如何将 Let's Encrypt 的 RSA 4096 位替换为 ECC 256 位？

RoldanLT · 2018 年8 月 4 日 06:17

如何将 Discourse 的 LetsEncrypt 证书从 RSA 4096 位替换为 ECC 256 位？

我希望在我的安装中永久启用此设置，即使在 Discourse 升级后也能保持，这是否可行？

sam · 2018 年8 月 6 日 00:36

@mpalmer does this request make sense to you? Is there anything off with our current certificate config in NGINX?

OK per What is RSA, DSA and ECC? ECC is latest and greatest, so I guess we should at least document how to do this. Not sure.

mpalmer · 2018 年8 月 6 日 00:57

I’m ambivalent on documenting it. The benefits of wholesale replacing an RSA certificate with an ECC one are so niche, and the potential downsides so great, that we’d probably end up with more “I did this thing without considering the consequences AND IT’S ALL YOUR FAULT” topics than “I have a legitimate use case for an ECC cert but can’t figure out how to modify the template to make it happen”.

schleifer · 2018 年8 月 6 日 17:38

That’s an empty set. I’d bet on it.

sam · 2018 年8 月 6 日 21:46

It is an option you just have to figure out how to write the template and mix it in

RoldanLT · 2018 年8 月 7 日 18:25

只编辑该文件的第 59 行和第 63 行就够了吗？
然后重新构建 Discourse？

github.com/discourse/discourse_docker

templates/web.letsencrypt.ssl.template.yml

master


      
                  }
                }
              }
          
          - file:
             path: /etc/runit/1.d/letsencrypt
             chmod: "+x"
             contents: |
              #!/bin/bash
              /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
          
              issue_cert() {
                LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue $2 -d $$ENV_DISCOURSE_HOSTNAME --keylength $1 -w /var/www/discourse/public
              }
          
              cert_exists() {
                [[ "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME$1 && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]]
              }
          
              ########################################################
              # RSA cert

编辑 /templates/web.letsencrypt.ssl.template.yml 的第 59 行和第 63 行并未生效。
我的代码：

如果我强制更新/生成新证书，也许能行？
Discourse 下的命令是什么？
谢谢！

Falco · 2021 年3 月 11 日 01:59

@gerhard 于 2019 年实现了这一功能

github.com/discourse/discourse_docker

FEATURE: Elliptic Curve certificate (#444)

master ← elliptic_curve

merged 11:02PM - 09 Sep 19 UTC

gschlager

+50 -14

[Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS) recommends ECDSA (P…-256) as certificate type for intermediate compatibility. > ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11 Most modern browsers will use cipher suites with the ECDSA certificate. Older browsers will select the RSA certificate and a RSA cipher suite. It will create two Let's Encrypt certificates: * EC 256 bits (SHA256withRSA) * RSA 4096 bits (SHA256withRSA) Without this change all the ECDSA cipher suites defined in https://github.com/discourse/discourse_docker/blob/12f501764f57c827e497eb6fb88e98f8c3c468e6/templates/web.ssl.template.yml#L22 won't work. With the new certificate all cipher suites will work and browsers like IE11 on Windows 7 and Windows 8 will work too. **Before:** ![](https://user-images.githubusercontent.com/473736/64466317-a8e8f780-d111-11e9-84f1-f7b1dc75e523.png) **After:** ![](https://user-images.githubusercontent.com/473736/64466321-ad151500-d111-11e9-92bf-7c50ef2cd6b1.png)

话题		回复	浏览量
Improvements to web.letsencrypt.ssl.template.yml Development docker , letsencrypt	0	59	2024 年9 月 25 日
Help with SSL/HTTPS with Discourse Installation Support	3	217	2025 年4 月 3 日
Hit Let's encrypt renewal limit Self-hosting	7	2118	2020 年7 月 31 日
Let's Encrypte with multiple domains wasn't working for ECC certs Self-hosting	25	406	2024 年11 月 4 日
LetsEncrypt DNS Validation Template Using Cloudflare Self-hosting letsencrypt	1	309	2024 年10 月 17 日

如何将 Let's Encrypt 的 RSA 4096 位替换为 ECC 256 位？

相关话题