new TLS certificates generate an error in Let's Encrypt
It seems we're assuming RSA and dehydrated is giving us an EC key, which breaks some expectations:
remote: 140254075098240:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:469:
The full log:
torproject.net with alternative names: *.pages.torproject.net
remote: + Signing domains...
remote: + Generating private key...
remote: + Generating signing request...
remote: + Requesting new certificate order from CA...
remote: + Received 2 authorizations URLs from the CA
remote: + Handling authorization for pages.torproject.net
remote: + Handling authorization for pages.torproject.net
remote: + 2 pending challenge(s)
remote: + Deploying challenge tokens...
remote: Adding challenge '_acme-challenge.pages.torproject.net. 60 IN TXT "0-THV0y9IiRpyB2WIljXEB0m1XKXUD6DbC2jnfoDyF8"' for pages.torproject.net.
remote: Adding challenge '_acme-challenge.pages.torproject.net. 60 IN TXT "DICWz24CviBPdAPvsouHijsVZDKRc4KupDkE5ddbx4c"' for pages.torproject.net.
remote: 2021-01-28 21:42:53 /srv/dns.torproject.org/bin/update: ***** start of script *****
remote: 2021-01-28 21:42:53 /srv/dns.torproject.org/bin/update: pre flock
remote: 2021-01-28 21:42:53 /srv/dns.torproject.org/bin/update: pre git pull
remote: 2021-01-28 21:42:53 /srv/dns.torproject.org/bin/update: pre update-keys
remote: 2021-01-28 21:42:56 /srv/dns.torproject.org/bin/update: pre build-services
remote: 2021-01-28 21:42:56 /srv/dns.torproject.org/bin/update: pre for loop
remote: 2021-01-28 21:42:56 /srv/dns.torproject.org/bin/update: pre write_zonefile for 0-26.72.229.38.in-addr.arpa
remote: 2021-01-28 21:42:56 /srv/dns.torproject.org/bin/update: pre write_zonefile for 0.0.0.5.a.5.0.0.0.b.6.0.1.0.0.2.ip6.arpa
remote: 2021-01-28 21:42:56 /srv/dns.torproject.org/bin/update: pre write_zonefile for 1.0.0.0.5.0.0.0.0.0.5.8.7.0.6.2.ip6.arpa
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for 144-28.132.35.154.in-addr.arpa
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for 16-28.235.45.89.in-addr.arpa
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for 2.8.0.0.0.0.0.5.0.0.8.8.4.0.6.2.ip6.arpa
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for 30.172.in-addr.arpa
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for 64-28.132.35.154.in-addr.arpa
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for 82.229.38.in-addr.arpa
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for b.0.0.0.0.b.6.0.0.0.0.0.0.2.6.2.ip6.arpa
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for onion-router.net
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for rev
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for torproject.com
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for torproject.net
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre write_zonefile for torproject.org
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: pre dns-update
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: done!
remote: 2021-01-28 21:42:57 /srv/dns.torproject.org/bin/update: ***** end of script *****
remote: Waiting for master to update torproject.net (for _acme-challenge.pages.torproject.net) from 2021012805. Currently at 2021012806..
remote: Waiting for secondaries to update to match master at 2021012806..
remote: Waiting for secondaries to update to match master at 2021012806..
remote: Waiting for secondaries to update to match master at 2021012806..
remote: Waiting for secondaries to update to match master at 2021012806..
remote: Waiting for master to update torproject.net (for _acme-challenge.pages.torproject.net) from 2021012805. Currently at 2021012806..
remote: Waiting for secondaries to update to match master at 2021012806..
remote: Waiting for secondaries to update to match master at 2021012806..
remote: + Responding to challenge for pages.torproject.net authorization...
remote: + Challenge is valid!
remote: + Responding to challenge for pages.torproject.net authorization...
remote: + Challenge is valid!
remote: + Cleaning challenge tokens...
remote: + Requesting certificate...
remote: + Using preferred chain with CN = DST Root CA X3
remote: + Checking certificate...
remote: + Done!
remote: + Creating fullchain.pem...
remote: Calling deploy for pages.torproject.net
remote: /srv/letsencrypt.torproject.org/bin/deploy called with pages.torproject.net
remote: 140254075098240:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:469:
remote: Warning: No /srv/letsencrypt.torproject.org/var/extra/dh-.pem file found.
remote: sending incremental file list
remote: 359 100% 350.59kB/s 0:00:00 (xfr#4, to-chk=144/357)
remote:
remote: sent 21,562 bytes received 95 bytes 43,314.00 bytes/sec
remote: total size is 1,021,877 speedup is 47.18
remote: + Done!
And indeed, that is an EC key:
root@nevii:/srv/letsencrypt.torproject.org/var/result# head -1 pages.torproject.net.key
-----BEGIN EC PARAMETERS-----
@weasel any idea what that might be?
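As an added example (not the torproject deploy script, whose source is not shown here), a POSIX shell key-type check that a deploy hook could run before any RSA-only step; it assumes key files are laid out as dehydrated writes them, and that the dh-<bits>.pem lookup derives <bits> from the RSA modulus size (an assumption suggested by the malformed "dh-.pem" warning in the log).

```shell
#!/bin/sh
# Key-type detection for an ACME deploy hook (added example, hypothetical
# helper names). dehydrated's EC key files start with an "EC PARAMETERS"
# block, so feeding them to RSA-only routines fails with
# "EVP_PKEY_get0_RSA:expecting an rsa key".

# Print "rsa", "ec" or "unknown" from the first PEM header line.
key_type() {
    case "$(head -1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----") echo rsa ;;
        "-----BEGIN EC PARAMETERS-----"|"-----BEGIN EC PRIVATE KEY-----") echo ec ;;
        *) echo unknown ;;   # e.g. PKCS#8 "BEGIN PRIVATE KEY": inspect with openssl pkey
    esac
}

# For an "EC PARAMETERS" block the second line is the base64 DER of the
# curve OID; these two values are the encodings of prime256v1 and secp384r1.
key_curve() {
    [ "$(key_type "$1")" = ec ] || { echo none; return; }
    [ "$(head -1 "$1")" = "-----BEGIN EC PARAMETERS-----" ] || { echo unknown; return; }
    case "$(sed -n 2p "$1")" in
        "BggqhkjOPQMBBw==") echo prime256v1 ;;
        "BgUrgQQAIg==") echo secp384r1 ;;
        *) echo unknown ;;
    esac
}

# Choose the DH parameter file only for RSA keys; for anything else print
# nothing instead of the malformed "dh-.pem" path seen in the log.
dh_param_file() {
    dir=$1; key=$2
    case "$(key_type "$key")" in
        rsa) bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null \
                    | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p')
             echo "$dir/dh-$bits.pem" ;;
        *)   echo "" ;;
    esac
}

# Constructed fixtures: the first two lines of a dehydrated-style EC key
# file and the header of a traditional RSA key. Not real key material.
TMP=$(mktemp -d)
printf '%s\n' '-----BEGIN EC PARAMETERS-----' 'BggqhkjOPQMBBw==' > "$TMP/ec.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-KEY' > "$TMP/rsa.key"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-KEY' > "$TMP/pkcs8.key"

echo "ec.key: $(key_type "$TMP/ec.key") $(key_curve "$TMP/ec.key")"
echo "rsa.key: $(key_type "$TMP/rsa.key") dh='$(dh_param_file "$TMP" "$TMP/rsa.key")'"
echo "pkcs8.key: $(key_type "$TMP/pkcs8.key") dh='$(dh_param_file "$TMP" "$TMP/pkcs8.key")'"
```

The hook should refuse to run RSA-specific steps (and the DH file lookup) unless key_type prints rsa, and treat unknown as an error rather than guessing.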