feat: add support for selecting SSL key type (ECDSA/RSA)

Added the ability to specify the SSL key type (ECDSA or RSA) for each site in the Nginx Proxy Manager. This enhancement is particularly useful for environments with IoT devices that have limitations with specific key types, such as RSA-only support. The implementation includes:

- Backend support for storing and validating the `ssl_key_type` field.
- Swagger schema updated to validate the new input.
- Frontend update to allow users to select the SSL key type via a dropdown menu.

This feature ensures greater flexibility and compatibility in managing SSL certificates for diverse setups.

backend/internal/certificate.js

@@ -832,6 +832,7 @@ const internalCertificate = {
 
 		const cmd = `${certbotCommand} certonly ` +
 			`--config '${letsencryptConfig}' ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-name "npm-${certificate.id}" ` +
@@ -873,6 +874,7 @@ const internalCertificate = {
 
 		let mainCmd = certbotCommand + ' certonly ' +
 			`--config '${letsencryptConfig}' ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-name 'npm-${certificate.id}' ` +
@@ -969,6 +971,7 @@ const internalCertificate = {
 
 		const cmd = certbotCommand + ' renew --force-renewal ' +
 			`--config '${letsencryptConfig}' ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-name 'npm-${certificate.id}' ` +
@@ -1002,6 +1005,7 @@ const internalCertificate = {
 
 		let mainCmd = certbotCommand + ' renew --force-renewal ' +
 			`--config "${letsencryptConfig}" ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-name 'npm-${certificate.id}' ` +
@@ -1035,6 +1039,7 @@ const internalCertificate = {
 
 		const mainCmd = certbotCommand + ' revoke ' +
 			`--config '${letsencryptConfig}' ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-path '/etc/letsencrypt/live/npm-${certificate.id}/fullchain.pem' ` +

backend/migrations/20241209062244_ssl_key_type.js

@@ -0,0 +1,39 @@
+const migrate_name = 'identifier_for_migrate';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex) {
+
+	logger.info(`[${migrate_name}] Migrating Up...`);
+
+	return knex.schema.alterTable('proxy_host', (table) => {
+		table.enum('ssl_key_type', ['ecdsa', 'rsa']).defaultTo('ecdsa').notNullable();
+	}).then(() => {
+		logger.info(`[${migrate_name}] Column 'ssl_key_type' added to table 'proxy_host'`);
+	});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex) {
+	logger.info(`[${migrate_name}] Migrating Down...`);
+
+	return knex.schema.alterTable('proxy_host', (table) => {
+		table.dropColumn('ssl_key_type');
+	}).then(() => {
+		logger.info(`[${migrate_name}] Column 'ssl_key_type' removed from table 'proxy_host'`);
+	});
+};

backend/schema/components/proxy-host-object.json

@@ -23,6 +23,7 @@
 		"locations",
 		"hsts_enabled",
 		"hsts_subdomains",
+		"ssl_key_type",
 		"certificate"
 	],
 	"additionalProperties": false,
@@ -149,6 +150,11 @@
 					"$ref": "./access-list-object.json"
 				}
 			]
+		},
+		"ssl_key_type": {
+			"type": "string",
+			"enum": ["ecdsa", "rsa"],
+			"description": "Type of SSL key (either ecdsa or rsa)"
 		}
 	}
 }

backend/schema/paths/nginx/proxy-hosts/hostID/put.json

@@ -79,6 +79,9 @@
 						},
 						"locations": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/locations"
+						},
+						"ssl_key_type": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/ssl_key_type"
 						}
 					}
 				}

backend/schema/paths/nginx/proxy-hosts/post.json

@@ -67,6 +67,9 @@
 						},
 						"locations": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/locations"
+						},
+						"ssl_key_type": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/ssl_key_type"
 						}
 					}
 				}

docker/dev/letsencrypt.ini

@@ -1,7 +1,6 @@
 text = True
 non-interactive = True
 webroot-path = /data/letsencrypt-acme-challenge
-key-type = ecdsa
 elliptic-curve = secp384r1
 preferred-chain = ISRG Root X1
 server =

docker/rootfs/etc/letsencrypt.ini

@@ -1,6 +1,5 @@
 text = True
 non-interactive = True
 webroot-path = /data/letsencrypt-acme-challenge
-key-type = ecdsa
 elliptic-curve = secp384r1
 preferred-chain = ISRG Root X1

frontend/js/app/nginx/proxy/form.ejs

@@ -105,6 +105,15 @@
                                 </select>
                             </div>
                         </div>
+                        <div class="col-sm-12 col-md-12">
+                            <div class="form-group">
+                                <label class="form-label"><%- i18n('all-hosts', 'ssl-key-type') %></label>
+                                <select name="ssl_key_type" class="form-control custom-select">
+                                    <option value="ecdsa" data-data="{&quot;id&quot;:&quot;ecdsa&quot;}" <%- ssl_key_type == 'ecdsa' ? 'selected' : '' %>>ECDSA</option>
+                                    <option value="rsa" data-data="{&quot;id&quot;:&quot;rsa&quot;}" <%- ssl_key_type == 'rsa' ? 'selected' : '' %>>RSA</option>
+                                </select>
+                            </div>
+                        </div>
                         <div class="col-sm-6 col-md-6">
                             <div class="form-group">
                                 <label class="custom-switch">

frontend/js/i18n/messages.json

@@ -77,6 +77,7 @@
       "block-exploits": "Block Common Exploits",
       "caching-enabled": "Cache Assets",
       "ssl-certificate": "SSL Certificate",
+      "ssl-key-type": "SSL Key Type",
       "none": "None",
       "new-cert": "Request a new SSL Certificate",
       "with-le": "with Let's Encrypt",

frontend/js/models/dead-host.js

@@ -10,6 +10,7 @@ const model = Backbone.Model.extend({
             modified_on:     null,
             domain_names:    [],
             certificate_id:  0,
+						ssl_key_type:    'ecdsa',
             ssl_forced:      false,
             http2_support:   false,
             hsts_enabled:    false,

frontend/js/models/proxy-host.js

@@ -14,6 +14,7 @@ const model = Backbone.Model.extend({
             forward_port:            null,
             access_list_id:          0,
             certificate_id:          0,
+            ssl_key_type:            'ecdsa',
             ssl_forced:              false,
             hsts_enabled:            false,
             hsts_subdomains:         false,

frontend/js/models/redirection-host.js

@@ -14,6 +14,7 @@ const model = Backbone.Model.extend({
             forward_domain_name: '',
             preserve_path:       true,
             certificate_id:      0,
+						ssl_key_type:        'ecdsa',
             ssl_forced:          false,
             hsts_enabled:        false,
             hsts_subdomains:     false,