certificate signature algorithm

Discussion in 'Installation/Configuration' started by bmeirelles, Aug 27, 2023.

  1. bmeirelles

    bmeirelles New Member

    Hello,
    How do I use the certificates with --key-type ecdsa --elliptic-curve secp384r1 ?
    Which file should I change to?
    Thanks.
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As far as I know, if you want an EC certificate from Let's Encrypt, you need to create your own certificate, and then ask Let's Encrypt to sign it using your LE client's DNS server plugin, but your LE client version must support it. Neither this nor the DNS challenge is supported by ISPConfig yet. You can do a dry run to test that manually, but to know which file to change you would have to learn that by yourself, as there is definitely no easy way.

    Read: https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc
     
  3. pyte

    pyte Well-Known Member HowtoForge Supporter

    That depends on what you are using. If you are using certbot, you need to configure it as described here:
    https://eff-certbot.readthedocs.io/en/stable/using.html#config-file

    If you are using acme.sh you need to set "Le_Keylength='ec-384'" in the configuration file for the domain for example in /root/.acme.sh/domain.tld/domain.tld.conf
     
    ahrasis likes this.
  4. bmeirelles

    bmeirelles New Member

    Hi Ahrasis,

    Both certbot and acme.sh use ECDSA by default. Is there a reason for ispconfig to use rsa?
    https://community.letsencrypt.org/t...-other-upcoming-changes-in-certbot-2-0/177013
    https://github.com/acmesh-official/acme.sh#:~:text=ec-256 (prime256v1, ",is the default key type)

    On another dedicated web server I am creating as follows:

    certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ --key-type ecdsa --elliptic-curve secp384r1 --reuse-key --staple-ocsp -d mydomain.com

    In ispconfig I found the file /usr/local/ispconfig/server/lib/classes/letsencrypt.inc.php with the information --keylength 4096 but I don't know if it works
     
  5. bmeirelles

    bmeirelles New Member

    Hi Pyte,
    I don't know which one I'm using. I did a new installation of ispconfig and in the site configuration, I checked the 2 options, ssl and letsencrypt.
    I found some configuration parameters in the file vim /usr/local/ispconfig/server/lib/classes/letsencrypt.inc.php but I haven't tested it yet
     
  6. pyte

    pyte Well-Known Member HowtoForge Supporter

    Just check if /root/.acme.sh/ is present or not.

    That's not a good idea. See https://forum.howtoforge.com/threads/letsencrypt-ecc-certificates-with-ispconfig.83692/ which has some insights. It's a bit older, but just changing it there will cause trouble.
     
  7. bmeirelles

    bmeirelles New Member

    Hi pyte,
    The file exists and I changed it. How do I apply and regenerate the certificate?
    Is only "acme.sh --renew -d mydomain.com --force" and reloading nginx sufficient?
    Thank you
     
  8. bmeirelles

    bmeirelles New Member


    The way you explained it doesn't work.

    I managed to make the ECC certificate by changing lines 77 and 171 of the /usr/local/ispconfig/server/lib/classes/letsencrypt.inc.php file, but the site continues to open with the old certificate.

    This must be happening because the new certificate goes into a new folder ending in _ecc, /root/.acme/mydomain.com_ecc, so ispconfig cannot find this new folder ending in _ecc and copy the new certificates to /var/www/clients/client0/web1/ssl/

    Copying the certificates to the folder manually and restarting nginx worked, but I will have a problem with automatic renewal.

    Ideally, the developers would adjust to the folder ending in _ecc so that we can use the modern signature.

    I'll try to think of some way to update automatically by cron or systemd, but maybe I can't, because I'm a user, not a programmer.

    If someone with more experience knows and can help, any help is welcome.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    About the folders, as far as I know the ISPConfig developers are mainly using the default settings of acme.sh and did not customize them, therefore custom folders are also not set.

    I do not want to advocate too much for custom changes either, since my knowledge of acme.sh is not deep enough, though I did suggest the creation of customized folders for ISPConfig (fearing structural changes in acme.sh in the future) as well as ditching the acme.sh install command for a bash symlink command instead.

    I haven't been actively supporting ISPConfig with new ideas or code with regard to Let's Encrypt because I think the current ones are working just fine, and coding for both certbot and acme.sh upgrades will require a lot of time.

    For now, I can't give my time; however, @Th0m already started that and with help from many he might finish them early.

    You may also want to check if there are already feature requests for this and related ones, and maybe get involved to help improve what we already have.
     
    Last edited: Aug 29, 2023
    pyte likes this.
  10. pyte

    pyte Well-Known Member HowtoForge Supporter

    That was just an idea based on the documentation of acme. However, as @ahrasis already said, I don't encourage custom changes to ISPConfig either, as they will be overwritten on updates and may cause issues that cannot be estimated.
     
  11. bmeirelles

    bmeirelles New Member

    Hi ahrasis,

    ispconfig uses the original acme.sh folders, and I think that's right.

    What happens is that here acme.sh decided to use a folder with a final _ecc to keep the 2 types of certificates.
    https://github.com/acmesh-official/acme.sh/pull/262

    Here they started to use ECC by default, and then the folders ended with _ecc
    https://github.com/acmesh-official/acme.sh/commit/ec0e871592d286b8cd4e1d407411f0ba17c775e6

    And this broke ispconfig,
    https://forum.howtoforge.com/threads/acme-sh-ecc-sufix.90093/

    Fixed by keeping the old key size, to continue using the rsa folder:
    https://git.ispconfig.org/ispconfig...t_id=39b6810cf9c42713fe543120e5d03a393a6f32ab

    Maybe it would be better to adjust to use the _ecc folder, or define the name of the folder.

    I would like to help and send the fixes, but I am not a programmer, I understand more about networking, I routed the ips of 2 oracle instances by vpn to the proxmox of my homelab and I am testing some panels to host my website and the best I found was the ispconfig. I can help by testing and suggesting improvements, my programming knowledge is limited.

    I opened a request in gitlab yesterday, any day browsers start supporting eddsa

    Hugs,

    Bruno
     
  12. bmeirelles

    bmeirelles New Member

    Hi Pyte,

    You're right, but developers should read our conversations. I'm just doing some tests, I only have 1 domain hosted, if there is any problem I restore the snapshot of the vm
     
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Just to share with others that since version 2.0, Certbot by default is already issuing ECDSA for new LE SSL certs but will not update existing LE SSL certs to ECDSA type.

    For those who have certbot 2.0 in their ISPConfig server (those using the snapd install are normally already updated to version 2.0), to get the ECDSA LE SSL certs, they will need to delete the existing certs (e.g. certbot delete intended.domain.tld) in the terminal and then untick and re-tick the Let's Encrypt button in the web settings. The resync tool may or may not work, but my basic test shows the resync tool works too.

    This is verified and will only work with certbot 2.0 and above.
     
    Last edited: Aug 30, 2023
    pyte and till like this.
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I have an afterthought for Certbot 2.0, because other than the suggested approach above, there is one other way that may work i.e. via renewal of the certs.

    Thus, those who hesitate to delete the existing LE SSL certs because it may temporarily break the website etc. may want to try changing the domain's renewal conf file, in the renewal param section, from "rsa_key_size = 4096" to "elliptic_curve = secp256r1" and adding "key_type = ecdsa" to its end.

    The said code should be in /etc/letsencrypt/renewal/domain.tld.conf. Example:
    Code:
    [renewalparams]
    ...
    elliptic_curve = secp256r1
    ...
    ...
    key_type = ecdsa
    
    I have not tested this, but from my experience it will work on the renewal of the existing LE SSL certs, thus in this case changing them to ECDSA type with the selected EC key strength, which can vary between 256, 384 and 512.

    I used 256 in my above example as it is the default and most backward compatible but some say 384 is the best for modern browsers, so it is up to you to decide, since these are manual approaches to migrate to the latest ECDSA type for your LE SSL certs.

    Again this is not tested.
     
    Last edited: Aug 30, 2023
    till likes this.
  15. bmeirelles

    bmeirelles New Member

    Hi Ahrasis,

    According to the documentation it works. (if ispconfig command does not pass any parameters)

    "If you want to use ECDSA keys for all certificates in the future (including renewals of existing certificates), you can add the following line to Certbot’s configuration file:
    key-type = ecdsa
    which will take effect upon the next renewal of each certificate."

    https://eff-certbot.readthedocs.io/en/stable/using.html#:~:text=The type of key used,the size of RSA keys.

    For today secp256r1 is enough; secp384r1 and secp521r1 are future proof, but any day Chrome and Mozilla start to pressure the CA/B Forum (that's who decides) for these certification authorities to adopt EdDSA.

    Thanks a lot for your help so far.
     
    Last edited: Aug 30, 2023
  16. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As far as I know, the certbot renewal command set in the daily nightly cron by ISPConfig comes without any parameters, thus yes, it probably should work, in theory, but a proper test is better to verify it.

    As for acme.sh, if my memory still serves me well, it runs its own cron, which is not set by ISPConfig.

    Do check with the code and the Developers to confirm all of that.
     
    bmeirelles likes this.
  17. bmeirelles

    bmeirelles New Member

    I have an issue open in git checking with them; acme.sh is not supported for now, they will fix it.
     
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I already noted that though I think the developers will need to study the folder structure for acme.sh before they can proceed to support that as well.

    In the meantime, for an ISPConfig server with certbot 2.0, I wrote a short script for the upgrade that you can run in your /etc/letsencrypt/renewal folder to change all occurrences of "rsa_key_size = 4096" in the renewal conf files to "elliptic_curve = secp256r1" and add to its end "key_type = ecdsa", which is as follows:
    Code:
    # Get into the Let's Encrypt Renewal Configurations directory
    cd /etc/letsencrypt/renewal/
    
    # Search and replace rsa_key_size = 4096 to elliptic_curve = secp256r1 in all files
    # (xargs -r: do not run sed at all when grep lists no file)
    grep -rl 'rsa_key_size = 4096' *.conf | xargs -r sed -i "s/rsa_key_size = 4096/elliptic_curve = secp256r1/g"
    
    # Add "key_type = ecdsa" if it does not exist at the end of respective conf files
    grep -RiL 'key_type = ecdsa' *.conf | xargs -r sed -i '$s/$/\nkey_type = ecdsa/g'
    
    Hopefully this is useful for bulk changes and upgrades to ECDSA type with EC 256 key strength. Though if you need higher strength just change it to 384 or 512, whichever you prefer it to be.
     
    bmeirelles likes this.
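
An added example, not part of any post in this thread: a variant of the bulk edit that goes one step further and writes `key_type` and `elliptic_curve` inside `[renewalparams]` instead of at the end of the file, because a renewal file for a webroot certificate can end with a nested `[[webroot_map]]` section, where an appended line would land. The function names, the `.bak-rsa` suffix and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread; function names are hypothetical.

# Rewrite one certbot renewal file so [renewalparams] requests an ECDSA key.
# $1 = renewal .conf file, $2 = curve name (default secp256r1)
migrate_renewal_conf() {
    conf=$1; curve=${2:-secp256r1}
    grep -q '^\[renewalparams\]' "$conf" || return 1   # not a renewal file
    tmp=$(mktemp) || return 1
    awk -v curve="$curve" '
        function emit() { print "key_type = ecdsa"; print "elliptic_curve = " curve }
        /^\[renewalparams\]/ { in_params = 1; print; next }
        # Any later section header, e.g. [[webroot_map]], ends the flat options.
        /^\[/ && in_params { emit(); in_params = 0 }
        # Drop old key settings; emit() writes the new ones exactly once.
        in_params && /^(rsa_key_size|key_type|elliptic_curve)[ \t]*=/ { next }
        { print }
        END { if (in_params) emit() }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep the first original for rollback; later runs must not overwrite it.
    [ -e "$conf.bak-rsa" ] || cp -p "$conf" "$conf.bak-rsa"
    cat "$tmp" > "$conf"    # overwrite in place so mode and owner are kept
    rm -f "$tmp"
}

# Constructed sample in the layout of a webroot-authenticated renewal file.
write_sample_conf() {
    cat > "$1" <<'EOF'
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/domain.tld

[renewalparams]
authenticator = webroot
rsa_key_size = 4096
[[webroot_map]]
domain.tld = /var/lib/letsencrypt/
EOF
}

# Demo on a scratch directory; for real use loop over /etc/letsencrypt/renewal/*.conf
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/domain.tld.conf"
for f in "$demo_dir"/*.conf; do
    migrate_renewal_conf "$f" secp384r1 && echo "migrated: $f"
done
cat "$demo_dir/domain.tld.conf"
```

Running it a second time leaves the file unchanged and keeps the first backup, so it can be repeated safely before checking the result with a certbot dry run.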
