
ACME server: RFC 8555 violation: Support ES256 #4638

Open
mholt opened this issue Dec 13, 2023 · 8 comments

Comments

@mholt commented Dec 13, 2023

Hi there,

Following up on #3729. "Unsupported JWS algorithm: ES256"

RFC 8555:

An ACME server MUST implement the "ES256" signature algorithm
[RFC7518] and SHOULD implement the "EdDSA" signature algorithm using
the "Ed25519" variant (indicated by "crv") [RFC8037].

Making new issue as requested. :) Thanks!

@edewata (Contributor) commented Dec 13, 2023

Hi, thanks for the ticket! Are you using ACME with IPA or with a standalone Dogtag PKI?

@mholt (Author) commented Dec 13, 2023

I don't know for sure, it's in relation to one of our users who hit the same error as in the linked issue above. Here's what I know:

https://caddy.community/t/caddy-and-freeipa-dogtag-signature-of-type-es256-not-supported-try-again-with-rs256/21972

I use FreeIPA’s built-in Dogtag instance as my central certificate authority.
...
For me, the quickest and easiest way to integrate all internal services is to simply grab the certificates from Dogtag through ACME.

@edewata (Contributor) commented Dec 13, 2023

Looks like it's used with IPA. Thanks!

@edewata (Contributor) commented Dec 13, 2023

@rcritten FYI

@Goju-Sulfam commented

Hello everyone. I am said user and I confirm that I use the FreeIPA embedded Dogtag. If I can be of assistance, please let me know.

@bak-minsu commented

I put in some time to address this:
https://github.com/bak-minsu/dogtagpki-pki

However, I'm quite new to contributing to open source projects. I will put in a PR once I figure out how to properly run the CI tests.

@francislavoie commented

You can probably just open the PR which will run CI via this repo. Mark your PR as draft until it's ready for someone's review.

@bak-minsu commented

Opened an issue under the JSS project, as it does not currently support generating a public key using an elliptic curve, which is needed to validate the signature.
