
EC keys not accepted everywhere, --key-type option hard to find in docs

Open devinlane opened this issue 4 years ago • 2 comments

This one will be easy to chalk up as PEBKAC, but here's what I ran into this evening:

  1. First time user of lego; generate wildcard cert using cloudflare dns handler. Works great.
  2. Upload cert and key to Linode Nodebalancer config. Private key is rejected as "not being formatted correctly"
  3. Try various other forms of the key, to no avail.
  4. Generate a cert using certbot, works perfectly first try.
  5. Friend discovers --key-type by reading issues and the source code.
  6. I look through docs on https://go-acme.github.io/lego/usage/cli/. See no mention of --key-type. Then we discover that the tiny "CLI help" text under usage that I had initially read right past is actually a BUTTON that shows the entire helptext.

So I guess in summary, if lego is going to default to EC384 which doesn't seem to be (yet) supported everywhere, perhaps that could be made more obvious (to me at least haha) in the examples? A single example saying "Generate RSA Keys for services that don't support EC384" might have clued me in.

Either way, thanks for lego! Working quite well now after working that out.

devinlane avatar Apr 03 '20 05:04 devinlane
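
The key-type mismatch described above is easy to catch before uploading: inspect the private key lego wrote and confirm it is the algorithm the target service accepts. The following Go program is an added example for this thread, not code from the lego project. It generates keys under the same names lego's `--key-type` flag uses (`ec256`, `ec384`, `rsa2048`, `rsa4096`), encodes them as PEM, and reports what a given PEM file actually contains. The PEM block types (`EC PRIVATE KEY`, `RSA PRIVATE KEY`, PKCS#8 `PRIVATE KEY`) are my assumption about how such tools encode keys; the inspection function accepts all three so it also works on keys produced elsewhere.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeyInfo summarises a private key so an operator can compare it against
// what the deployment target supports (e.g. "RSA only", "EC P-256 only").
type KeyInfo struct {
	Algorithm string // "RSA" or "EC"
	Bits      int    // RSA modulus size, or EC curve size
	Curve     string // EC curve name ("P-256", "P-384"); empty for RSA
}

// generatePEM creates a key for a lego-style --key-type value and returns it
// PEM-encoded. The block types used here are an assumption, not lego's code.
func generatePEM(keyType string) ([]byte, error) {
	switch keyType {
	case "ec256", "ec384":
		curve := elliptic.P256()
		if keyType == "ec384" {
			curve = elliptic.P384()
		}
		k, err := ecdsa.GenerateKey(curve, rand.Reader)
		if err != nil {
			return nil, err
		}
		der, err := x509.MarshalECPrivateKey(k)
		if err != nil {
			return nil, err
		}
		return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
	case "rsa2048", "rsa4096":
		bits := 2048
		if keyType == "rsa4096" {
			bits = 4096
		}
		k, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		der := x509.MarshalPKCS1PrivateKey(k)
		return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), nil
	default:
		return nil, fmt.Errorf("unknown key type %q", keyType)
	}
}

// inspectPEM parses the first PEM block and reports the key's algorithm,
// size and (for EC) curve, handling SEC1, PKCS#1 and PKCS#8 encodings.
func inspectPEM(data []byte) (KeyInfo, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return KeyInfo{}, errors.New("no PEM block found")
	}
	switch block.Type {
	case "EC PRIVATE KEY":
		k, err := x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			return KeyInfo{}, err
		}
		return KeyInfo{Algorithm: "EC", Bits: k.Curve.Params().BitSize, Curve: k.Curve.Params().Name}, nil
	case "RSA PRIVATE KEY":
		k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return KeyInfo{}, err
		}
		return KeyInfo{Algorithm: "RSA", Bits: k.N.BitLen()}, nil
	case "PRIVATE KEY":
		// PKCS#8 wrapper: the algorithm is inside, so branch on the parsed type.
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return KeyInfo{}, err
		}
		switch k := key.(type) {
		case *ecdsa.PrivateKey:
			return KeyInfo{Algorithm: "EC", Bits: k.Curve.Params().BitSize, Curve: k.Curve.Params().Name}, nil
		case *rsa.PrivateKey:
			return KeyInfo{Algorithm: "RSA", Bits: k.N.BitLen()}, nil
		default:
			return KeyInfo{}, fmt.Errorf("unsupported PKCS#8 key type %T", key)
		}
	default:
		return KeyInfo{}, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

func main() {
	// Show what each --key-type value produces; rsa4096 is omitted only for speed.
	for _, kt := range []string{"ec256", "ec384", "rsa2048"} {
		pemBytes, err := generatePEM(kt)
		if err != nil {
			panic(err)
		}
		info, err := inspectPEM(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s -> %+v\n", kt, info)
	}
}
```

Running `inspectPEM` over the `.key` file lego produced tells you immediately whether you are holding an EC P-384 key or an RSA one; a target that only accepts RSA is then a reason to re-run lego with `--key-type rsa2048` rather than to keep reformatting the same key.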

The "CLI help" button is already gone, and #1163 could fix the documentation issue. Your feedback on that PR is much appreciated.

The P384 curve is part of the NSA suite B, so if your implementation claims to support ECC keys, it will at least support both P256 and P384 (P521 was discussed for a while but then dropped by Chrome and Firefox). Anyway, Lego v4 (just released) changed the default to P256.

dmke avatar Sep 02 '20 18:09 dmke

I ran into the same problem, but in my case I'm using a Synology which doesn't support ECC at all. :( Thanks for the pro-tip though @devinlane!

jwalton avatar Nov 18 '20 20:11 jwalton