
Topic: [Q] ACME giving a 2048 key instead of 4096


Offline cbadk

[Q] ACME giving a 2048 key instead of 4096
« on: December 23, 2017, 03:24:51 am »
Hello,

When you set the key size to 4096, it gives you a 2048 instead.
Is this a bug or what might be the problem?

System:

Code:
PFsense (2.4.3-DEVELOPMENT (amd64) built on Fri Dec 22 17:44:26 CST 2017 )
ACME 0.1.30
haproxy 0.54_2

Haproxy SSL config:

Code:
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets


//cbadk
« Last Edit: December 23, 2017, 03:40:41 am by cbadk »

Offline PiBa

Re: [Q] ACME giving a 2048 key instead of 4096
« Reply #1 on: December 23, 2017, 09:48:53 am »
Could it be you changed the keysize after already creating the same certificate before?
I just tried to create a (new) cert with 4096 keysize inside acme package and that seemed to work fine.

If there is a problem it's probably on the acme side. haproxy won't change the keysize on a cert; also you can double check in System\CertificateManager and download the cert there. It should also be 2048 in your current case. So haproxy using that cert won't have any other option than to present what was available from the CertificateManager.
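The check suggested above, downloading the cert from the Cert Manager and confirming the key size it actually carries, as an added example (not from the thread, not pfSense or acme.sh code). It assumes the openssl CLI is available; the self-signed test certs and the CN acme-test.example are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the RSA key size embedded in a certificate, which is
# what haproxy will present regardless of the size configured in the ACME package.

# Read a PEM certificate on stdin and print its public-key size in bits.
# The sed pattern matches both "Public-Key: (N bit)" (OpenSSL 1.0/3.x)
# and "RSA Public-Key: (N bit)" (OpenSSL 1.1.x).
pem_key_bits() {
    openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Key size of a PEM certificate file, e.g. the one downloaded from Cert Manager.
cert_key_bits() {
    pem_key_bits < "$1"
}

# Key size of the cert a live TLS listener (such as the haproxy frontend) serves.
live_cert_key_bits() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | pem_key_bits
}

# Exit 0 when the cert carries the expected key size, 1 otherwise.
check_cert_key_bits() {
    expected="$1"; cert="$2"
    actual=$(cert_key_bits "$cert")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $cert has a ${actual}-bit key"
        return 0
    fi
    echo "MISMATCH: $cert has a ${actual:-unknown}-bit key, expected $expected" >&2
    return 1
}

# Constructed self-signed test cert with the given key size (hypothetical CN).
make_test_cert() {
    bits="$1"; dir="$2"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 \
        -subj "/CN=acme-test.example" \
        -keyout "$dir/key-$bits.pem" -out "$dir/cert-$bits.pem" 2>/dev/null
}
```

Run `check_cert_key_bits 4096 /path/to/downloaded.crt` against the Cert Manager export and `live_cert_key_bits your.host 443` against the haproxy frontend; if both report 2048, the issue is in the certificate that was issued, not in haproxy.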

Offline cbadk

Re: [Q] ACME giving a 2048 key instead of 4096
« Reply #2 on: December 24, 2017, 12:53:20 am »
Hi,

Thanks for the feedback.

I downloaded the certificate in the cert manager and it says 2048 as well.

I noticed that for some weird reason after I tried out the DNS NS update option, it now shows: "Key Type: Host Key, Key Algorithm: HMAC-MD5" on all keys like this:

...even when creating new domains...

Maybe I should try and reinstall it and clean up the old files in /tmp?


« Last Edit: December 24, 2017, 01:22:59 am by cbadk »

Offline PiBa

Re: [Q] ACME giving a 2048 key instead of 4096
« Reply #3 on: December 24, 2017, 10:00:14 am »
Hostkey and keyalgo would be coming from 'old' settings that are now hidden in the edit view but still present in the configuration. They are harmless; to get rid of them just add a new SAN list item instead of cloning the existing one? Then manually take over the required information and remove the previous one.

Reinstalling the package won't help, it doesn't (and shouldn't) clear all configuration settings when removed.