Add ECDSA support (#578)

* Add ECDSA support * Add changelog * FIx doc
adferrand · Nov 18, 2021 · 0386e52 · 0386e52
1 parent 9e09e44
commit 0386e52
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 27 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,19 @@
 # Changelog
 
 ## master - CURRENT
+## Added
+* Support ECDSA keys when creating new certificates with the `key_type` string parameter
+  in the certificate section: set to `rsa` to use RSA keys (default if not set) or `ecdsa`
+  to use ECDSA keys. Example:
+  ```yaml
+  profiles:
+  - name: dummy
+    ...
+  certificates:
+  - domains: [example.org]
+    profile: dummy
+    key_type: ecdsa
+  ```
 
 ## 3.14.0 - 12/11/2021
 ### Added

diff --git a/docs/configuration_reference.rst b/docs/configuration_reference.rst
@@ -237,6 +237,7 @@ be defined in each relevant certificate configuration.
       force_renew: false
       follow_cnames: false
       reuse_key: false
+      key_type: ecdsa
 
 ``certificate`` properties
 --------------------------
@@ -301,6 +302,11 @@ be defined in each relevant certificate configuration.
     * *type*: ``boolean``
     * *default*: ``false`` (the private key is never reused for certificate renewal)
 
+``key_type``
+    * Type of key to use when the certificate is generated. Must be ``rsa`` or ``ecdsa``.
+    * *type*: ``string``
+    * *default*: ``rsa`` (a RSA-type key will be used)
+
 
 .. _link: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname
 

diff --git a/poetry.lock b/poetry.lock
diff --git a/src/dnsrobocert/core/certbot.py b/src/dnsrobocert/core/certbot.py
@@ -69,6 +69,7 @@ def certonly(
     domains: Optional[List[str]] = None,
     force_renew: bool = False,
     reuse_key: bool = False,
+    key_type: str = "rsa",
 ):
     if not domains:
         return
@@ -80,6 +81,8 @@ def certonly(
         additional_params.append("--force-renew")
     if reuse_key:
         additional_params.append("--reuse-key")
+    if key_type:
+        additional_params.extend(["--key-type", key_type])
 
     for domain in domains:
         additional_params.append("-d")

diff --git a/src/dnsrobocert/core/main.py b/src/dnsrobocert/core/main.py
@@ -52,6 +52,7 @@ def _process_config(
             domains = certificate["domains"]
             force_renew = certificate.get("force_renew", False)
             reuse_key = certificate.get("reuse_key", False)
+            key_type = certificate.get("key_type", "rsa")
             LOGGER.info(f"Handling the certificate for domain(s): {', '.join(domains)}")
             certbot.certonly(
                 runtime_config_path,
@@ -61,6 +62,7 @@ def _process_config(
                 domains,
                 force_renew=force_renew,
                 reuse_key=reuse_key,
+                key_type=key_type,
             )
         except BaseException as error:
             LOGGER.error(

diff --git a/src/dnsrobocert/schema.yml b/src/dnsrobocert/schema.yml
@@ -127,6 +127,9 @@ properties:
           type: boolean
         reuse_key:
           type: boolean
+        key_type:
+          type: string
+          enum: [rsa, ecdsa]
       required: [domains, profile]
       additionalProperties: false
 additionalProperties: false
diff --git a/test/integration_tests/dnsrobocert_test.py b/test/integration_tests/dnsrobocert_test.py
@@ -165,6 +165,9 @@ def test_it(tmp_path):
   - test1.example.net
   - test2.example.net
   profile: dummy
+  follow_cnames: true
+  reuse_key: true
+  key_type: ecdsa
 """
             )