue Mar 21, 2021

fix acmesh-official#3402

9e5ae30

Neilpang closed this as completed in 9a90fe3 Apr 7, 2021

mjbnz pushed a commit to mjbnz/acme.sh that referenced this issue Apr 8, 2021

fix acmesh-official#3402

4227c9c

Sp1l pushed a commit to Sp1l/acme.sh that referenced this issue Aug 10, 2021

fix acmesh-official#3402

e0946b8

Sp1l pushed a commit to Sp1l/acme.sh that referenced this issue Aug 10, 2021

fix acmesh-official#3402

2c253c9

HQJaTu pushed a commit to HQJaTu/acme.sh that referenced this issue Aug 10, 2023

fix acmesh-official#3402

ab88f50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

key too small: 240 #3402

key too small: 240 #3402

falconsapsan commented Feb 10, 2021 •

edited

Loading

Hiroko103 commented Feb 23, 2021

Hiroko103 commented Feb 23, 2021 •

edited

Loading

Neilpang commented Feb 24, 2021

Hiroko103 commented Feb 24, 2021

Neilpang commented Feb 24, 2021

Hiroko103 commented Feb 25, 2021

key too small: 240 #3402

key too small: 240 #3402

Comments

falconsapsan commented Feb 10, 2021 • edited Loading

Steps to reproduce

Debug log

Hiroko103 commented Feb 23, 2021

Hiroko103 commented Feb 23, 2021 • edited Loading

Neilpang commented Feb 24, 2021

Hiroko103 commented Feb 24, 2021

Neilpang commented Feb 24, 2021

Hiroko103 commented Feb 25, 2021

falconsapsan commented Feb 10, 2021 •

edited

Loading

Hiroko103 commented Feb 23, 2021 •

edited

Loading