ECDSA/ECC certificates

Discussion in 'Feature Requests' started by remkoh, Oct 8, 2021.

  1. remkoh

    remkoh Active Member HowtoForge Supporter

    As ECDSA/ECC certificates are becoming more and more common,
    and both Certbot and Acme.sh support them,
    and both Apache and Nginx support ECDSA and RSA side by side,
    it should become the next standard to enroll and implement both certificate types in websites when 'Let's Encrypt' gets checked within ISPConfig.

    I already use both certificate types side by side on a non-ISPConfig server which works like a charm.
    It shouldn't be to difficult to do the same in ISPConfig.
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  3. remkoh

    remkoh Active Member HowtoForge Supporter

    Just duplicate the lines about the certificate in your webconfig.
    Based on the ssl cipher the client and server agree to use you'll get the ecc or rsa certificate.
    In my case most clients will get ecc because ecdsa ciphers are prefered by the server and older clients will get rsa.

    Here is an example from a nginx webserver I'm using:
    Code:
    # ECDSA certificate
    ssl_certificate "/pathtocerts/domain_ecc/domain.cer";
    ssl_certificate_key "/pathtocerts/domain_ecc/domain.key";
    
    # RSA certificate
    ssl_certificate "/pathtocerts/domain/domain.cer";
    ssl_certificate_key "/pathtocerts/domain/domain.key";
    
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    
    Apache works about the same way.

    I've read some stories about problems with certificate chains.
    On apache they apparently need to be the same but that shouldn't be an issue as the chain is the same when enrolled by acme.sh or certbot.
    At least when using letsencrypt.
     
    ahrasis likes this.
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Thank you for sharing.

    It seems easy enough to be implemented without a need to wait for ISPConfig 3.3, at least if the ISPConfig developers are in agreement.

    I'll check that out and test them before writing the necessary modifications to ISPConfig letsencrypt files on my level.

    By the way, what is the exact command you use to issue the ecdsa/ecc LE certs as that would be useful too in writing the mods.
     
  5. remkoh

    remkoh Active Member HowtoForge Supporter

    It's just a matter of running certbot or acme.sh twice.
    For acme.sh it's as easy as running the command with --keylength 4096 (is ISPConfig's default if I'm not mistaking) for rsa and again for ecdsa with --keylength ec-384 (or another size).
    When using certbot it's --key-type rsa --rsa-key-size 4096 and --key-type ecdsa --elliptic-curve secp384r1

    Regarding certbot you do need to build in a version check I think.
    Ubuntu's default certbot package (which is the distro I use) is way way old!! Version 0.40.0 :(
    Certbot supports ECDSA since version 1.10
    Newer certbot versions are easy to install using snap for example.
    I have no clue about certbot packages in other linux distro's.

    Also the webserver version needs to be modern enough.
    Apache 2.4.8 or above and Nginx 1.11.0 or above.
     
    Steini86 and ahrasis like this.
  6. Steini86

    Steini86 Active Member

    remkoh likes this.
  7. remkoh

    remkoh Active Member HowtoForge Supporter

    I'll look into that for my own servers.

    When ECDSA will be implemented I suggest to let the user choose between Let's Encrypt's RSA, ECDSA or both certificates in ISPConfig's GUI using checkboxes like is done with DNSSEC Algorithm.
    Mainly because most users won't have LE ECDSA certificates enrolled yet and maybe don't want to for whatever reason.
    And I don't think you should want to enroll LE ECDSA certificates next to existing LE RSA certificates during the upgrade process of ISPConfig. Just let the users enroll LE ECDSA certificates themselves if they want to after they've upgraded their ISPConfig.
     
  8. Steini86

    Steini86 Active Member

    Its difficult with checkboxes because services do not start up if a certificate is missing. Apache/Nginx use generic templates for all users, so you would need to track which domains have which certificates, etc.. And the certificates need to exist before the config is changed.
    Switching from one to the other (for new certificates) might be easier. However, I do not see this feature coming soon ;)
     
  9. remkoh

    remkoh Active Member HowtoForge Supporter

    How is it difficult? At the moment it's a checkbox too. And templates now too verify the checkbox before activating the corresponding config.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If I am not mistaken, last time when I attempted such mods that need to add checkbox in there, modifying and updating database to add the same is necessary, so you may want to ask the developers about it.

    Simpler mods that don't require adding the checkbox may work but making it an option seems like a better alternative since ISPConfig administrators may not want to have or use that on their older servers.
     

Share This Page