Help with Google Cloud DNS auth

mattmunro · August 19, 2020, 4:31am

I’m trying to setup for our windows servers to use Lets Encrypt, I’ve already been able to do this using the same method on our linux servers using certbot.

The keyfile is created against the same service account that is working currently for certbot.

I get the following when I hit test

Powershell/PoshACME DNS :: Error - RuntimeException: Unsupported RSA key size. Must be 2048-4096 in 8 bit increments.
at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
at System.Management.Automation.PowerShell.EndInvoke(IAsyncResult asyncResult)
at Certify.Management.PowerShellManager.InvokePowershell(CertificateRequestResult result, String executionPolicy, String scriptFile, Dictionary`2 parameters, String scriptContent, PowerShell shell) in C:\Work\GIT\certify_5.0.x\certify\src\Certify.Shared.Compat\PowerShellManager.cs:line 182
at Certify.Management.PowerShellManager.d__0.MoveNext() in C:\Work\GIT\certify_5.0.x\certify\src\Certify.Shared.Compat\PowerShellManager.cs:line 90

I am unable to find where I can configure this keysize option, anyone else been able to use Google Cloud DNS? Client version is 5.0.12.0.

I was able to create a cert using manual dns, naturally I don’t want to have that as the deployed option

webprofusion · August 19, 2020, 9:13am

Hi,

I’ve recently been testing Google Cloud DNS for another issue and can confirm that it does work but there may be an environmental or configuration reason it’s not working for you. Can you try out this test update to see if the issue still occurs: Version 5.1.0 (Release Candidate) testing

If the problem still occurs can you confirm which version of Windows this is for (Server 2019 etc) and which version of Powershell is installed: https://adamtheautomator.com/check-powershell-version/

webprofusion · August 19, 2020, 9:23am

Note also that this method is using https://github.com/rmbolger/Posh-ACME/blob/master/Posh-ACME/DnsPlugins/GCloud-Readme.md

As part of the conversation with Google Cloud it uses a Json Web Signature and in Posh-ACME this is expected to be an RSA key. The normal generated Google key is fine but did you upload a custom key?

github.com

rmbolger/Posh-ACME/blob/abe0521df04345a62137a03228230f5935deb5f5/Posh-ACME/Private/New-Jws.ps1#L35


# https://tools.ietf.org/html/rfc8555



if ('Asymmetric' -eq $PSCmdlet.ParameterSetName) {



    # validate the key type

    if ($Key -is [Security.Cryptography.RSA]) {



        # validate the key size

        # LE supports 2048-4096

        # Windows claims to support 8-bit increments (mod 128)

        if ($Key.KeySize -lt 2048 -or $Key.KeySize -gt 4096 -or ($Key.KeySize % 128) -ne 0) {

            throw "Unsupported RSA key size. Must be 2048-4096 in 8 bit increments."

        }



        # make sure we have a private key to sign with

        if ($Key.PublicOnly) {

            throw "Supplied Key has no private key portion."

        }



    } elseif ($Key -is [Security.Cryptography.ECDsa]) {

webprofusion · August 19, 2020, 9:24am

So the short answer would be to generate a new key for your service account and try that (your existing keys can remain active).

mattmunro · August 20, 2020, 2:10am

I’m suspecting this is the good old crlf issue between linux and windows, I created a new key in the console and it was fine.
Thanks

webprofusion · August 20, 2020, 2:25am

Ah interesting, I don’t see anything in the Posh-ACME code that’s dependent on line endings but there could be something somewhere:

github.com

rmbolger/Posh-ACME/blob/9ded067a4aa2b1e9de8ade29d03ed607b73d4554/Posh-ACME/Private/Import-Pem.ps1

function Import-Pem {
    [CmdletBinding()]
    param(
        [Parameter(ParameterSetName='File',Mandatory,Position=0)]
        [string]$InputFile,
        [Parameter(ParameterSetName='String',Mandatory)]
        [string]$InputString
    )

    # DER uses TLV (Tag/Length/Value) triplets.
    # First byte is the tag - https://en.wikipedia.org/wiki/X.690#Types
    # Second byte is either the total length of the value when less than 0x80 (128)
    #     or the number of bytes that make up the value not counting the most significant bit (the 8)
    #     So 0x77 (less than 0x80) means length is 119 (0x77) bytes
    #        0x82 (more than 0x80) means the length is the next 2 (0x82-0x80) bytes
    # Value starts the byte after the length bytes end

    if ('File' -eq $PSCmdlet.ParameterSetName) {
        # normalize the file path and read it in
        $InputFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($InputFile)

This file has been truncated. show original

ctwc2325 · June 25, 2023, 12:02am

I encountered this today as well - it seems that for whatever reason, the GCP console’s JSON file can generate files which trigger this error. I had tried toggling the CRLF and it didn’t work with the invalid key. I just regenerated a key in the console and that worked fine.