As ECDSA/ECC certificates are becoming more and more common, and both Certbot and acme.sh support them, and both Apache and Nginx support ECDSA and RSA side by side, it should become the next standard to enroll and implement both certificate types in websites when 'Let's Encrypt' gets checked within ISPConfig. I already use both certificate types side by side on a non-ISPConfig server, which works like a charm. It shouldn't be too difficult to do the same in ISPConfig.
This is what I learned so far. If you can explain how this is done and how it works, maybe some of us can have a try first.
Just duplicate the lines about the certificate in your web config. Based on the SSL cipher the client and server agree to use, you'll get the ECC or RSA certificate. In my case most clients will get ECC because ECDSA ciphers are preferred by the server, and older clients will get RSA. Here is an example from an nginx webserver I'm using:

Code:
```nginx
# ECDSA certificate
ssl_certificate "/pathtocerts/domain_ecc/domain.cer";
ssl_certificate_key "/pathtocerts/domain_ecc/domain.key";
# RSA certificate
ssl_certificate "/pathtocerts/domain/domain.cer";
ssl_certificate_key "/pathtocerts/domain/domain.key";
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
```

Apache works about the same way. I've read some stories about problems with certificate chains. On Apache they apparently need to be the same, but that shouldn't be an issue as the chain is the same when enrolled by acme.sh or certbot, at least when using Let's Encrypt.
Thank you for sharing. It seems easy enough to be implemented without a need to wait for ISPConfig 3.3, at least if the ISPConfig developers are in agreement. I'll check that out and test them before writing the necessary modifications to ISPConfig letsencrypt files on my level. By the way, what is the exact command you use to issue the ecdsa/ecc LE certs as that would be useful too in writing the mods.
It's just a matter of running certbot or acme.sh twice. For acme.sh it's as easy as running the command with --keylength 4096 (which is ISPConfig's default if I'm not mistaken) for RSA, and again for ECDSA with --keylength ec-384 (or another size). When using certbot it's --key-type rsa --rsa-key-size 4096 and --key-type ecdsa --elliptic-curve secp384r1. Regarding certbot, you do need to build in a version check I think. Ubuntu's default certbot package (which is the distro I use) is way, way old!! Version 0.40.0. Certbot supports ECDSA since version 1.10. Newer certbot versions are easy to install using snap, for example. I have no clue about certbot packages in other Linux distros. Also the webserver version needs to be modern enough: Apache 2.4.8 or above and Nginx 1.11.0 or above.
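The "run the client twice" procedure plus the certbot version gate from the post above, as an added POSIX sh example that is not from the thread, ISPConfig, acme.sh or certbot. The functions only parse a version string and print the two issuance commands, so you can review them before piping to `sh`; the domain, webroot path and the `-rsa`/`-ecdsa` lineage suffixes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): gate ECDSA issuance on the certbot
# version and print the two commands needed for a dual RSA + ECDSA setup.

# certbot_version_from_output "certbot 1.21.0" -> prints "1.21.0"
# (the last whitespace-separated word of `certbot --version` output)
certbot_version_from_output() {
    echo "${1##* }"
}

# certbot_supports_ecdsa VERSION -> exit 0 if VERSION >= 1.10, else 1
# Version strings are assumed to look like MAJOR.MINOR[.PATCH].
certbot_supports_ecdsa() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # refuse anything that is not purely numeric (empty string, "unknown", ...)
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 10 ] && return 0
    return 1
}

# le_issue_commands CLIENT DOMAIN WEBROOT
#   prints the RSA-4096 and ECDSA-P384 issuance commands for acme.sh or certbot.
#   For certbot, --cert-name keeps the two lineages apart: without it the
#   second run would act on the lineage named after DOMAIN instead of creating
#   a second one. The "-rsa"/"-ecdsa" suffixes are an assumed naming scheme.
le_issue_commands() {
    client=$1; domain=$2; webroot=$3
    case "$client" in
        acme.sh)
            echo "acme.sh --issue -d '$domain' -w '$webroot' --keylength 4096"
            echo "acme.sh --issue -d '$domain' -w '$webroot' --keylength ec-384"
            ;;
        certbot)
            echo "certbot certonly --webroot -w '$webroot' -d '$domain' --key-type rsa --rsa-key-size 4096 --cert-name '$domain-rsa'"
            echo "certbot certonly --webroot -w '$webroot' -d '$domain' --key-type ecdsa --elliptic-curve secp384r1 --cert-name '$domain-ecdsa'"
            ;;
        *)
            echo "unknown client: $client" >&2
            return 1
            ;;
    esac
}

# Typical use (certbot branch guarded by the version check):
#   v=$(certbot_version_from_output "$(certbot --version 2>&1)")
#   if certbot_supports_ecdsa "$v"; then
#       le_issue_commands certbot example.com /var/www/example.com | sh
#   else
#       echo "certbot $v predates ECDSA support (1.10); upgrade first" >&2
#   fi
```

For acme.sh the later `--install-cert` / renew calls need `--ecc` to address the P-384 lineage, which is why keeping the two key types in separate directories (as in the nginx config earlier in the thread) is the least error-prone layout.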
I am running both in parallel with ISPC. I documented my effort here: https://www.howtoforge.com/communit...ertificates-with-ispconfig.83692/#post-400168 It has improved a bit since then, but basically I do what you said: run acme.sh twice, place both certificates in webroot/ssl and add the two lines in the Apache config. And not only Apache, also Postfix and Dovecot support ECC and RSA keys in parallel.
I'll look into that for my own servers. When ECDSA is implemented, I suggest letting the user choose between Let's Encrypt's RSA, ECDSA or both certificates in ISPConfig's GUI using checkboxes, as is done with the DNSSEC algorithm. Mainly because most users won't have LE ECDSA certificates enrolled yet and maybe don't want to for whatever reason. And I don't think you should want to enroll LE ECDSA certificates next to existing LE RSA certificates during the upgrade process of ISPConfig. Just let the users enroll LE ECDSA certificates themselves if they want to after they've upgraded their ISPConfig.
It's difficult with checkboxes because services do not start up if a certificate is missing. Apache/Nginx use generic templates for all users, so you would need to track which domains have which certificates, etc. And the certificates need to exist before the config is changed. Switching from one to the other (for new certificates) might be easier. However, I do not see this feature coming soon.
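The concern above (the web server refuses to start when the config references a certificate that is not there) and the duplicated `ssl_certificate` lines from the nginx config earlier in the thread, combined in an added POSIX sh example that is not from the thread or from ISPConfig's templates. It emits a directive pair only for the key types whose certificate and key both exist, and signals with its exit status when neither pair is usable so the caller can leave SSL off for that vhost. The file layout (`DOMAIN.crt`/`DOMAIN.key` for RSA, `DOMAIN-ecc.crt`/`DOMAIN-ecc.key` for ECDSA in one directory) is an assumption, not ISPConfig's.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig: render the nginx
# certificate directives for a dual RSA + ECDSA vhost, skipping any key type
# whose certificate or key file is missing so the generated config never
# points at a file that would stop nginx from starting.
#
# Assumed layout (illustrative):
#   $SSLDIR/$DOMAIN.crt      $SSLDIR/$DOMAIN.key       (RSA)
#   $SSLDIR/$DOMAIN-ecc.crt  $SSLDIR/$DOMAIN-ecc.key   (ECDSA)

# ssl_cert_directives DOMAIN SSLDIR
#   prints ssl_certificate / ssl_certificate_key pairs for each complete pair;
#   exit 0 if at least one pair was emitted, 1 if none (keep SSL disabled).
ssl_cert_directives() {
    domain=$1; ssldir=$2; emitted=0
    for suffix in -ecc ""; do
        crt="$ssldir/$domain$suffix.crt"
        key="$ssldir/$domain$suffix.key"
        # both halves must exist and be non-empty; a lone cert or lone key is skipped
        if [ -s "$crt" ] && [ -s "$key" ]; then
            case "$suffix" in
                -ecc) echo "# ECDSA certificate" ;;
                *)    echo "# RSA certificate" ;;
            esac
            echo "ssl_certificate \"$crt\";"
            echo "ssl_certificate_key \"$key\";"
            emitted=$((emitted + 1))
        fi
    done
    [ "$emitted" -gt 0 ]
}

# count_cert_pairs DOMAIN SSLDIR -> prints the number of usable pairs (0, 1 or 2)
count_cert_pairs() {
    # grep -c exits 1 on zero matches; "|| true" keeps the count usable under set -e
    ssl_cert_directives "$1" "$2" | grep -c '^ssl_certificate ' || true
}

# Typical use inside a vhost generator:
#   if ssl_cert_directives example.com /var/www/example.com/ssl > /tmp/certs.conf; then
#       # include /tmp/certs.conf from the server block and enable listen 443 ssl
#       :
#   else
#       echo "no complete certificate pair for example.com, leaving SSL off" >&2
#   fi
```

Existence is the minimum check; a certificate whose key does not match also keeps nginx from starting, so a fuller version would additionally compare the public key of each `.crt` with `openssl pkey -pubout` output of its `.key` before emitting the pair.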
How is it difficult? At the moment it's a checkbox too. And the templates already verify the checkbox before activating the corresponding config.
If I am not mistaken, last time when I attempted such mods that need to add a checkbox in there, modifying and updating the database to add it was necessary, so you may want to ask the developers about it. Simpler mods that don't require adding the checkbox may work, but making it an option seems like a better alternative since ISPConfig administrators may not want to have or use that on their older servers.