This repository was archived by the owner on Jun 1, 2025. It is now read-only.
Error in Ledger SatStack: “tls: failed to verify certificate: x509: ‘bitcoind.embassy’ certificate is using a broken key size” #141
Open
Description
I encountered an issue while attempting to connect Ledger SatStack to my Start9 Bitcoin node. The application displays the following error:
tls: failed to verify certificate: x509: "bitcoind.embassy" certificate is using a broken key size
Steps Taken:
- Certificate Installation: The node’s leaf certificate has been installed in Keychain Access on macOS and marked as Always Trusted.
- Other Wallets: Other wallets (e.g., Sparrow, Electrum) connect to the same Bitcoin node over HTTPS without any issues.
- Ledger SatStack Configuration: The application was configured to connect to the node using HTTPS.
Observations:
- The certificate uses the ED25519 algorithm with a 256-bit key size, which is widely recognized as secure. However, the error suggests the key size is considered “broken,” which might indicate a compatibility issue in the libraries used by Ledger SatStack.
- The issue might stem from an outdated version of Go or OpenSSL, as older versions lack support for ED25519 certificates.
Steps to Reproduce:
- Install the Bitcoin node’s leaf certificate in Keychain Access and mark it as Always Trusted.
- Configure Ledger SatStack to connect to the Bitcoin node over HTTPS.
- Start SatStack and attempt to make a connection to the node.
Expected Behavior:
Ledger SatStack successfully connects to the Bitcoin node, as other wallets do.
Actual Behavior:
Ledger SatStack fails with the error:
tls: failed to verify certificate: x509: "bitcoind.embassy" certificate is using a broken key size.
Additional Information:
- Operating System: macOS
- Certificate Algorithm: ED25519
- Other Applications: Successfully connect to the same node over HTTPS
Thank you!
```
openssl x509 -in bitcoind.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            89:13:8e:69:f5:5f:87:c3
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=StartOS Local Intermediate CA, O=Start9, OU=StartOS
        Validity
            Not Before: Jan 11 20:49:42 2025 GMT
            Not After : Feb 13 20:49:42 2026 GMT
        Subject: CN=bitcoind.embassy, O=Start9, OU=StartOS
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    5b:6b:30:ed:72:01:8e:00:95:d8:3a:0e:3f:78:21:
                    82:8c:5b:1b:a9:51:c4:6e:c8:4e:9e:6f:9f:2a:e6:
                    81:9d
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                07:02:23:9F:B4:63:5A:0A:44:87:F7:59:D9:CD:7D:FE:FD:DF:E7:35
            X509v3 Authority Key Identifier:
                keyid:4B:B8:DF:74:91:84:E5:E2:4A:15:05:BE:3C:EC:88:4A:00:64:DD:7D
                DirName:/CN=bald-gun Local Root CA/O=Start9/OU=StartOS
                serial:74:37:B4:37:BD:D5:42:30
            X509v3 Subject Alternative Name:
                DNS:bitcoind.embassy, DNS:*.bitcoind.embassy, DNS:ln**REDACTED**qd.local, DNS:*.ln**REDACTED**qd.local, DNS:ln**REDACTED**qd.onion, DNS:*.ln**REDACTED**qd.onion, IP Address:10.0.20.231, IP Address:172.18.0.5
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:46:02:21:00:d0:4d:dc:1f:5c:bd:10:f6:a5:99:35:8e:53:
        46:9d:dd:e9:2b:fb:65:72:a4:c9:01:99:56:69:16:cb:dc:92:
        05:02:21:00:ba:ab:da:02:63:89:3a:8b:62:d1:91:5e:9e:fc:
        1e:fa:2e:e1:a9:b4:7c:b1:b3:06:c1:08:31:ca:57:94:2c:84
```
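To help narrow down where an error like this comes from, the following added example (not part of the original issue and not SatStack's code) checks whether Go's `crypto/x509` verifier accepts a chain shaped like the one in the dump, an ECDSA-signed leaf carrying an Ed25519 key, when the root is supplied in an explicit pool rather than taken from the OS trust store. The CA, the keys and the function names are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // abort on setup failures (key generation, signing)
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl under parent with the CA key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub interface{}, caKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// VerifyEd25519Leaf verifies a constructed ECDSA-CA/Ed25519-leaf chain against an explicit root pool.
func VerifyEd25519Leaf() (x509.PublicKeyAlgorithm, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	start, end := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: start, NotAfter: end, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "bitcoind.embassy"},
		NotBefore: start, NotAfter: end, DNSNames: []string{"bitcoind.embassy"}, KeyUsage: x509.KeyUsageDigitalSignature}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := issue(leafTmpl, ca, leafPub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // explicit trust anchor, so the OS trust store is not consulted
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "bitcoind.embassy"})
	return leaf.PublicKeyAlgorithm, err
}

func main() { fmt.Println(VerifyEd25519Leaf()) }
```

If this check passes on the affected machine while the application still fails, the rejection is happening somewhere other than Go's own chain verification with explicit roots.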