kobit

kobit

Passionate software developer for work and for fun.

Let’s Encrypt and back to RSA keys

1 minute read

A while ago Let’s Encrypt switched over to use more modern, safer and efficient ECDSA private keys algorithm instead of RSA. And made the ECDSA algorithm default. Unfortunately older software versions are unable to use ECDSA private keys and still expect RSA keys instead. And this is a problem when you obtain SSL certificates using updated Letsencrypt version for software which still requires RSA keys.

This happened for me as I am using most up to date version of Nginx Proxy Manager with outdated version of Mailu email server. All of sudden by email server stopped to be accessible and my email clients reported connectivity issues.

Personal notes: My personal notes on how to setup stuff to make it easier to repeat next time.

There is not much information to be found on the internet that would point to a right direction about all sorts of errors I found in log files. So it took me a while to find the culprit and then a solution.

And the solution is to switch back to RSA private keys for Letsencrypt configuration. This is as simple as adding/replacing 2 lines in the /etc/letsencrypt.ini file. Make sure you remove or comment out the following lines:

#key-type = ecdsa
#elliptic-curve = secp384r1

Instead add these lines:

key-type = rsa
rsa-key-size = 4096

I am accessing my email server only through VPN, so the rsa key size does not really matter but if you expose your server to the internet you may want to set a correct key size for a greater security.

And the solution is actually more like a workaround as a correct fix would be upgrading my email server to a more recent version. To make it even more hakish patchowork, I run the Nginx Proxy Manager within a docker which has a hardcoded Letsencrypt settings, so in order to change the ini file you have to get into the docker container and edit the file:

~$ sudo docker ps
CONTAINER ID   IMAGE                                         COMMAND                  CREATED        STATUS                 PORTS     NAMES
1359a541dba5   mattie112/docker-nginx-proxy-manager:latest   "/init"                  25 hours ago   Up 24 hours                      proxy-man

Now run shell within the nginx proxy manager container and edit the file:

~$ sudo docker container exec -it 1359a541dba5 /bin/bash
bash-5.1# vi /etc/letsencrypt.ini

Unfortunately changes I make are not very permanent and they are all lost after updating nginx proxy manager.

You may also enjoy

Structure needs cleaning error fix

1 minute read

I have recently experienced an error in my k8s setup “Relabel failed… structure needs cleaning”. As a result one of the k8s container/pod failed to start. ...

VIM tab settings for yaml files

less than 1 minute read

Simple vim configuration adjustments to make it work better with yaml files. Personal notes: My personal notes on how to setup stuff to make it easier to re...

IMAP Accounts Migration

4 minute read

When you move your email account around, either between different hosting providers or to/from self-hosted system, you usually want to take your mailbox with...

Kubernetes dashboard on k8s cluster

7 minute read

“Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troublesh...