adferrand / dnsrobocert

Orchestrate Certbot and Lexicon together to provide Let's Encrypt TLS certificates validated by DNS challenges
https://dnsrobocert.readthedocs.io
MIT License

[Feature Request-UNTESTED] Add INITIAL support for configurable (RSA) key sizes (2048, 3072, 4096) #1256

Open OdinVex opened 1 month ago

OdinVex commented 1 month ago

Reason: Let's Encrypt states they support 2048, 3072, 4096 bit keys for RSA and it's becoming more common to use something greater than 2048. Let's Encrypt defaults to a key size of 2048 but 3072 and 4096 have been supported for quite a while.

Notes: key_size: 2048 is the default if not specified. Enumeration supports 2048, 3072, 4096.

Concerns: I don't have a setup for compiling a container for GitHub. This is untested. I do not know if specifying --rsa-key-size will interfere with non-RSA certs.

Fixes: #862.

OdinVex commented 1 month ago

WARNING:

ANY key_size changes to pre-existing installations TEMPORARILY require both --new-key to be appended and force_renew to be set to true. THIS ONLY APPLIES when changing key_size. New installations are perfectly alright to start and stay at any key_size. I did not implement that level of handling, so users will get an error about key-size change requiring those.
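The following is an added example, not dnsrobocert's own code and not the change proposed in this PR. It sketches how a dnsrobocert-style certificate entry carrying the proposed key_size option could be validated against the 2048/3072/4096 enumeration and mapped to certbot's --rsa-key-size flag, and it goes one step further than the PR description by handling the two concerns raised above: it skips the RSA flag for non-RSA key types, and when the caller reports that the lineage already has a key of a different size it appends --new-key and forces renewal rather than letting certbot stop with a key-size-change error. The field name key_type and the way the existing key size is obtained are assumptions of this example; the sample config entry is constructed.

```python
# Added example (hypothetical helper, not dnsrobocert's implementation): validate a
# proposed key_size option and derive the certbot arguments for one certificate entry.
from typing import Optional

SUPPORTED_RSA_KEY_SIZES = (2048, 3072, 4096)  # RSA sizes Let's Encrypt accepts
DEFAULT_RSA_KEY_SIZE = 2048                   # certbot's default when unspecified


def validate_key_size(cert_config: dict) -> int:
    """Return the RSA key size for one certificate entry, defaulting to 2048.

    Anything outside the supported enumeration is rejected at config-load time,
    so a typo such as key_size: 4069 fails early instead of during issuance.
    """
    size = cert_config.get("key_size", DEFAULT_RSA_KEY_SIZE)
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(size, bool) or not isinstance(size, int) or size not in SUPPORTED_RSA_KEY_SIZES:
        raise ValueError(f"key_size must be one of {SUPPORTED_RSA_KEY_SIZES}, got {size!r}")
    return size


def certbot_key_args(cert_config: dict, existing_key_size: Optional[int] = None):
    """Build the key-related certbot arguments for one certificate entry.

    Returns (extra_args, force_renew). existing_key_size is the modulus size of
    the private key already on disk for this lineage (None for a brand-new
    certificate); obtaining it (e.g. by inspecting privkey.pem) is left to the
    caller in this example.
    """
    key_type = cert_config.get("key_type", "rsa")  # assumed field name
    force_renew = bool(cert_config.get("force_renew", False))

    if key_type != "rsa":
        # --rsa-key-size is meaningless for ECDSA keys. Refuse an explicit
        # key_size rather than passing a flag that conflicts with the key type.
        if "key_size" in cert_config:
            raise ValueError("key_size only applies to RSA certificates")
        return [], force_renew

    size = validate_key_size(cert_config)
    args = ["--rsa-key-size", str(size)]

    if existing_key_size is not None and existing_key_size != size:
        # Changing the size of an existing lineage: certbot must generate a new
        # key (--new-key) and the renewal has to be forced, otherwise the run
        # stops with an error about the key-size change.
        args.append("--new-key")
        force_renew = True

    return args, force_renew


if __name__ == "__main__":
    # Constructed sample entry in the shape of a dnsrobocert certificate block.
    sample = {"name": "example.com", "domains": ["example.com"], "key_size": 4096}
    print(certbot_key_args(sample))        # fresh certificate: no --new-key needed
    print(certbot_key_args(sample, 2048))  # upgrading an existing 2048-bit key
```

Note that forcing renewal only when the size actually differs keeps a plain restart of an already-upgraded installation from re-issuing the certificate and burning rate-limit quota.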