Como substituir o RSA 4096 bits do Let's Encrypt por ECC 256 bits?

RoldanLT · Agosto 4, 2018, 6:17am

Como substituir o certificado Discourse LetsEncrypt de RSA 4096 bits por ECC 256 bits?

Quero que isso seja permanente na minha instalação, mesmo após a atualização do Discourse. Isso é possível?

sam · Agosto 6, 2018, 12:36am

@mpalmer does this request make sense to you? Is there anything off with our current certificate config in NGINX?

OK per What is RSA, DSA and ECC? ECC is latest and greatest, so I guess we should at least document how to do this. Not sure.

mpalmer · Agosto 6, 2018, 12:57am

I’m ambivalent on documenting it. The benefits of wholesale replacing an RSA certificate with an ECC one are so niche, and the potential downsides so great, that we’d probably end up with more “I did this thing without considering the consequences AND IT’S ALL YOUR FAULT” topics than “I have a legitimate use case for an ECC cert but can’t figure out how to modify the template to make it happen”.

schleifer · Agosto 6, 2018, 5:38pm

That’s an empty set. I’d bet on it.

sam · Agosto 6, 2018, 9:46pm

It is an option you just have to figure out how to write the template and mix it in

RoldanLT · Agosto 7, 2018, 6:25pm

Basta editar as linhas 59 e 63 deste arquivo?
E depois reconstruir o Discourse?

github.com/discourse/discourse_docker

templates/web.letsencrypt.ssl.template.yml

master


      
                  }
                }
              }
          
          - file:
             path: /etc/runit/1.d/letsencrypt
             chmod: "+x"
             contents: |
              #!/bin/bash
              /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
          
              issue_cert() {
                LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue $2 -d $$ENV_DISCOURSE_HOSTNAME --keylength $1 -w /var/www/discourse/public
              }
          
              cert_exists() {
                [[ "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME$1 && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]]
              }
          
              ########################################################
              # RSA cert

Editar as linhas 59 e 63 em /templates/web.letsencrypt.ssl.template.yml não funcionou.
Meu código:

Talvez funcione se eu forçar a renovação/geração de um novo certificado?
Qual é o comando no Discourse?
Obrigado!

Falco · Março 11, 2021, 1:59am

@gerhard implementou isso em 2019

github.com/discourse/discourse_docker

FEATURE: Elliptic Curve certificate (#444)

master ← elliptic_curve

merged 11:02PM - 09 Sep 19 UTC

gschlager

+50 -14

[Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS) recommends ECDSA (P…-256) as certificate type for intermediate compatibility. > ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11 Most modern browsers will use cipher suites with the ECDSA certificate. Older browsers will select the RSA certificate and a RSA cipher suite. It will create two Let's Encrypt certificates: * EC 256 bits (SHA256withRSA) * RSA 4096 bits (SHA256withRSA) Without this change all the ECDSA cipher suites defined in https://github.com/discourse/discourse_docker/blob/12f501764f57c827e497eb6fb88e98f8c3c468e6/templates/web.ssl.template.yml#L22 won't work. With the new certificate all cipher suites will work and browsers like IE11 on Windows 7 and Windows 8 will work too. **Before:** ![](https://user-images.githubusercontent.com/473736/64466317-a8e8f780-d111-11e9-84f1-f7b1dc75e523.png) **After:** ![](https://user-images.githubusercontent.com/473736/64466321-ad151500-d111-11e9-92bf-7c50ef2cd6b1.png)

Tópico		Respostas	Visualizações
Improvements to web.letsencrypt.ssl.template.yml Development docker , letsencrypt	0	59	25 de Setembro de 2024
Help with SSL/HTTPS with Discourse Installation Support	3	217	3 de Abril de 2025
Hit Let's encrypt renewal limit Self-hosting	7	2118	31 de Julho de 2020
Let's Encrypte with multiple domains wasn't working for ECC certs Self-hosting	25	406	4 de Novembro de 2024
LetsEncrypt DNS Validation Template Using Cloudflare Self-hosting letsencrypt	1	309	17 de Outubro de 2024

Como substituir o RSA 4096 bits do Let's Encrypt por ECC 256 bits?

Tópicos relacionados