From f1248fe58a2e51a679d033c401e5d8953b04c8da Mon Sep 17 00:00:00 2001
From: Jay Jahns
Date: Mon, 11 Nov 2024 11:24:51 -0600
Subject: [PATCH] Allow specification of a key type

Letsencrypt allows using a specific key type for certificates. If the user has an internal letsencrypt mechanism, such as Vault Acme, then they have to provide a specific key type as the default is not supported. This change will allow a user to specify a key type and use the lego default in the event that they don't specify it.

Partial-Bug: 2087860
Change-Id: I83e618a861b4d51b6a7893f79c50fdfc35228891
---
 .../letsencrypt-lego/letsencrypt-certificates.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh b/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh
index 0d3a5ac2ff..83bdede877 100755
--- a/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh
+++ b/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh
@@ -23,6 +23,7 @@ function obtain_or_renew_certificate {
 local eab="${8}"
 local hmac="${9}"
 local key_id="${10}"
+ local letsencrypt_key_type="${11:-}"
 certificate_domain_opts=$(echo ${certificate_fqdns} | sed -r -e 's/^/,/g' -e 's/,/--domains=/g' -e 's/--/ --/g')
 certificate_fqdn=$(echo ${certificate_fqdns} | awk -F ',' '{print $1}')
@@ -69,6 +70,7 @@ function obtain_or_renew_certificate {
 log_info "[${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns}."
 mapfile -t cmd_output < <(/opt/lego --email="${mail}" \
+ $( [ -n "${letsencrypt_key_type}" ] && echo "--key-type ${letsencrypt_key_type}" ) \
 ${certificate_domain_opts} \
 --server "${acme_url}" \
 --path "/etc/letsencrypt/lego/${certificate_type}/" \
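Review bot: The added `$( [ -n "${letsencrypt_key_type}" ] && echo "--key-type ${letsencrypt_key_type}" )` line depends on unquoted word-splitting of an echo to turn one string into two lego arguments, so a value containing whitespace or glob characters is split or expanded before lego sees it, and the same unquoted `${LETSENCRYPT_KEY_TYPE}` at the call sites would already have shifted such a value across positional parameters. Collecting the optional flag in an array and expanding it as `"${lego_key_opts[@]}"` keeps the operator-supplied value a single argument and leaves rejecting unknown key types to lego; if the script runs under `set -u` on a bash older than 4.4, use `${lego_key_opts[@]+"${lego_key_opts[@]}"}` so an empty array is not an error. The existing `${certificate_domain_opts}` line uses the same unquoted pattern, so the array form is a style choice for the new code rather than a required change. The function is named obtain_or_renew_certificate and takes a `days` argument, so if there is a separate lego renewal invocation outside this hunk it presumably needs the same flag, otherwise a renewal could regenerate the key with lego's default type. obtain_or_renew_certificate starts before and continues past the hunk.
```shell
    # Only pass --key-type when the caller supplied one; an empty array
    # expands to nothing, so lego falls back to its default key type.
    local -a lego_key_opts=()
    if [[ -n "${letsencrypt_key_type}" ]]; then
        lego_key_opts+=(--key-type "${letsencrypt_key_type}")
    fi
    mapfile -t cmd_output < <(/opt/lego --email="${mail}" \
        "${lego_key_opts[@]}" \
        ${certificate_domain_opts} \
        # … unchanged: --server, --path and the remaining lego arguments …
```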
@@ -118,7 +120,7 @@ KEY_ID="NONE"
 LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log"
-VALID_ARGS=$(getopt -o ief:p:d:m:a:v:h: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh:,eab,kid:,hmac: -- "$@")
+VALID_ARGS=$(getopt -o ief:p:d:m:a:v:h:k: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh:,eab,kid:,hmac:,key-type: -- "$@")
 if [[ $? -ne 0 ]]; then exit 1; fi
@@ -176,6 +178,10 @@ while [ : ]; do
 KEY_ID="${2}"
 shift 2
 ;;
+ -k | --key-type)
+ LETSENCRYPT_KEY_TYPE="${2}"
+ shift 2
+ ;;
 --) shift; break ;;
@@ -203,12 +209,12 @@ if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
 log_info "[${FQDN} - cron] This Letsencrypt-lego host is active..."
 if [ "${LETSENCRYPT_INTERNAL_FQDNS}" != "" ]; then
 log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_INTERNAL_FQDNS}"
- obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID}
+ obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID} ${LETSENCRYPT_KEY_TYPE}
 fi
 if [ "${LETSENCRYPT_EXTERNAL_FQDNS}" != "" ]; then
 log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS}"
- obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID}
+ obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} ${EXTERNAL_ACCOUNT_BINDING} ${HMAC} ${KEY_ID} ${LETSENCRYPT_KEY_TYPE}
 fi
 else
 log_info "[${FQDN} - cron] This Letsencrypt-lego host is passive, nothing to do..."
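Review bot: `LETSENCRYPT_KEY_TYPE` is only ever assigned inside the new `-k | --key-type)` arm, while its siblings such as `KEY_ID="NONE"` (visible in the third hunk's context) get a default before the option loop; if the script runs with `set -u`, or anything reads the variable before parsing, the unset name aborts the cron run whenever `-k` is omitted, and the call sites in the last hunk only work because an unquoted empty expansion vanishes and `${11:-}` fills in. Initialise it next to the other defaults, `LETSENCRYPT_KEY_TYPE=""  # empty: lego picks its default key type`, so that contract is explicit rather than accidental. Since the value goes straight onto the lego command line, consider rejecting anything outside lego's documented `--key-type` values in this arm so a typo fails at parse time with a clear message instead of at the ACME request. The option loop starts before this hunk.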