Add support for obtain ECDSA keys (#1667)
* Add support for obtaining ECDSA keys * Replace matrix_ssl_lets_encrypt_use_ecdsa_keys with matrix_ssl_lets_encrypt_key_type
		| @@ -100,3 +100,12 @@ For automated certificate renewal to work, each port `80` vhost for each domain | ||||
|  | ||||
| See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-synapse.conf` | ||||
| Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers. | ||||
|  | ||||
|  | ||||
| ## Specify the SSL private key algorithm | ||||
|  | ||||
| If you'd like to [specify the private key type](https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys) used with Let's Encrypt, define your own custom configuration like this: | ||||
|  | ||||
| ```yaml | ||||
| matrix_ssl_lets_encrypt_key_type: ecdsa | ||||
| ``` | ||||
|   | ||||
| @@ -489,6 +489,10 @@ matrix_ssl_lets_encrypt_support_email: ~ | ||||
| # If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`) | ||||
| matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80' | ||||
|  | ||||
| # Specify key type of the private key algorithm. | ||||
| # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys | ||||
| matrix_ssl_lets_encrypt_key_type: rsa | ||||
|  | ||||
| matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" | ||||
| matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" | ||||
| matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" | ||||
|   | ||||
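Review bot: The comment above the new `matrix_ssl_lets_encrypt_key_type: rsa` default does not list the accepted values, so an operator reading defaults/main.yml has to locate the validation task to learn that only `rsa` and `ecdsa` pass. Extend the comment with `# Supported values: rsa, ecdsa (any other value fails configuration validation).` The commit description says this variable replaces `matrix_ssl_lets_encrypt_use_ecdsa_keys`; if that older variable ever reached users, a one-line comment here naming the old variable would ease migration, though I cannot tell from this page whether it shipped.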
| @@ -5,6 +5,11 @@ | ||||
|     msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value" | ||||
|   when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" | ||||
|  | ||||
| - name: Fail if using unsupported private key type | ||||
|   fail: | ||||
|     msg: "The `matrix_ssl_lets_encrypt_key_type` variable contains an unsupported value" | ||||
|   when: "matrix_ssl_lets_encrypt_key_type not in ['rsa', 'ecdsa']" | ||||
|  | ||||
|  | ||||
| # Common tasks, required by almost any method below. | ||||
|  | ||||
|   | ||||
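Review bot: The failure message in the new "Fail if using unsupported private key type" task tells the operator that the value is unsupported but not what is supported, so they must open this file to fix their configuration. Since the `when` expression already pins the accepted set, echo it in the message: `msg: "The \`matrix_ssl_lets_encrypt_key_type\` variable contains an unsupported value. Supported values: rsa, ecdsa"`. This validation is also what keeps the unquoted `--key-type {{ matrix_ssl_lets_encrypt_key_type }}` interpolation in the certbot command lines bounded to two known tokens, so it is worth keeping this task unconditional rather than gating it on `matrix_ssl_retrieval_method`.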
| @@ -45,6 +45,7 @@ | ||||
|     --http-01-port 8080 | ||||
|     {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} | ||||
|     {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} | ||||
|     --key-type {{ matrix_ssl_lets_encrypt_key_type }} | ||||
|     --standalone | ||||
|     --preferred-challenges http | ||||
|     --agree-tos | ||||
| @@ -74,6 +75,7 @@ | ||||
|     --http-01-port 8080 | ||||
|     {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} | ||||
|     {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} | ||||
|     --key-type {{ matrix_ssl_lets_encrypt_key_type }} | ||||
|     --standalone | ||||
|     --preferred-challenges http | ||||
|     --agree-tos | ||||
|   | ||||
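Review bot: The added `--key-type {{ matrix_ssl_lets_encrypt_key_type }}` line interpolates the variable into the command unquoted, while the neighbouring `--server={{ matrix_ssl_lets_encrypt_server|quote }}` line in the same command applies the `quote` filter; the new line should match, `--key-type {{ matrix_ssl_lets_encrypt_key_type|quote }}`. The validation task only accepts `rsa` or `ecdsa`, so this is defence in depth rather than a live injection path, but it keeps the command safe if the validation file is skipped (for example via tags) or the check is later loosened. The same applies to the second hunk at `@@ -74,6 +75,7 @@` in this file and to the renewal script template in the next file section. The enclosing task definitions start outside these hunks.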
| @@ -22,8 +22,9 @@ docker run \ | ||||
| 		--work-dir=/tmp \ | ||||
| 		--http-01-port 8080 \ | ||||
| 		{% if matrix_ssl_lets_encrypt_staging %} | ||||
| 			--staging \ | ||||
| 		--staging \ | ||||
| 		{% endif %} | ||||
| 		--key-type {{ matrix_ssl_lets_encrypt_key_type }} \ | ||||
| 		--standalone \ | ||||
| 		--preferred-challenges http \ | ||||
| 		--agree-tos \ | ||||
|   | ||||