Support removing clientAuth from extended key usage extension

[mdmower]

It should be possible to generate a CSR with only extendedKeyUsage=serverAuth. Currently, acme.sh hard codes extendedKeyUsage=serverAuth,clientAuth in the certificate signing request.

A use case is certificates with the CanSignHttpExchanges extension. Google does not allow clientAuth in the extended key usage field. Here's the response from https://dv-sxg.acme-v02.api.pki.goog/directory:

{
  "type":"urn:ietf:params:acme:error:badCSR",
  "detail":"SXG certificates do not support the clientAuth KeyPurposeId within the Extended Key Usage extension.",
  "requestID":"<redacted>"
}

More information:

• CAs that support CanSignHttpExchanges: https://github.com/google/webpackager/wiki/Certificate-Authorities (disregard the note about "sign up for access", it's not necessary)
• Google Trust Services, Certification Practice Statement v.5.8: Signed HTTP Exchange Certificate - this is where you can see the restriction on "extension:extkeyUsage" is that it includes id-kp-serverAuth (notice the omission of id-kp-clientAuth which is allowed by Domain Validation TLS Certificate).

Steps to reproduce

acme.sh --register-account -m "myemail@example.com" --server "https://dv-sxg.acme-v02.api.pki.goog/directory" --eab-kid "<google-cloud-keyId>" --eab-hmac-key "<google-cloud-b64MacKey>"
acme.sh --server "https://dv-sxg.acme-v02.api.pki.goog/directory" --issue -k ec-256 --dns dns_cf -d mysxg.example.com

Debug log

[Sat May  4 04:08:01 PM UTC 2024] Sign failed, finalize code is not 200.
[Sat May  4 04:08:01 PM UTC 2024] {"type":"urn:ietf:params:acme:error:badCSR","detail":"SXG certificates do not support the clientAuth KeyPurposeId within the Extended Key Usage extension.","requestID":"<redacted>"}

[github-actions]

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.