كيفية استبدال شهادات Let's Encrypt RSA 4096 بت بشهادات ECC 256 بت؟

RoldanLT · 4 أغسطس 2018، 6:17ص

How to replace Discourse LetsEncrypt Certificate from RSA 4096 bits to ECC 256 bits?

I want this permanent on my install, even after upgrade of discourse, is that possible?

sam · 6 أغسطس 2018، 12:36ص

@mpalmer does this request make sense to you? Is there anything off with our current certificate config in NGINX?

OK per What is RSA, DSA and ECC? ECC is latest and greatest, so I guess we should at least document how to do this. Not sure.

mpalmer · 6 أغسطس 2018، 12:57ص

I’m ambivalent on documenting it. The benefits of wholesale replacing an RSA certificate with an ECC one are so niche, and the potential downsides so great, that we’d probably end up with more “I did this thing without considering the consequences AND IT’S ALL YOUR FAULT” topics than “I have a legitimate use case for an ECC cert but can’t figure out how to modify the template to make it happen”.

schleifer · 6 أغسطس 2018، 5:38م

That’s an empty set. I’d bet on it.

sam · 6 أغسطس 2018، 9:46م

It is an option you just have to figure out how to write the template and mix it in

RoldanLT · 7 أغسطس 2018، 6:25م

Is it enough by editing line 59 & 63 on this file?
And then rebuild discourse?

github.com/discourse/discourse_docker

templates/web.letsencrypt.ssl.template.yml

master


      
                  }
                }
              }
          
          - file:
             path: /etc/runit/1.d/letsencrypt
             chmod: "+x"
             contents: |
              #!/bin/bash
              /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
          
              issue_cert() {
                LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue $2 -d $$ENV_DISCOURSE_HOSTNAME --keylength $1 -w /var/www/discourse/public
              }
          
              cert_exists() {
                [[ "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME$1 && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]]
              }
          
              ########################################################
              # RSA cert

Editing line 59 & 63 on /templates/web.letsencrypt.ssl.template.yml didn’t work.
My code:

Maybe it will work if I force to renew/generate new cert?
What is the command under Discourse?
Thanks!

Falco · 11 مارس 2021، 1:59ص

نفّذ @gerhard هذا في عام 2019

github.com/discourse/discourse_docker

FEATURE: Elliptic Curve certificate (#444)

master ← elliptic_curve

merged 11:02PM - 09 Sep 19 UTC

gschlager

+50 -14

[Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS) recommends ECDSA (P…-256) as certificate type for intermediate compatibility. > ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11 Most modern browsers will use cipher suites with the ECDSA certificate. Older browsers will select the RSA certificate and a RSA cipher suite. It will create two Let's Encrypt certificates: * EC 256 bits (SHA256withRSA) * RSA 4096 bits (SHA256withRSA) Without this change all the ECDSA cipher suites defined in https://github.com/discourse/discourse_docker/blob/12f501764f57c827e497eb6fb88e98f8c3c468e6/templates/web.ssl.template.yml#L22 won't work. With the new certificate all cipher suites will work and browsers like IE11 on Windows 7 and Windows 8 will work too. **Before:** ![](https://user-images.githubusercontent.com/473736/64466317-a8e8f780-d111-11e9-84f1-f7b1dc75e523.png) **After:** ![](https://user-images.githubusercontent.com/473736/64466321-ad151500-d111-11e9-92bf-7c50ef2cd6b1.png)

الموضوع		الردود	مرات العرض
Improvements to web.letsencrypt.ssl.template.yml Development docker , letsencrypt	0	59	25 سبتمبر 2024
Help with SSL/HTTPS with Discourse Installation Support	3	217	3 أبريل 2025
Hit Let's encrypt renewal limit Self-hosting	7	2118	31 يوليو 2020
Let's Encrypte with multiple domains wasn't working for ECC certs Self-hosting	25	406	4 نوفمبر 2024
LetsEncrypt DNS Validation Template Using Cloudflare Self-hosting letsencrypt	1	309	17 أكتوبر 2024

كيفية استبدال شهادات Let's Encrypt RSA 4096 بت بشهادات ECC 256 بت؟

الموضوعات ذات الصلة