How to replace Let's Encrypt RSA 4096 bits with ECC 256 bits?

(Dan) #1

How to replace the Discourse Let's Encrypt certificate from RSA 4096 bits to ECC 256 bits?
I want this to be permanent on my install, even after an upgrade of Discourse. Is that possible?

(Sam Saffron) #2

@mpalmer does this request make sense to you? Is there anything off with our current certificate config in NGINX?

OK per ECC is latest and greatest, so I guess we should at least document how to do this. Not sure.

(Matt Palmer) #3

I’m ambivalent on documenting it. The benefits of wholesale replacing an RSA certificate with an ECC one are so niche, and the potential downsides so great, that we’d probably end up with more “I did this thing without considering the consequences AND IT’S ALL YOUR FAULT” topics than “I have a legitimate use case for an ECC cert but can’t figure out how to modify the template to make it happen”.

(Bhanu Sharma) #4

I hope this has nothing to do with the installs where the reverse proxy handles ssl!

(Dan) #5

Additional Info: ECDSA: The digital signature algorithm of a better internet

All Cloudflare-powered websites under the Free Plan are using ECC.

At least maybe give us an option :).

(Andrew Schleifer) #6

That’s an empty set. I’d bet on it. :beers:

(Sam Saffron) #7

It is an option; you just have to figure out how to write the template and mix it in.

(Dan) #8

(Dan) #9

Is it enough to edit lines 59 & 63 in this file?
And then rebuild Discourse?

(Dan) #10

Editing lines 59 & 63 in /templates/web.letsencrypt.ssl.template.yml didn’t work.
My code:

(Dan) #11

Maybe it will work if I force it to renew/generate a new cert?
What is the command under Discourse?