From fb1f03549c8e9b802a9d790de948bc4b39a75aaf Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Sat, 20 Jul 2024 04:58:12 +0200
Subject: [PATCH] certbot: Use ECDSA (P-256) certificates, not RSA

certbot switched to ECDSA by default about two years ago, following
[recommended practices][1].

We are currently using 4096-bit RSA keys, with which signing is extremely
slow. Using ECDSA should give us a nice speedup.

[1]: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
---
 roles/certbot/files/certbot-renewal.service | 8 ++++----
 roles/certificate/defaults/main.yml         | 1 -
 roles/certificate/tasks/main.yml            | 4 ++--
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/roles/certbot/files/certbot-renewal.service b/roles/certbot/files/certbot-renewal.service
index 305777251..b9d584483 100644
--- a/roles/certbot/files/certbot-renewal.service
+++ b/roles/certbot/files/certbot-renewal.service
@@ -3,8 +3,8 @@ Description=Let's Encrypt renewal
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/certbot renew --rsa-key-size 4096 \
-    --no-random-sleep-on-renew \
-    --pre-hook   "/etc/letsencrypt/hook.sh pre"      \
-    --post-hook  "/etc/letsencrypt/hook.sh post"     \
+ExecStart=/usr/bin/certbot renew --key-type ecdsa \
+    --no-random-sleep-on-renew                    \
+    --pre-hook   "/etc/letsencrypt/hook.sh pre"   \
+    --post-hook  "/etc/letsencrypt/hook.sh post"  \
     --renew-hook "/etc/letsencrypt/hook.sh renew"
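Review bot: The new `ExecStart` line selects ECDSA but leaves the curve to certbot's default, while the subject commits to P-256; pinning it as `ExecStart=/usr/bin/certbot renew --key-type ecdsa --elliptic-curve secp256r1 \` keeps the unit matching the stated intent even if a later certbot release changes its default curve. Because the two `certonly` tasks in roles/certificate/tasks/main.yml are guarded by `creates:`, existing hosts keep their RSA lineages until this timer runs, so the conversion happens at renewal time and, it appears, for every lineage the timer touches rather than per certificate (older certbot releases refused a key-type change on `renew` without `--cert-name`, so confirm the installed version accepts it). Anything that depends on the current key type — RSA-only clients, TLSA or other pinning records derived from the key, key-type-specific cipher configuration — should be checked before the timer fires. The same unpinned curve appears in both `certonly` commands of roles/certificate/tasks/main.yml.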
diff --git a/roles/certificate/defaults/main.yml b/roles/certificate/defaults/main.yml
index 263fa34d3..44aac047c 100644
--- a/roles/certificate/defaults/main.yml
+++ b/roles/certificate/defaults/main.yml
@@ -1,3 +1,2 @@
 certificate_challenge: "HTTP-01"
 certificate_contact_email: "webmaster@archlinux.org"
-certificate_rsa_key_size: 4096
diff --git a/roles/certificate/tasks/main.yml b/roles/certificate/tasks/main.yml
index 6d6803908..4d76a1418 100644
--- a/roles/certificate/tasks/main.yml
+++ b/roles/certificate/tasks/main.yml
@@ -5,13 +5,13 @@
     # So use Python built-in http.server for the initial certificate issuance
     python -m http.server --directory {{ letsencrypt_validation_dir }} 80 &
     trap "jobs -p | xargs --no-run-if-empty kill" EXIT
-    certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }}
+    certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type ecdsa --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }}
   args:
     creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
   when: challenge | default(certificate_challenge) == "HTTP-01"
 
 - name: Create ssl cert (DNS-01)
-  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
+  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type ecdsa --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
   args:
     creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
   when: challenge | default(certificate_challenge) == "DNS-01"
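Review bot: Both rewritten `certbot certonly` lines are single scalars well over 200 characters, which hides the one flag that actually changed and makes the HTTP-01 and DNS-01 variants hard to compare; writing the `command:` value as a folded block (`command: >-` followed by the flags one group per line) and breaking the `shell` line the same way would keep the invocation identical while making future flag changes reviewable. The shared prefix (`--email {{ certificate_contact_email }} --agree-tos --key-type ecdsa --renew-by-default`) is now duplicated verbatim in both tasks and could be a single role variable so the two challenge paths cannot drift. The enclosing `shell:` block of the first task starts before this hunk.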
-- 
GitLab