From 336af094eea755c87c23a0a2a855d3b01a9050fe Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Sun, 28 Jul 2024 01:45:38 +0200
Subject: [PATCH] certificate: Allow creating legacy certs

With RSA 4096 instead of ECDSA.
---
 roles/certbot/files/certbot-renewal.service | 2 +-
 roles/certificate/tasks/main.yml            | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/certbot/files/certbot-renewal.service b/roles/certbot/files/certbot-renewal.service
index b9d584483..846b94a5f 100644
--- a/roles/certbot/files/certbot-renewal.service
+++ b/roles/certbot/files/certbot-renewal.service
@@ -3,7 +3,7 @@ Description=Let's Encrypt renewal
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/certbot renew --key-type ecdsa \
+ExecStart=/usr/bin/certbot renew                  \
     --no-random-sleep-on-renew                    \
     --pre-hook   "/etc/letsencrypt/hook.sh pre"   \
     --post-hook  "/etc/letsencrypt/hook.sh post"  \
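Review bot: With `--key-type ecdsa` removed from `ExecStart`, the key type and RSA size used at renewal now come from each lineage's `/etc/letsencrypt/renewal/<name>.conf` rather than from this unit, which is what the per-certificate legacy option needs but is not stated anywhere in the file. I would add a comment above the line: `# No --key-type here on purpose: renewals use the key_type/rsa_key_size recorded per lineage (ecdsa by default, rsa-4096 for legacy certs).` For lineages issued before certbot recorded the key type in that config, it is worth watching the first renewal of one such cert, since certbot may fall back to its own default instead of preserving the existing key type.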
diff --git a/roles/certificate/tasks/main.yml b/roles/certificate/tasks/main.yml
index 9a81461c0..c1d3f98f1 100644
--- a/roles/certificate/tasks/main.yml
+++ b/roles/certificate/tasks/main.yml
@@ -5,13 +5,13 @@
     # So use Python built-in http.server for the initial certificate issuance
     python -m http.server --directory {{ letsencrypt_validation_dir }} 80 &
     trap "jobs -p | xargs --no-run-if-empty kill" EXIT
-    certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type ecdsa --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }} --cert-name {{ cert_name | default(domains | first) }}
+    certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type {{ 'ecdsa' if not (legacy | default(false)) else 'rsa --rsa-key-size 4096' }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }} --cert-name {{ cert_name | default(domains | first) }}
   args:
     creates: '/etc/letsencrypt/live/{{ cert_name | default(domains | first) }}/fullchain.pem'
   when: challenge | default(certificate_challenge) == "HTTP-01"
 
 - name: Create ssl cert (DNS-01) named {{ cert_name | default(domains | first) }}
-  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type ecdsa --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }} --cert-name {{ cert_name | default(domains | first) }}
+  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type {{ 'ecdsa' if not (legacy | default(false)) else 'rsa --rsa-key-size 4096' }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }} --cert-name {{ cert_name | default(domains | first) }}
   args:
     creates: '/etc/letsencrypt/live/{{ cert_name | default(domains | first) }}/fullchain.pem'
   when: challenge | default(certificate_challenge) == "DNS-01"
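Review bot: Setting `legacy: true` on a host whose lineage already exists is a silent no-op, because both tasks are skipped by `creates: /etc/letsencrypt/live/.../fullchain.pem` and the key type is only passed here, at first issuance; a later renewal keeps whatever the lineage's renewal config recorded. That deserves a comment above the tasks, e.g. `# Key type is fixed at first issuance; changing the legacy flag later has no effect until the lineage is removed or certonly is re-run with an explicit --key-type.` The `'ecdsa' if not (legacy | default(false)) else 'rsa --rsa-key-size 4096'` expression is also duplicated in both commands and hides a second flag inside the value of `--key-type`, and the bare `legacy` name is easy to collide with in inventory, unlike the role's other `certificate_*` variables (since the flag is new in this commit, renaming it should be free). I would resolve it once into a role-prefixed fact and substitute that in both commands, as below; the task containing line 33 starts before the hunk.
```yaml
- name: Resolve certbot key-type arguments for {{ cert_name | default(domains | first) }}
  set_fact:
    certificate_key_type_args: "{{ 'rsa --rsa-key-size 4096' if (certificate_legacy | default(false)) else 'ecdsa' }}"

# … unchanged: HTTP-01 task header, http.server and trap lines …
    certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type {{ certificate_key_type_args }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }} --cert-name {{ cert_name | default(domains | first) }}
# … unchanged: args/creates/when, DNS-01 task name …
  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type {{ certificate_key_type_args }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }} --cert-name {{ cert_name | default(domains | first) }}
```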
-- 
GitLab