How to replace Let's Encrypt RSA 4096 bits with ECC 256 bits?

How to replace Discourse LetsEncrypt Certificate from RSA 4096 bits to ECC 256 bits?

I want this permanent on my install, even after upgrade of discourse, is that possible?

@mpalmer does this request make sense to you? Is there anything off with our current certificate config in NGINX?

OK per What is RSA, DSA and ECC? ECC is latest and greatest, so I guess we should at least document how to do this. Not sure.

4 Likes

I’m ambivalent on documenting it. The benefits of wholesale replacing an RSA certificate with an ECC one are so niche, and the potential downsides so great, that we’d probably end up with more “I did this thing without considering the consequences AND IT’S ALL YOUR FAULT” topics than “I have a legitimate use case for an ECC cert but can’t figure out how to modify the template to make it happen”.

3 Likes

That’s an empty set. I’d bet on it. :beers:

3 Likes

It is an option you just have to figure out how to write the template and mix it in

Is it enough by editing line 59 & 63 on this file?
And then rebuild discourse?
https://github.com/discourse/discourse_docker/blob/master/templates/web.letsencrypt.ssl.template.yml#L59

Editing line 59 & 63 on /templates/web.letsencrypt.ssl.template.yml didn’t work.
My code:

Maybe it will work if I force to renew/generate new cert?
What is the command under Discourse?
Thanks!

@gerhard implemented this back in 2019

https://github.com/discourse/discourse_docker/pull/444

3 Likes