remove elliptic-curve from certbot command options

Revert "add elliptic-curve"
This reverts commit 95a94a4f8c.
2025-06-19 10:36:26 +00:00 · 2024-12-12 01:49:57 +03:30 · 2024-12-12 01:49:19 +03:30 · 2024-12-12 01:15:39 +03:30 · 2024-12-12 00:46:14 +03:30 · 2024-12-11 23:31:39 +03:30
15 changed files with 113 additions and 5 deletions
--- a/backend/internal/certificate.js
+++ b/backend/internal/certificate.js
@ -570,6 +570,7 @@ const internalCertificate = {
 		return internalCertificate.create(access, {
 			provider:     'letsencrypt',
 			domain_names: data.domain_names,
+			ssl_key_type: data.ssl_key_type,
 			meta:         data.meta
 		});
 	},
@ -832,6 +833,7 @@ const internalCertificate = {

 		const cmd = `${certbotCommand} certonly ` +
 			`--config '${letsencryptConfig}' ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-name "npm-${certificate.id}" ` +
@ -873,6 +875,7 @@ const internalCertificate = {

 		let mainCmd = certbotCommand + ' certonly ' +
 			`--config '${letsencryptConfig}' ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-name 'npm-${certificate.id}' ` +
@ -969,6 +972,7 @@ const internalCertificate = {

 		const cmd = certbotCommand + ' renew --force-renewal ' +
 			`--config '${letsencryptConfig}' ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-name 'npm-${certificate.id}' ` +
@ -1002,6 +1006,7 @@ const internalCertificate = {

 		let mainCmd = certbotCommand + ' renew --force-renewal ' +
 			`--config "${letsencryptConfig}" ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-name 'npm-${certificate.id}' ` +
@ -1032,9 +1037,10 @@ const internalCertificate = {
 	 */
 	revokeLetsEncryptSsl: (certificate, throw_errors) => {
 		logger.info('Revoking Let\'sEncrypt certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
-
+		
 		const mainCmd = certbotCommand + ' revoke ' +
 			`--config '${letsencryptConfig}' ` +
+			`--key-type '${certificate.ssl_key_type}' ` +
 			'--work-dir "/tmp/letsencrypt-lib" ' +
 			'--logs-dir "/tmp/letsencrypt-log" ' +
 			`--cert-path '/etc/letsencrypt/live/npm-${certificate.id}/fullchain.pem' ` +
--- a/backend/internal/proxy-host.js
+++ b/backend/internal/proxy-host.js
@ -152,6 +152,7 @@ const internalProxyHost = {
 				if (create_certificate) {
 					return internalCertificate.createQuickCertificate(access, {
 						domain_names: data.domain_names || row.domain_names,
+						ssl_key_type: data.ssl_key_type || row.ssl_key_type,
 						meta:         _.assign({}, row.meta, data.meta)
 					})
 						.then((cert) => {
--- a/backend/migrations/20241209062244_ssl_key_type.js
+++ b/backend/migrations/20241209062244_ssl_key_type.js
@ -0,0 +1,39 @@
+const migrate_name = 'identifier_for_migrate';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex) {
+
+	logger.info(`[${migrate_name}] Migrating Up...`);
+
+	return knex.schema.alterTable('proxy_host', (table) => {
+		table.enum('ssl_key_type', ['ecdsa', 'rsa']).defaultTo('ecdsa').notNullable();
+	}).then(() => {
+		logger.info(`[${migrate_name}] Column 'ssl_key_type' added to table 'proxy_host'`);
+	});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex) {
+	logger.info(`[${migrate_name}] Migrating Down...`);
+
+	return knex.schema.alterTable('proxy_host', (table) => {
+		table.dropColumn('ssl_key_type');
+	}).then(() => {
+		logger.info(`[${migrate_name}] Column 'ssl_key_type' removed from table 'proxy_host'`);
+	});
+};
--- a/backend/migrations/20241211081223_ssl_key_type_in_proxy.js
+++ b/backend/migrations/20241211081223_ssl_key_type_in_proxy.js
@ -0,0 +1,39 @@
+const migrate_name = 'identifier_for_migrate';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex) {
+
+	logger.info(`[${migrate_name}] Migrating Up...`);
+
+	return knex.schema.alterTable('certificate', (table) => {
+		table.enum('ssl_key_type', ['ecdsa', 'rsa']).defaultTo('ecdsa').notNullable();
+	}).then(() => {
+		logger.info(`[${migrate_name}] Column 'ssl_key_type' added to table 'proxy_host'`);
+	});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex) {
+	logger.info(`[${migrate_name}] Migrating Down...`);
+
+	return knex.schema.alterTable('certificate', (table) => {
+		table.dropColumn('ssl_key_type');
+	}).then(() => {
+		logger.info(`[${migrate_name}] Column 'ssl_key_type' removed from table 'proxy_host'`);
+	});
+};
--- a/backend/schema/components/proxy-host-object.json
+++ b/backend/schema/components/proxy-host-object.json
@ -23,6 +23,7 @@
 		"locations",
 		"hsts_enabled",
 		"hsts_subdomains",
+		"ssl_key_type",
 		"certificate"
 	],
 	"additionalProperties": false,
@ -149,6 +150,11 @@
 					"$ref": "./access-list-object.json"
 				}
 			]
+		},
+		"ssl_key_type": {
+			"type": "string",
+			"enum": ["ecdsa", "rsa"],
+			"description": "Type of SSL key (either ecdsa or rsa)"
 		}
 	}
 }
--- a/backend/schema/paths/nginx/proxy-hosts/hostID/put.json
+++ b/backend/schema/paths/nginx/proxy-hosts/hostID/put.json
@ -79,6 +79,9 @@
 						},
 						"locations": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/locations"
+						},
+						"ssl_key_type": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/ssl_key_type"
 						}
 					}
 				}
--- a/backend/schema/paths/nginx/proxy-hosts/post.json
+++ b/backend/schema/paths/nginx/proxy-hosts/post.json
@ -67,6 +67,9 @@
 						},
 						"locations": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/locations"
+						},
+						"ssl_key_type": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/ssl_key_type"
 						}
 					}
 				}
--- a/docker/dev/letsencrypt.ini
+++ b/docker/dev/letsencrypt.ini
@ -1,7 +1,5 @@
 text = True
 non-interactive = True
 webroot-path = /data/letsencrypt-acme-challenge
-key-type = ecdsa
-elliptic-curve = secp384r1
 preferred-chain = ISRG Root X1
 server =
--- a/docker/rootfs/etc/letsencrypt.ini
+++ b/docker/rootfs/etc/letsencrypt.ini
@ -1,6 +1,5 @@
 text = True
 non-interactive = True
 webroot-path = /data/letsencrypt-acme-challenge
-key-type = ecdsa
 elliptic-curve = secp384r1
 preferred-chain = ISRG Root X1
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
@ -3,5 +3,6 @@ ssl_session_cache shared:SSL:50m;

 # intermediate configuration. tweak to your needs.
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:RSA-AES256-CBC-SHA256";
 ssl_prefer_server_ciphers off;
+ssl_ecdh_curve X25519:prime256v1:secp384r1;
--- a/frontend/js/app/nginx/proxy/form.ejs
+++ b/frontend/js/app/nginx/proxy/form.ejs
@ -105,6 +105,15 @@
                                </select>
                            </div>
                        </div>
+                        <div class="col-sm-12 col-md-12">
+                            <div class="form-group">
+                                <label class="form-label"><%- i18n('all-hosts', 'ssl-key-type') %></label>
+                                <select name="ssl_key_type" class="form-control custom-select">
+                                    <option value="ecdsa" data-data="{&quot;id&quot;:&quot;ecdsa&quot;}" <%- ssl_key_type == 'ecdsa' ? 'selected' : '' %>>ECDSA</option>
+                                    <option value="rsa" data-data="{&quot;id&quot;:&quot;rsa&quot;}" <%- ssl_key_type == 'rsa' ? 'selected' : '' %>>RSA</option>
+                                </select>
+                            </div>
+                        </div>
                        <div class="col-sm-6 col-md-6">
                            <div class="form-group">
                                <label class="custom-switch">
--- a/frontend/js/i18n/messages.json
+++ b/frontend/js/i18n/messages.json
@ -77,6 +77,7 @@
      "block-exploits": "Block Common Exploits",
      "caching-enabled": "Cache Assets",
      "ssl-certificate": "SSL Certificate",
+      "ssl-key-type": "SSL Key Type",
      "none": "None",
      "new-cert": "Request a new SSL Certificate",
      "with-le": "with Let's Encrypt",
--- a/frontend/js/models/dead-host.js
+++ b/frontend/js/models/dead-host.js
@ -10,6 +10,7 @@ const model = Backbone.Model.extend({
            modified_on:     null,
            domain_names:    [],
            certificate_id:  0,
+            ssl_key_type:    'ecdsa',
            ssl_forced:      false,
            http2_support:   false,
            hsts_enabled:    false,
--- a/frontend/js/models/proxy-host.js
+++ b/frontend/js/models/proxy-host.js
@ -14,6 +14,7 @@ const model = Backbone.Model.extend({
            forward_port:            null,
            access_list_id:          0,
            certificate_id:          0,
+            ssl_key_type:            'ecdsa',
            ssl_forced:              false,
            hsts_enabled:            false,
            hsts_subdomains:         false,
--- a/frontend/js/models/redirection-host.js
+++ b/frontend/js/models/redirection-host.js
@ -14,6 +14,7 @@ const model = Backbone.Model.extend({
            forward_domain_name: '',
            preserve_path:       true,
            certificate_id:      0,
+            ssl_key_type:        'ecdsa',
            ssl_forced:          false,
            hsts_enabled:        false,
            hsts_subdomains:     false,
Author	SHA1	Message	Date
milad nazari	04b3608b4e	remove elliptic-curve from certbot command options	2024-12-12 01:49:57 +03:30
milad nazari	111fc287eb	Revert "add elliptic-curve" This reverts commit `95a94a4f8c`.	2024-12-12 01:49:19 +03:30
milad nazari	95a94a4f8c	add elliptic-curve	2024-12-12 01:15:39 +03:30
milad nazari	5e7b69c396	add update cipher suites	2024-12-12 00:46:14 +03:30
milad nazari	2723de24fd	add ssl_ecdh_curve for more compatibility	2024-12-11 23:31:39 +03:30
milad nazari	891877afb6	fix ssl key-type certificate	2024-12-11 11:51:58 +03:30
milad nazari	8e9e033a72	fix indent: tab to space	2024-12-09 11:30:10 +03:30
milad nazari	e6ec74c2f7	feat: add support for selecting SSL key type (ECDSA/RSA) Added the ability to specify the SSL key type (ECDSA or RSA) for each site in the Nginx Proxy Manager. This enhancement is particularly useful for environments with IoT devices that have limitations with specific key types, such as RSA-only support. The implementation includes: - Backend support for storing and validating the `ssl_key_type` field. - Swagger schema updated to validate the new input. - Frontend update to allow users to select the SSL key type via a dropdown menu. This feature ensures greater flexibility and compatibility in managing SSL certificates for diverse setups.	2024-12-09 11:27:52 +03:30