letsencrypt: Add option to change key type (home-assistant#3376)

* Add option to change key type * Make keytype optional * Update letsencrypt/DOCS.md Fixed typos and grammar Co-authored-by: Stefan Agner <stefan@agner.ch> * Bump version and update changelog --------- Co-authored-by: Stefan Agner <stefan@agner.ch>
moovy2 · Dec 31, 2023 · 1337095 · 1337095
1 parent e6031ff
commit 1337095
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 1 deletion.
diff --git a/letsencrypt/CHANGELOG.md b/letsencrypt/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 5.0.9
+
+- Add option to specify Private Key type
+
 ## 5.0.8
 
 - Add Dreamhost DNS challenge support

diff --git a/letsencrypt/DOCS.md b/letsencrypt/DOCS.md
@@ -125,6 +125,15 @@ dreamhost_api_key: ''
 
 </details>
 
+<details>
+  <summary>Changing the key type</summary>
+
+  Starting with Certbot version 2.0.0 (add-on version 5.0.0 and newer), ECDSA keys are now the default. These keys utilize a more secure cryptography algorithm, however, they are not supported everywhere yet. For instance, Tasmota does not support MQTTS with an ECDSA key. If your use case does not support ECDSA keys, you can change them with the `keytype` parameter.
+
+  ```yaml
+  keytype: rsa
+  ``` 
+
 
 ## Example Configurations
 
@@ -161,6 +170,24 @@ dreamhost_api_key: ''
 
 </details>
 
+<details>
+  <summary>RSA key</summary>
+
+  ```yaml
+  email: your.email@example.com
+  domains:
+    - home-assistant.io
+  certfile: fullchain.pem
+  keyfile: privkey.pem
+  keytype: rsa
+  challenge: dns
+  dns:
+    provider: dns-cloudflare
+    cloudflare_email: your.email@example.com
+    cloudflare_api_key: 31242lk3j4ljlfdwsjf0
+  ```
+
+</details>
 
 <details>
   <summary>Azure DNS challenge</summary>

diff --git a/letsencrypt/config.yaml b/letsencrypt/config.yaml
@@ -1,5 +1,5 @@
 ---
-version: 5.0.8
+version: 5.0.9
 slug: letsencrypt
 name: Let's Encrypt
 description: Manage certificate from Let's Encrypt
@@ -20,6 +20,7 @@ options:
   domains:
     - null
   email: null
+  keytype: ecdsa
   keyfile: privkey.pem
   certfile: fullchain.pem
   challenge: http
@@ -30,6 +31,7 @@ schema:
   domains:
     - str
   email: email
+  keytype: list(ecdsa|rsa)?
   keyfile: str
   certfile: str
   challenge: list(dns|http)

diff --git a/letsencrypt/rootfs/etc/services.d/lets-encrypt/run b/letsencrypt/rootfs/etc/services.d/lets-encrypt/run
@@ -4,11 +4,13 @@
 # ==============================================================================
 CERT_DIR=/data/letsencrypt
 WORK_DIR=/data/workdir
+KEY_ARGUMENTS=()
 PROVIDER_ARGUMENTS=()
 ACME_CUSTOM_SERVER_ARGUMENTS=()
 
 EMAIL=$(bashio::config 'email')
 DOMAINS=$(bashio::config 'domains')
+KEYTYPE=$(bashio::config 'keytype')
 KEYFILE=$(bashio::config 'keyfile')
 CERTFILE=$(bashio::config 'certfile')
 CHALLENGE=$(bashio::config 'challenge')
@@ -182,6 +184,11 @@ if bashio::config.has_value 'acme_server' ; then
     fi
 fi
 
+# Add key arguments if appropriate config entries exist
+if bashio::config.has_value 'keytype' ; then
+  KEY_ARGUMENTS+=("--key-type" "${KEYTYPE}")
+fi
+
 # Gather all domains into a plaintext file
 DOMAIN_ARR=()
 for line in $DOMAINS; do
@@ -193,12 +200,14 @@ echo "$DOMAINS" > /data/domains.gen
 if [ "$CHALLENGE" == "dns" ]; then
     certbot certonly --non-interactive --keep-until-expiring --expand \
         --email "$EMAIL" --agree-tos \
+        "${KEY_ARGUMENTS[@]}" \
         --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
         --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}" "${PROVIDER_ARGUMENTS[@]}" \
         --preferred-chain "ISRG Root X1"
 else
     certbot certonly --non-interactive --keep-until-expiring --expand \
         --email "$EMAIL" --agree-tos \
+        "${KEY_ARGUMENTS[@]}" \
         --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
         --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}" "${ACME_CUSTOM_SERVER_ARGUMENTS[@]}" --standalone \
         --preferred-chain "ISRG Root X1"

diff --git a/letsencrypt/translations/en.yaml b/letsencrypt/translations/en.yaml
@@ -8,6 +8,11 @@ configuration:
   email:
     name: Email
     description: The email address that will be registered for the certificate.
+  keytype:
+    name: Private Key type
+    description: >-
+      The cryptographic algorithm to use for the Private Key. If you're unsure
+      which one you need, leave it set to ecdsa.
   keyfile:
     name: Private Key File
     description: Path to where the Private Key File will be placed.