Add support for obtain ECDSA keys (#1667)

* Add support for obtain ECDSA keys

* Replace matrix_ssl_lets_encrypt_use_ecdsa_keys for matrix_ssl_lets_encrypt_key_type
This commit is contained in:
Alejo Diaz 2022-03-03 13:15:39 -03:00 committed by GitHub
parent 35df276487
commit 4ec24ec344
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 22 additions and 1 deletions

View file

@ -100,3 +100,12 @@ For automated certificate renewal to work, each port `80` vhost for each domain
See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-synapse.conf` See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-synapse.conf`
Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers. Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers.
## Specify the SSL private key algorithm
If you'd like to [specify the private key type](https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys) used with Let's Encrypt, define your own custom configuration like this:
```yaml
matrix_ssl_lets_encrypt_key_type: ecdsa
```

View file

@ -489,6 +489,10 @@ matrix_ssl_lets_encrypt_support_email: ~
# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`) # If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)
matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80' matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'
# Specify key type of the private key algorithm.
# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys
matrix_ssl_lets_encrypt_key_type: rsa
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"

View file

@ -5,6 +5,11 @@
msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value" msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
- name: Fail if using unsupported private key type
fail:
msg: "The `matrix_ssl_lets_encrypt_key_type` variable contains an unsupported value"
when: "matrix_ssl_lets_encrypt_key_type not in ['rsa', 'ecdsa']"
# Common tasks, required by almost any method below. # Common tasks, required by almost any method below.

View file

@ -45,6 +45,7 @@
--http-01-port 8080 --http-01-port 8080
{% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
{% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
--key-type {{ matrix_ssl_lets_encrypt_key_type }}
--standalone --standalone
--preferred-challenges http --preferred-challenges http
--agree-tos --agree-tos
@ -74,6 +75,7 @@
--http-01-port 8080 --http-01-port 8080
{% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
{% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
--key-type {{ matrix_ssl_lets_encrypt_key_type }}
--standalone --standalone
--preferred-challenges http --preferred-challenges http
--agree-tos --agree-tos

View file

@ -22,8 +22,9 @@ docker run \
--work-dir=/tmp \ --work-dir=/tmp \
--http-01-port 8080 \ --http-01-port 8080 \
{% if matrix_ssl_lets_encrypt_staging %} {% if matrix_ssl_lets_encrypt_staging %}
--staging \ --staging \
{% endif %} {% endif %}
--key-type {{ matrix_ssl_lets_encrypt_key_type }} \
--standalone \ --standalone \
--preferred-challenges http \ --preferred-challenges http \
--agree-tos \ --agree-tos \