From 133709534a0bc853ee93a2315657b59caa67ca0e Mon Sep 17 00:00:00 2001
From: Rafal Rytwinski <42976807+Fufs@users.noreply.github.com>
Date: Sun, 31 Dec 2023 16:09:53 +0100
Subject: [PATCH] letsencrypt: Add option to change key type (#3376)

* Add option to change key type
* Make keytype optional
* Update letsencrypt/DOCS.md
Fixed typos and grammar
Co-authored-by: Stefan Agner
* Bump version and update changelog
---------
Co-authored-by: Stefan Agner
---
 letsencrypt/CHANGELOG.md | 4 +++
 letsencrypt/DOCS.md | 27 +++++++++++++++++++
 letsencrypt/config.yaml | 4 ++-
 .../rootfs/etc/services.d/lets-encrypt/run | 9 +++++++
 letsencrypt/translations/en.yaml | 5 ++++
 5 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/letsencrypt/CHANGELOG.md b/letsencrypt/CHANGELOG.md
index 8ef3e75bf83..9883cb921ee 100644
--- a/letsencrypt/CHANGELOG.md
+++ b/letsencrypt/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## 5.0.9
+
+- Add option to specify Private Key type
+
 ## 5.0.8
 - Add Dreamhost DNS challenge support
diff --git a/letsencrypt/DOCS.md b/letsencrypt/DOCS.md
index f7b02d75673..b0ba9b74088 100644
--- a/letsencrypt/DOCS.md
+++ b/letsencrypt/DOCS.md
@@ -125,6 +125,15 @@ dreamhost_api_key: '' +
+ Changing the key type + + Starting with Certbot version 2.0.0 (add-on version 5.0.0 and newer), ECDSA keys are now the default. These keys utilize a more secure cryptography algorithm, however, they are not supported everywhere yet. For instance, Tasmota does not support MQTTS with an ECDSA key. If your use case does not support ECDSA keys, you can change them with the `keytype` parameter. + + ```yaml + keytype: rsa + ``` + ## Example Configurations @@ -161,6 +170,24 @@ dreamhost_api_key: ''
+
+ RSA key + + ```yaml + email: your.email@example.com + domains: + - home-assistant.io + certfile: fullchain.pem + keyfile: privkey.pem + keytype: rsa + challenge: dns + dns: + provider: dns-cloudflare + cloudflare_email: your.email@example.com + cloudflare_api_key: 31242lk3j4ljlfdwsjf0 + ``` + +
Azure DNS challenge
diff --git a/letsencrypt/config.yaml b/letsencrypt/config.yaml
index 7f3bb5d18bf..cbd3698cfff 100644
--- a/letsencrypt/config.yaml
+++ b/letsencrypt/config.yaml
@@ -1,5 +1,5 @@
 ---
-version: 5.0.8
+version: 5.0.9
 slug: letsencrypt
 name: Let's Encrypt
 description: Manage certificate from Let's Encrypt
@@ -20,6 +20,7 @@ options:
 domains:
 - null
 email: null
+ keytype: ecdsa
 keyfile: privkey.pem
 certfile: fullchain.pem
 challenge: http
@@ -30,6 +31,7 @@ schema:
 domains:
 - str
 email: email
+ keytype: list(ecdsa|rsa)?
 keyfile: str
 certfile: str
 challenge: list(dns|http)
diff --git a/letsencrypt/rootfs/etc/services.d/lets-encrypt/run b/letsencrypt/rootfs/etc/services.d/lets-encrypt/run
index c741cf9bcc8..9ca8048c668 100755
--- a/letsencrypt/rootfs/etc/services.d/lets-encrypt/run
+++ b/letsencrypt/rootfs/etc/services.d/lets-encrypt/run
@@ -4,11 +4,13 @@
 # ==============================================================================
 CERT_DIR=/data/letsencrypt
 WORK_DIR=/data/workdir
+KEY_ARGUMENTS=()
 PROVIDER_ARGUMENTS=()
 ACME_CUSTOM_SERVER_ARGUMENTS=()
 EMAIL=$(bashio::config 'email')
 DOMAINS=$(bashio::config 'domains')
+KEYTYPE=$(bashio::config 'keytype')
 KEYFILE=$(bashio::config 'keyfile')
 CERTFILE=$(bashio::config 'certfile')
 CHALLENGE=$(bashio::config 'challenge')
@@ -182,6 +184,11 @@ if bashio::config.has_value 'acme_server' ; then
 fi
 fi
+# Add key arguments if appropriate config entries exist
+if bashio::config.has_value 'keytype' ; then
+ KEY_ARGUMENTS+=("--key-type" "${KEYTYPE}")
+fi
+
 # Gather all domains into a plaintext file
 DOMAIN_ARR=()
 for line in $DOMAINS; do 
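Review bot: Appending `--key-type` next to `--keep-until-expiring` means a changed `keytype` has no effect until the current certificate is due for renewal, and certbot 2.x, as far as I recall, refuses to switch the key type of an existing lineage unless `--cert-name` is also supplied, so a user who switches to `rsa` may see that renewal fail instead of getting an RSA key. Worth confirming against the certbot version the add-on ships; if it holds, either pass `--cert-name` (certbot names the lineage after the first domain by default) or document that the old lineage must be removed first. A comment above the new block, e.g. `# --key-type applies at the next issuance/renewal; certbot may require --cert-name to change an existing lineage`, would record that. Two smaller points: the value reaches the command line without a check here but is constrained to `ecdsa|rsa` by the schema in config.yaml, which is the right place for that check, and `rsa` uses certbot's default RSA key size (2048 bits) since `--rsa-key-size` is not exposed, which DOCS.md should state.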
@@ -193,12 +200,14 @@ echo "$DOMAINS" > /data/domains.gen
 if [ "$CHALLENGE" == "dns" ]; then
 certbot certonly --non-interactive --keep-until-expiring --expand \
 --email "$EMAIL" --agree-tos \
+ "${KEY_ARGUMENTS[@]}" \
 --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
 --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}" "${PROVIDER_ARGUMENTS[@]}" \
 --preferred-chain "ISRG Root X1"
 else
 certbot certonly --non-interactive --keep-until-expiring --expand \
 --email "$EMAIL" --agree-tos \
+ "${KEY_ARGUMENTS[@]}" \
 --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
 --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}" "${ACME_CUSTOM_SERVER_ARGUMENTS[@]}" --standalone \
 --preferred-chain "ISRG Root X1"
diff --git a/letsencrypt/translations/en.yaml b/letsencrypt/translations/en.yaml
index 1d99b8f8d81..1fd9c2b19cf 100644
--- a/letsencrypt/translations/en.yaml
+++ b/letsencrypt/translations/en.yaml
@@ -8,6 +8,11 @@ configuration:
 email:
 name: Email
 description: The email address that will be registered for the certificate.
+ keytype:
+ name: Private Key type
+ description: >-
+ The cryptographic algorithm to use for the Private Key. If you're unsure
+ which one you need, leave it set to ecdsa.
 keyfile:
 name: Private Key File
 description: Path to where the Private Key File will be placed.
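Review bot: The two `certbot certonly` invocations now repeat the same leading arguments, including the new `"${KEY_ARGUMENTS[@]}"` line, and differ only in the trailing provider/server arguments and `--standalone`; a shared array would stop future option additions like this one from being applied to one branch and forgotten in the other. The `if`/`else` starts inside the hunk but its closing `fi` is outside it. The refactor below preserves argument order, so certbot sees the same command line in both branches.
```shell
CERTBOT_ARGUMENTS=(
    --non-interactive --keep-until-expiring --expand
    --email "$EMAIL" --agree-tos
    "${KEY_ARGUMENTS[@]}"
    --config-dir "$CERT_DIR" --work-dir "$WORK_DIR"
    --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}"
)
if [ "$CHALLENGE" == "dns" ]; then
    certbot certonly "${CERTBOT_ARGUMENTS[@]}" "${PROVIDER_ARGUMENTS[@]}" \
        --preferred-chain "ISRG Root X1"
else
    certbot certonly "${CERTBOT_ARGUMENTS[@]}" "${ACME_CUSTOM_SERVER_ARGUMENTS[@]}" --standalone \
        --preferred-chain "ISRG Root X1"
# … unchanged: closing fi …
```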