Let’s Encrypt and back to RSA keys

A while ago Let’s Encrypt switched to the more modern, safer and more efficient ECDSA algorithm for private keys instead of RSA, and made ECDSA the default. Unfortunately, older software versions are unable to use ECDSA private keys and still expect RSA keys. This is a problem when you obtain SSL certificates with an up-to-date Letsencrypt version for software that still requires RSA keys.

This happened to me as I am using the most up-to-date version of Nginx Proxy Manager with an outdated version of the Mailu email server. All of a sudden my email server stopped being accessible and my email clients reported connectivity issues.

Personal notes: My personal notes on how to set up stuff, to make it easier to repeat next time.

There is not much information on the internet that would point in the right direction for the various errors I found in the log files, so it took me a while to find the culprit and then a solution.

And the solution is to switch back to RSA private keys in the Letsencrypt configuration. This is as simple as adding/replacing two lines in the /etc/letsencrypt.ini file. Make sure you remove or comment out the following lines:

#key-type = ecdsa
#elliptic-curve = secp384r1

Instead add these lines:

key-type = rsa
rsa-key-size = 4096

I am accessing my email server only through a VPN, so the RSA key size does not really matter, but if you expose your server to the internet you may want to set a correct key size for greater security.

And the solution is actually more of a workaround, as the correct fix would be upgrading my email server to a more recent version. To make it an even more hackish patchwork, I run Nginx Proxy Manager inside a Docker container that has hardcoded Letsencrypt settings, so in order to change the ini file you have to get into the container and edit the file:

~$ sudo docker ps
CONTAINER ID   IMAGE                                         COMMAND                  CREATED        STATUS                 PORTS     NAMES
1359a541dba5   mattie112/docker-nginx-proxy-manager:latest   "/init"                  25 hours ago   Up 24 hours                      proxy-man

Now run a shell inside the Nginx Proxy Manager container and edit the file:

~$ sudo docker container exec -it 1359a541dba5 /bin/bash
bash-5.1# vi /etc/letsencrypt.ini

Unfortunately the changes I make are not permanent: they are all lost after updating Nginx Proxy Manager.
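Because the edit is lost whenever the container is recreated, it helps to have the change as a script that can be re-applied instead of a manual vi session. The following is an added example, not part of the original post or of Nginx Proxy Manager: a POSIX shell function that comments out the ECDSA lines and appends the RSA lines described above, using the same option names (key-type, elliptic-curve, rsa-key-size) the post uses. The file path is an argument, and the sample letsencrypt.ini at the bottom is constructed here for the demonstration; it is not the container's real file.

```shell
#!/bin/sh
# Added example (not from the post): switch a letsencrypt.ini from ECDSA
# back to RSA keys without an interactive editor, so the same change can
# be re-applied every time the proxy manager container is updated.

# active_setting FILE KEY
# Print the value of the last uncommented "KEY = value" line in FILE
# (empty output if there is none).
active_setting() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# force_rsa_keys FILE [BITS]
# 1. comment out every active key-type / elliptic-curve / rsa-key-size line
# 2. append "key-type = rsa" and "rsa-key-size = BITS" (default 4096)
# The function is idempotent: if the file already asks for RSA keys of the
# requested size, it is left untouched.
force_rsa_keys() {
    file=$1
    bits=${2:-4096}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if [ "$(active_setting "$file" key-type)" = "rsa" ] \
        && [ "$(active_setting "$file" rsa-key-size)" = "$bits" ]; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Prefix "#" to the whole matched prefix of each active key line;
    # lines that already start with "#" do not match and stay as they are.
    sed -E 's/^[[:space:]]*(key-type|elliptic-curve|rsa-key-size)[[:space:]]*=/#&/' \
        "$file" > "$tmp"
    printf '%s\n' "key-type = rsa" "rsa-key-size = $bits" >> "$tmp"
    # Write back through cat so the file keeps its inode and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demonstration on a constructed sample file (not the container's real file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/letsencrypt.ini" <<'EOF'
# constructed sample settings
text = True
non-interactive = True
key-type = ecdsa
elliptic-curve = secp384r1
EOF
force_rsa_keys "$demo_dir/letsencrypt.ini"
echo "--- rewritten letsencrypt.ini ---"
cat "$demo_dir/letsencrypt.ini"
echo "--- active key-type: $(active_setting "$demo_dir/letsencrypt.ini" key-type)"
rm -rf "$demo_dir"
```

To apply it to the real container, copy the script in with `sudo docker cp` and run it there with `sudo docker container exec`, sourcing it and calling `force_rsa_keys /etc/letsencrypt.ini`; after the next certificate renewal you can confirm the switch took effect with `openssl x509 -in fullchain.pem -noout -text | grep 'Public Key Algorithm'`, which should report rsaEncryption rather than id-ecPublicKey.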