If you try to generate a LetsEncrypt TLS certificate with EC-521, it will fail with the following error:
Cannot Execute Your Request
Details
<date><time> Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp: lookup acme-v02.api.letsencrypt.org on 127.0.0.1:53: server misbehaving
Certificate generation failed.
That's because LetsEncrypt does not support secp521r1 anymore. According to the LetsEncrypt integration guide:
Let’s Encrypt accepts RSA keys from 2048 to 4096 bits in length, and P-256 and P-384 ECDSA keys.
Chromium also does not support secp521r1, so even if it's somehow possible to generate such a cert, it's not of much use in the real world, as both Edge and Chrome will not work with it.
I suggest that DA should stop providing support for EC-521. It misleads the customers to choose it (they are thinking that the greater number means better security) and... it doesn't work, so they call support.
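
A pre-flight check for the key-type limits quoted above, as an added example that is not part of the original post or DirectAdmin's code. It reads the algorithm and curve OIDs from a DER SubjectPublicKeyInfo and applies the quoted policy; the function names are hypothetical and the sample keys are constructed with placeholder key material.

```python
OID_EC = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey
OID_RSA = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
CURVES = {bytes.fromhex("2a8648ce3d030107"): "P-256",   # prime256v1
          bytes.fromhex("2b81040022"): "P-384",         # secp384r1
          bytes.fromhex("2b81040023"): "P-521"}         # secp521r1

def read_tlv(buf, pos=0):  # -> (tag, content, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_type(spki):  # names the key in a DER SubjectPublicKeyInfo, e.g. 'P-384'
    _, body, _ = read_tlv(spki)                 # outer SEQUENCE
    _, alg, after_alg = read_tlv(body)          # AlgorithmIdentifier
    _, oid, after_oid = read_tlv(alg)
    if oid == OID_EC:
        return CURVES.get(read_tlv(alg, after_oid)[1], "unknown-curve")
    if oid == OID_RSA:
        _, bits, _ = read_tlv(body, after_alg)  # BIT STRING, first byte = unused bits
        _, rsa_key, _ = read_tlv(bits[1:])      # SEQUENCE { modulus, exponent }
        return "RSA-%d" % int.from_bytes(read_tlv(rsa_key)[1], "big").bit_length()
    return "unknown-algorithm"

def accepted(name):
    """Policy as quoted on this page: RSA 2048 to 4096 bits, P-256 and P-384."""
    if name.startswith("RSA-"):
        return 2048 <= int(name[4:]) <= 4096
    return name in ("P-256", "P-384")

# --- constructed sample keys: real DER structure, placeholder key material ---
def tlv(tag, content):
    n, size = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_ec(curve_oid, coord_len):
    point = b"\x00\x04" + bytes(2 * coord_len)  # placeholder, not a real curve point
    return tlv(0x30, tlv(0x30, tlv(6, OID_EC) + tlv(6, curve_oid)) + tlv(3, point))

def sample_rsa(bits):
    modulus = b"\x00" + b"\xff" * (bits // 8)   # placeholder modulus of the given size
    key = tlv(0x30, tlv(2, modulus) + tlv(2, b"\x01\x00\x01"))
    return tlv(0x30, tlv(0x30, tlv(6, OID_RSA) + tlv(5, b"")) + tlv(3, b"\x00" + key))

if __name__ == "__main__":
    for spki in (sample_ec(bytes.fromhex("2b81040023"), 66), sample_rsa(2048)):
        print(key_type(spki), "accepted" if accepted(key_type(spki)) else "rejected")
```

For a real key, the DER input can be produced with `openssl pkey -in privkey.pem -pubout -outform DER`.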