acmesh-official
diff --git a/Collapse file
‎README.md‎
Copy file name to clipboardExpand all lines: README.md
+17-18Lines changed: 17 additions & 18 deletions
Display the source diff
Display the rich diff b/Collapse file
‎README.md‎
Copy file name to clipboardExpand all lines: README.md
+17-18Lines changed: 17 additions & 18 deletions
Display the source diff
Display the rich diff
diff --git a/Collapse file
‎acme.sh‎
Copy file name to clipboardExpand all lines: acme.sh
+24-9Lines changed: 24 additions & 9 deletions b/Collapse file
‎acme.sh‎
Copy file name to clipboardExpand all lines: acme.sh
+24-9Lines changed: 24 additions & 9 deletions
diff --git a/Collapse file
‎dnsapi/dns_cf.sh‎
Copy file name to clipboardExpand all lines: dnsapi/dns_cf.sh
+3-1Lines changed: 3 additions & 1 deletion b/Collapse file
‎dnsapi/dns_cf.sh‎
Copy file name to clipboardExpand all lines: dnsapi/dns_cf.sh
+3-1Lines changed: 3 additions & 1 deletion
@@ -208,6 +208,8 @@ The certs will be placed in `~/.acme.sh/example.com/`
 
 The certs will be renewed automatically every **60** days.
 
+The certs will default to ECC certificates.
+
 More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
 
 
@@ -359,36 +361,33 @@ Ok, it's done.
 
 **Please use dns api mode instead.**
 
-# 10. Issue ECC certificates
+# 10. Issue certificates of different key types and lengths (ECC or RSA)
+
+Just set the `keylength` to a valid, supported, value.
+
+Valid values for the `keylength` parameter are:
 
-Just set the `keylength` parameter with a prefix `ec-`.
+1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)**
+2. **ec-384 (secp384r1,  "ECDSA P-384")**
+3. **ec-521 (secp521r1,  "ECDSA P-521", which is not supported by Let's Encrypt yet.)**
+4. **2048   (RSA2048)**
+5. **3072   (RSA3072)**
+6. **4096   (RSA4096)**
 
 For example:
 
-### Single domain ECC certificate
+### Single domain with ECDSA P-384 certificate
 
 ```bash
-acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256
+acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-384
 ```
 
-### SAN multi domain ECC certificate
+### SAN multi domain with RSA4096 certificate
 
 ```bash
-acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256
+acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength 4096
 ```
 
-Please look at the `keylength` parameter above.
-
-Valid values are:
-
-1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)**
-2. **ec-384 (secp384r1,  "ECDSA P-384")**
-3. **ec-521 (secp521r1,  "ECDSA P-521", which is not supported by Let's Encrypt yet.)**
-4. **2048   (RSA2048)**
-5. **3072   (RSA3072)**
-6. **4096   (RSA4096)**
-
-
 # 11. Issue Wildcard certificates
 
 It's simple, just give a wildcard domain as the `-d` parameter.
 
@@ -1250,7 +1250,7 @@ _idn() {
   fi
 }
 
-#_createcsr  cn  san_list  keyfile csrfile conf acmeValidationv1
+#_createcsr  cn  san_list  keyfile csrfile conf acmeValidationv1 extendedUsage
 _createcsr() {
   _debug _createcsr
   domain="$1"
@@ -1259,6 +1259,7 @@ _createcsr() {
   csr="$4"
   csrconf="$5"
   acmeValidationv1="$6"
+  extusage="$7"
   _debug2 domain "$domain"
   _debug2 domainlist "$domainlist"
   _debug2 csrkey "$csrkey"
@@ -1267,11 +1268,10 @@ _createcsr() {
 
   printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]" >"$csrconf"
 
-  if [ "$Le_ExtKeyUse" ]; then
-    _savedomainconf Le_ExtKeyUse "$Le_ExtKeyUse"
-    printf "\nextendedKeyUsage=$Le_ExtKeyUse\n" >>"$csrconf"
+  if [ "$extusage" ]; then
+    printf "\nextendedKeyUsage=$extusage\n" >>"$csrconf"
   else
-    printf "\nextendedKeyUsage=serverAuth\n" >>"$csrconf"
+    printf "\nextendedKeyUsage=serverAuth,clientAuth\n" >>"$csrconf"
   fi
 
   if [ "$acmeValidationv1" ]; then
@@ -4445,6 +4445,7 @@ issue() {
   _valid_from="${16}"
   _valid_to="${17}"
   _certificate_profile="${18}"
+  _extended_key_usage="${19}"
 
   if [ -z "$_ACME_IS_RENEW" ]; then
     _initpath "$_main_domain" "$_key_length"
@@ -4589,12 +4590,25 @@ issue() {
         return 1
       fi
     fi
-    if ! _createcsr "$_main_domain" "$_alt_domains" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF"; then
+    _keyusage="$_extended_key_usage"
+    if [ "$Le_API" = "$CA_GOOGLE" ] || [ "$Le_API" = "$CA_GOOGLE_TEST" ]; then
+      if [ -z "$_keyusage" ]; then
+        #https://github.com/acmesh-official/acme.sh/issues/6610
+        #google accepts serverauth only
+        _keyusage="serverAuth"
+      fi
+    fi
+    if ! _createcsr "$_main_domain" "$_alt_domains" "$CERT_KEY_PATH" "$CSR_PATH" "$DOMAIN_SSL_CONF" "" "$_keyusage"; then
       _err "Error creating CSR."
       _clearup
       _on_issue_err "$_post_hook"
       return 1
     fi
+    if [ "$_extended_key_usage" ]; then
+      _savedomainconf "Le_ExtKeyUse" "$_extended_key_usage"
+    else
+      _cleardomainconf "Le_ExtKeyUse"
+    fi
   fi
 
   _savedomainconf "Le_Keylength" "$_key_length"
@@ -5553,7 +5567,7 @@ renew() {
       _cleardomainconf Le_OCSP_Staple
     fi
   fi
-  issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To" "$Le_Certificate_Profile"
+  issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To" "$Le_Certificate_Profile" "$Le_ExtKeyUse"
   res="$?"
   if [ "$res" != "0" ]; then
     return "$res"
@@ -7469,6 +7483,7 @@ _process() {
   _valid_from=""
   _valid_to=""
   _certificate_profile=""
+  _extended_key_usage=""
   while [ ${#} -gt 0 ]; do
     case "${1}" in
 
@@ -7864,7 +7879,7 @@ _process() {
       shift
       ;;
     --extended-key-usage)
-      Le_ExtKeyUse="$2"
+      _extended_key_usage="$2"
       shift
       ;;
     --ocsp-must-staple | --ocsp)
@@ -8081,7 +8096,7 @@ _process() {
   uninstall) uninstall "$_nocron" ;;
   upgrade) upgrade ;;
   issue)
-    issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to" "$_certificate_profile"
+    issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to" "$_certificate_profile" "$_extended_key_usage"
     ;;
   deploy)
     deploy "$_domain" "$_deploy_hook" "$_ecc"
 
@@ -92,7 +92,9 @@ dns_cf_add() {
     if _contains "$response" "$txtvalue"; then
       _info "Added, OK"
       return 0
-    elif _contains "$response" "The record already exists"; then
+    elif _contains "$response" "The record already exists" ||
+      _contains "$response" "An identical record already exists." ||
+      _contains "$response" '"code":81058'; then
       _info "Already exists, OK"
       return 0
     else