certbot: Use ECDSA (P-256) certificates, not RSA

certbot switched to ECDSA by default about two years ago, following [recommended practices][1]. We are currently using RSA with 4096 bits, which is extremely slow to sign. Using ECDSA should give us a nice speedup. [1]: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29

certbot: Use ECDSA (P-256) certificates, not RSA
fb1f0354 · Jan Alexander Steffens (heftig) · 6172c319 · fb1f0354 · fb1f0354 · fb1f0354
Commit fb1f0354 authored 8 months ago by Jan Alexander Steffens (heftig)
--- a/roles/certbot/files/certbot-renewal.service
+++ b/roles/certbot/files/certbot-renewal.service
@@ -3,8 +3,8 @@ Description=Let's Encrypt renewal

 [Service]
 Type=oneshot
-ExecStart=/usr/bin/certbot renew --rsa-key-size 4096 \
-    --no-random-sleep-on-renew \
-    --pre-hook   "/etc/letsencrypt/hook.sh pre"      \
-    --post-hook  "/etc/letsencrypt/hook.sh post"     \
+ExecStart=/usr/bin/certbot renew --key-type ecdsa \
+    --no-random-sleep-on-renew                    \
+    --pre-hook   "/etc/letsencrypt/hook.sh pre"   \
+    --post-hook  "/etc/letsencrypt/hook.sh post"  \
    --renew-hook "/etc/letsencrypt/hook.sh renew"
--- a/roles/certificate/defaults/main.yml
+++ b/roles/certificate/defaults/main.yml
 certificate_challenge: "HTTP-01"
 certificate_contact_email: "webmaster@archlinux.org"
-certificate_rsa_key_size: 4096
--- a/roles/certificate/tasks/main.yml
+++ b/roles/certificate/tasks/main.yml
@@ -5,13 +5,13 @@
    # So use Python built-in http.server for the initial certificate issuance
    python -m http.server --directory {{ letsencrypt_validation_dir }} 80 &
    trap "jobs -p | xargs --no-run-if-empty kill" EXIT
-    certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }}
+    certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type ecdsa --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }}
  args:
    creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
  when: challenge | default(certificate_challenge) == "HTTP-01"

 - name: Create ssl cert (DNS-01)
-  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
+  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type ecdsa --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
  args:
    creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
  when: challenge | default(certificate_challenge) == "DNS-01"