
FXServer (FiveM) does not support EC certificates for TLS #2390

Closed
mcdnl90 opened this issue Feb 13, 2024 · 3 comments

@mcdnl90

mcdnl90 commented Feb 13, 2024

What happened?

Hello,

I've been trying to use the EC certificate that Caddy (HTTP server) generates with its automation, but it looks like the current version
of FXServer (7436) doesn't support it. It's a wildcard certificate, generated by the default config of Caddy's TLS module, using DNS validation, with GoDaddy as service provider.

It prints out this error:

[ STDERR] PKCS #8 private key decoding failed with PKCS #8: Unknown PEM label EC PRIVATE KEY

Expected result

Certificate loads and works

Reproduction steps

  1. Set up Caddy with automatic TLS for a wildcard (*.example.com).
    Caddyfile content, with domain replaced by example.com:
*.example.com {
    tls {
        dns godaddy {env.GODADDY_TOKEN}
    }

    @play host play.example.com
    handle @play {
        reverse_proxy localhost:30120
        header X-Real-IP {remote}
    }

    @admin host admin.example.com
    handle @admin {
        reverse_proxy localhost:40120
    }
}

Certificate generated, with identifying data redacted:

$ openssl x509 -in cert.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <redacted>
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
        Validity
            Not Before: Feb  8 00:00:00 2024 GMT
            Not After : May  8 23:59:59 2024 GMT
        Subject: CN = <redacted>
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    <redacted>
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                0F:6B:E6:4B:CE:39:47:AE:F6:7E:90:1E:79:F0:30:91:92:C8:5F:A3
            X509v3 Subject Key Identifier: 
                <redacted>
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.78
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            Authority Information Access: 
                CA Issuers - URI:http://zerossl.crt.sectigo.com/ZeroSSLECCDomainSecureSiteCA.crt
                OCSP - URI:http://zerossl.ocsp.sectigo.com
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : <redacted>
                    Timestamp : Feb  8 19:00:56.584 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                <redacted>
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : <redacted>
                    Timestamp : Feb  8 19:00:56.768 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                <redacted>
            X509v3 Subject Alternative Name: 
                DNS:<redacted>
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        <redacted>
  2. Replace:
  • FXServer/server/alpine/opt/cfx-server/server-tls.crt
  • FXServer/server/alpine/opt/cfx-server/server-tls.key
  3. Restart server.

Importancy

Slight inconvenience

Area(s)

FiveM, FXServer

Specific version(s)

7436

Additional information

Running on Linux, Ubuntu 22.04 LTS x86_64, as a non-privileged user.

@mcdnl90 mcdnl90 added bug triage Needs a preliminary assessment to determine the urgency and required action labels Feb 13, 2024
@mcdnl90 mcdnl90 changed the title FXServer (FiveM) not support EC certificates for TLS FXServer (FiveM) does not support EC certificates for TLS Feb 13, 2024
@blattersturm
Contributor

blattersturm commented Feb 13, 2024 via email

@mcdnl90
Author

mcdnl90 commented Feb 13, 2024

> Can you check if this works if you convert the key to PKCS#8 format? As https://forum.cfx.re/t/how-to-replace-the-server-tls-certificate-with-your-own/162155 implies, "BEGIN RSA PRIVATE KEY" isn't supported either, so this isn't something specific to EC.

Hello,

Yes, thanks, that works.
But this would break the automation as I can't use the default files it generates, meaning I'd have to convert the key manually on each update. I could set up a cron for this, but the ideal scenario would be having the ability to use the key as-is.
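The conversion discussed in this comment (traditional PEM to PKCS#8), as an added example that is not part of the thread and not FXServer or Caddy code: it re-wraps the DER of a SEC1 "EC PRIVATE KEY" (RFC 5915) or a PKCS#1 "RSA PRIVATE KEY" into a PKCS#8 PrivateKeyInfo (RFC 5208), so the PEM label becomes "PRIVATE KEY", the only label the loader in the error message above recognises. It uses only the Python standard library; the sample key is constructed (a dummy scalar on P-256, not a real key), only named-curve EC parameters and unencrypted keys are handled, and all function and constant names are mine.

```python
"""Wrap a traditional PEM private key (SEC1 "EC PRIVATE KEY" or PKCS#1
"RSA PRIVATE KEY") into PKCS#8 "PRIVATE KEY". Added example; not FXServer/Caddy code."""
import base64
import re

# DER object identifier contents, pre-encoded
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")      # 1.2.840.10045.2.1
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")       # 1.2.840.10045.3.1.7 (P-256)

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_CTX0, TAG_CTX1 = 0xA0, 0xA1  # [0] parameters and [1] publicKey in RFC 5915 ECPrivateKey

def der_encode(tag, body):
    """One TLV with a definite length (short form below 128, long form above)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body

def der_decode(buf, pos=0):
    """Decode the TLV at pos; returns (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        nb = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), pos + 2 + nb
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def der_children(contents):
    """Split a constructed value's contents into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, child, pos = der_decode(contents, pos)
        out.append((tag, child))
    return out

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def sec1_to_pkcs8(sec1):
    """RFC 5915 ECPrivateKey -> RFC 5208 PrivateKeyInfo (unencrypted)."""
    tag, contents, _ = der_decode(sec1)
    if tag != TAG_SEQUENCE:
        raise ValueError("ECPrivateKey must be a SEQUENCE")
    fields = dict(der_children(contents))  # the four field tags are distinct
    if fields.get(TAG_INTEGER) != b"\x01" or TAG_OCTET_STRING not in fields:
        raise ValueError("not an ECPrivateKey v1 with a privateKey field")
    if TAG_CTX0 not in fields or der_decode(fields[TAG_CTX0])[0] != TAG_OID:
        raise ValueError("need namedCurve parameters to fill the AlgorithmIdentifier")
    curve_oid = der_decode(fields[TAG_CTX0])[1]
    # The curve moves to the outer AlgorithmIdentifier; the inner key keeps
    # version, scalar and (if present) the public point, as OpenSSL emits it.
    inner = der_encode(TAG_INTEGER, b"\x01") + der_encode(TAG_OCTET_STRING, fields[TAG_OCTET_STRING])
    if TAG_CTX1 in fields:
        inner += der_encode(TAG_CTX1, fields[TAG_CTX1])
    alg = der_encode(TAG_SEQUENCE, der_encode(TAG_OID, OID_EC_PUBLIC_KEY) + der_encode(TAG_OID, curve_oid))
    return der_encode(TAG_SEQUENCE, der_encode(TAG_INTEGER, b"\x00") + alg
                      + der_encode(TAG_OCTET_STRING, der_encode(TAG_SEQUENCE, inner)))

def pkcs1_to_pkcs8(rsa):
    """PKCS#1 RSAPrivateKey -> PrivateKeyInfo: the whole structure is wrapped as-is."""
    alg = der_encode(TAG_SEQUENCE, der_encode(TAG_OID, OID_RSA_ENCRYPTION) + der_encode(TAG_NULL, b""))
    return der_encode(TAG_SEQUENCE, der_encode(TAG_INTEGER, b"\x00") + alg + der_encode(TAG_OCTET_STRING, rsa))

def to_pkcs8_pem(pem):
    """Return a PKCS#8 PEM for any of the three labels; encrypted keys are rejected."""
    label, der = pem_decode(pem)
    if label == "PRIVATE KEY":
        return pem
    if label == "EC PRIVATE KEY":
        return pem_encode("PRIVATE KEY", sec1_to_pkcs8(der))
    if label == "RSA PRIVATE KEY":
        return pem_encode("PRIVATE KEY", pkcs1_to_pkcs8(der))
    raise ValueError(f"unsupported PEM label {label!r}")

def pkcs8_curve_oid(pkcs8):
    """Read the curve OID back out of a PrivateKeyInfo, to check a conversion."""
    alg = der_children(der_decode(pkcs8)[1])[1][1]
    return der_children(alg)[1][1]

# Constructed sample: a SEC1 P-256 key with a dummy scalar (bytes 1..32). Not a real key.
SAMPLE_SCALAR = bytes(range(1, 33))
SAMPLE_SEC1_PEM = pem_encode("EC PRIVATE KEY", der_encode(TAG_SEQUENCE,
    der_encode(TAG_INTEGER, b"\x01") + der_encode(TAG_OCTET_STRING, SAMPLE_SCALAR)
    + der_encode(TAG_CTX0, der_encode(TAG_OID, OID_PRIME256V1))))

if __name__ == "__main__":
    print(to_pkcs8_pem(SAMPLE_SEC1_PEM))
```

Running it prints the PKCS#8 PEM for the sample key. On a real installation the same transformation is what `openssl pkcs8 -topk8 -nocrypt -in server-tls.key -out server-tls.pkcs8.key` produces, and either can run from a post-renewal hook instead of the cron mentioned above. Whichever tool does the conversion, the private scalar is copied unchanged into the new file, so create the output with owner-only permissions (mode 0600) before copying it into the cfx-server directory.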

@mcdnl90
Author

mcdnl90 commented Feb 13, 2024

Thinking of it, if the rotation process doesn't generate a new key, it shouldn't be an issue, but I don't know the actual behaviour.
I'll check the Caddy plugin.

@mcdnl90 mcdnl90 closed this as completed Feb 14, 2024
@github-actions github-actions bot removed the triage Needs a preliminary assessment to determine the urgency and required action label Feb 14, 2024