I noticed that for some reason Teleport (currently running the current 17.x version) has started to try to ask the ACME server for TLS server certificates with an ECC key. Our ACME server is only capable of (well, configured to) issuing RSA certificates.
How can I switch that back? Right now, the first certificates have expired, and new ones can't be issued, causing web resources to be inaccessible.
This is the error that gets logged (the "Illegal key algorithm, not authorized by certificate profile: ECDSA" comes from our CA):
```
Mar 09 14:26:54 teleport.example.org teleport[952555]: 2026-03-09T14:26:54.735+01:00 WARN [ALPN:PROX] Failed to handle client connection. error:[
Mar 09 14:26:54 teleport.example.org teleport[952555]: ERROR REPORT:
Mar 09 14:26:54 teleport.example.org teleport[952555]: Original Error: *acme.Error 400 urn:ietf:params:acme:error:badCSR: Illegal key algorithm, not authorized by certificate profile: ECDSA.
Mar 09 14:26:54 teleport.example.org teleport[952555]: Stack Trace:
Mar 09 14:26:54 teleport.example.org teleport[952555]: github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:428 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).handleConn
Mar 09 14:26:54 teleport.example.org teleport[952555]: github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:346 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).Serve.func1
Mar 09 14:26:54 teleport.example.org teleport[952555]: runtime/asm_amd64.s:1700 runtime.goexit
Mar 09 14:26:54 teleport.example.org teleport[952555]: User Message: 400 urn:ietf:params:acme:error:badCSR: Illegal key algorithm, not authorized by certificate profile: ECDSA.] alpnproxy/proxy.go:357
Mar 09 14:26:54 teleport.example.org teleport[952555]: 2026-03-09T14:26:54.742+01:00 WARN [ALPN:PROX] Failed to handle client connection. error:[
Mar 09 14:26:54 teleport.example.org teleport[952555]: ERROR REPORT:
Mar 09 14:26:54 teleport.example.org teleport[952555]: Original Error: *errors.errorString acme/autocert: missing certificate
Mar 09 14:26:54 teleport.example.org teleport[952555]: Stack Trace:
Mar 09 14:26:54 teleport.example.org teleport[952555]: github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:428 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).handleConn
Mar 09 14:26:54 teleport.example.org teleport[952555]: github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:346 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).Serve.func1
Mar 09 14:26:54 teleport.example.org teleport[952555]: runtime/asm_amd64.s:1700 runtime.goexit
Mar 09 14:26:54 teleport.example.org teleport[952555]: User Message: acme/autocert: missing certificate] alpnproxy/proxy.go:357
```
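The `badCSR` rejection in the log above is a CA-side check on the public key algorithm carried in the CSR. The following Go program is an added illustration, not code from Teleport or from the poster's CA: it builds an ECDSA and an RSA CSR for the hostname in the log and applies an RSA-only profile to each. The names `rsaOnly`, `newKey`, `newCSR` and `checkProfile`, and the shape of the profile, are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// rsaOnly models a certificate profile that authorizes RSA keys only (assumed policy shape).
var rsaOnly = map[x509.PublicKeyAlgorithm]bool{x509.RSA: true}

func newKey(kind string) (crypto.Signer, error) {
	if kind == "ecdsa" {
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newCSR builds a DER-encoded CSR with a freshly generated (constructed) P-256 or RSA-2048 key.
func newCSR(kind string) ([]byte, error) {
	key, err := newKey(kind)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{DNSNames: []string{"teleport.example.org"}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkProfile parses the CSR and rejects key algorithms the profile does not allow.
func checkProfile(csrDER []byte, allowed map[x509.PublicKeyAlgorithm]bool) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("badCSR: %w", err)
	}
	if !allowed[csr.PublicKeyAlgorithm] {
		return fmt.Errorf("badCSR: key algorithm %s not authorized by profile", csr.PublicKeyAlgorithm)
	}
	return nil
}

func main() {
	for _, kind := range []string{"ecdsa", "rsa"} {
		der, _ := newCSR(kind)
		fmt.Println(kind, "->", checkProfile(der, rsaOnly))
	}
}
```

The same `x509.ParseCertificateRequest` call can be pointed at a CSR captured on the CA side to confirm which key algorithm a client is actually submitting.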