How to replace Let's Encrypt RSA 4096 bits with ECC 256 bits?

RoldanLT · August 4, 2018, 6:17am

How to replace Discourse LetsEncrypt Certificate from RSA 4096 bits to ECC 256 bits?

I want this permanent on my install, even after upgrade of discourse, is that possible?

sam · August 6, 2018, 12:36am

@mpalmer does this request make sense to you? Is there anything off with our current certificate config in NGINX?

OK per What is RSA, DSA and ECC? ECC is latest and greatest, so I guess we should at least document how to do this. Not sure.

mpalmer · August 6, 2018, 12:57am

I’m ambivalent on documenting it. The benefits of wholesale replacing an RSA certificate with an ECC one are so niche, and the potential downsides so great, that we’d probably end up with more “I did this thing without considering the consequences AND IT’S ALL YOUR FAULT” topics than “I have a legitimate use case for an ECC cert but can’t figure out how to modify the template to make it happen”.

schleifer · August 6, 2018, 5:38pm

That’s an empty set. I’d bet on it.

sam · August 6, 2018, 9:46pm

It is an option you just have to figure out how to write the template and mix it in

RoldanLT · August 7, 2018, 6:25pm

Is it enough by editing line 59 & 63 on this file?
And then rebuild discourse?

github.com/discourse/discourse_docker

templates/web.letsencrypt.ssl.template.yml

master


      
                  }
                }
              }
          
          - file:
             path: /etc/runit/1.d/letsencrypt
             chmod: "+x"
             contents: |
              #!/bin/bash
              /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
          
              issue_cert() {
                LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue $2 -d $$ENV_DISCOURSE_HOSTNAME --keylength $1 -w /var/www/discourse/public
              }
          
              cert_exists() {
                [[ "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME$1 && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]]
              }
          
              ########################################################
              # RSA cert

Editing line 59 & 63 on /templates/web.letsencrypt.ssl.template.yml didn’t work.
My code:

Maybe it will work if I force to renew/generate new cert?
What is the command under Discourse?
Thanks!

Falco · March 11, 2021, 1:59am

@gerhard implemented this back in 2019

github.com/discourse/discourse_docker

FEATURE: Elliptic Curve certificate

master ← elliptic_curve

merged 11:02PM - 09 Sep 19 UTC

gschlager

+50 -14

[Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS) recommends ECDSA (P…-256) as certificate type for intermediate compatibility. > ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11 Most modern browsers will use cipher suites with the ECDSA certificate. Older browsers will select the RSA certificate and a RSA cipher suite. It will create two Let's Encrypt certificates: * EC 256 bits (SHA256withRSA) * RSA 4096 bits (SHA256withRSA) Without this change all the ECDSA cipher suites defined in https://github.com/discourse/discourse_docker/blob/12f501764f57c827e497eb6fb88e98f8c3c468e6/templates/web.ssl.template.yml#L22 won't work. With the new certificate all cipher suites will work and browsers like IE11 on Windows 7 and Windows 8 will work too. **Before:** ![](https://user-images.githubusercontent.com/473736/64466317-a8e8f780-d111-11e9-84f1-f7b1dc75e523.png) **After:** ![](https://user-images.githubusercontent.com/473736/64466321-ad151500-d111-11e9-92bf-7c50ef2cd6b1.png)

Topic		Replies	Views
Improvements to web.letsencrypt.ssl.template.yml Development docker , letsencrypt	0	59	September 25, 2024
Help with SSL/HTTPS with Discourse Installation Support	3	217	April 3, 2025
Hit Let's encrypt renewal limit Self-hosting	7	2118	July 31, 2020
Let's Encrypte with multiple domains wasn't working for ECC certs Self-hosting	25	406	November 4, 2024
LetsEncrypt DNS Validation Template Using Cloudflare Self-hosting letsencrypt	1	309	October 17, 2024

How to replace Let's Encrypt RSA 4096 bits with ECC 256 bits?

Related topics