
SSL Letsencrypt Letsencrypt EC 256 bits (SHA256withRSA)

Discussion in 'Domains, DNS, Email & SSL Certificates' started by rdan, Jan 13, 2020.

  1. rdan

    Domain config generated from menu #2.
    How do I make this EC 256 bits (SHA256withECDSA)? Thanks!
     
  2. eva2000

    see https://centminmod.com/acmetool

    Choice is between creating only ECC 256bit ECDSA SSL certs = Creating Nginx HTTPS Vhost + ECC 256 bit ECDSA SSL Certificates

    or creating both ECC 256bit ECDSA + RSA 2048bit SSL certs, which is the recommended approach as not all web browsers/clients support ECC 256bit ECDSA SSL ciphers. See the manual way of doing dual ECDSA + RSA certs at https://community.centminmod.com/th...-dual-ecdsa-rsa-ssl-certificate-support.7449/

    Or the automated way of doing dual ECDSA + RSA SSL certs, which is enabled by setting the following variable in the persistent config file
    /etc/centminmod/custom_config.inc prior to creating the Nginx vhost via centmin.sh menu option 2 or 22 or the nv command line:
    Code (Text):
    DUALCERTS='y'
    
     
  3. rdan

    I already have this in my config:
    KEYLENGTH='ec-256'

    I don't want DUALCERTS either.

    Thanks Eva!
     
  4. eva2000

    then you're good to go :)
     
  5. rdan

    But why is my cert "SHA256withRSA"?
    Not SHA256withECDSA.
     
  6. eva2000

    Every centmin.sh menu option has a saved log at /root/centminlogs, so when you created the nginx vhost via centmin.sh menu option 2, 22 or even the nv command line there should be an addvhost nginx log, and you can inspect that for clues in the acme.sh related commands to see what key length was used, either -k ec-256 or -k 2048 for RSA.

    Ensure you set KEYLENGTH='ec-256' in the proper persistent config file /etc/centminmod/custom_config.inc BEFORE you ran the centmin.sh menu and not after.

    The following command sorts the logs in ascending date order and filters on the keywords nginx and vhost, so your newly added nginx vhost log will be close to the bottom of the listing:
    Code (Text):
    ls -lahrt /root/centminlogs | egrep 'nginx|vhost'
     
  7. rdan

    Yes it was there since several months ago.

    This was used:
    Code:
    testcert value = lived
    /root/.acme.sh/acme.sh --issue -d domain.com -d www.domain.com --days 60 -w /home/nginx/domains/domain.com/public -k ec-256 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-130120-011202.log --log-level 2
     
  8. eva2000

    Then it should be an ECDSA 256bit SSL cert. Had the domain had Letsencrypt SSL certs issued before on any other server? Check the expiry dates to see if it's the same issued cert or if you had issued a Letsencrypt SSL cert prior with RSA 2048bit.

    Also, where are you checking if it's ECDSA or RSA 2048?
     
  9. rdan

    No Sir.
    Correct Cert:
    Valid from
    Sun, 12 Jan 2020 16:12:31 GMT

    https://www.ssllabs.com/ssltest/
    [attached screenshot: upload_2020-1-14_10-25-12.png]
     
  10. eva2000

    Oh I see, that is your signature algorithm, not the SSL cipher. Your SSL cert key = EC 256bit = ECC 256bit = ECDSA 256bit.

    SHA256withRSA is due to Letsencrypt intermediate certs still being RSA 2048 bit based and not ECC 256 ECDSA based, see Signature Algorithm with SHA256ECDSA

     
    Last edited: Jan 14, 2020
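As an added illustration of the distinction drawn in the last reply (this script is not from the thread, nor from Centmin Mod or acme.sh): it uses openssl to build a throwaway RSA "intermediate" CA and an EC P-256 leaf certificate signed by it, then reads back the leaf's key algorithm and signature algorithm separately. The CN strings and function names are my own constructed placeholders; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Show that a leaf cert's key type (EC) and its signature algorithm (RSA, from the
# issuer's key) are independent properties. Constructed example, not project code.
set -e

# Print the certificate's own public key algorithm (e.g. id-ecPublicKey, rsaEncryption)
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Print the algorithm the ISSUER used to sign the certificate (e.g. sha256WithRSAEncryption)
cert_signature_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Fetch a live site's leaf cert as PEM (needs network; not used in the offline demo below)
fetch_site_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Build, in directory $1, an RSA 2048 CA and an EC P-256 leaf signed by that CA.
# This mirrors the situation described above: EC leaf key, RSA-keyed intermediate.
make_ec_leaf_signed_by_rsa_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed RSA Intermediate" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key"
    openssl req -new -key "$dir/leaf.key" -subj "/CN=domain.com" -out "$dir/leaf.csr"
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Offline demonstration
tmp=$(mktemp -d)
make_ec_leaf_signed_by_rsa_ca "$tmp"
echo "CA key algorithm:         $(cert_key_algorithm "$tmp/ca.crt")"          # rsaEncryption
echo "leaf key algorithm:       $(cert_key_algorithm "$tmp/leaf.crt")"        # id-ecPublicKey
echo "leaf signature algorithm: $(cert_signature_algorithm "$tmp/leaf.crt")"  # sha256WithRSAEncryption
```

To check a deployed vhost instead, save the output of fetch_site_cert to a file and pass that file to the two cert_* functions; an EC key with an RSA signature algorithm is the expected combination for the setup discussed here.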