From 35369edda0d9e968c31c7a49804f2fbc5853f1d0 Mon Sep 17 00:00:00 2001
From: Alejo Diaz
Date: Thu, 3 Mar 2022 10:12:37 -0300
Subject: [PATCH] Replace matrix_ssl_lets_encrypt_use_ecdsa_keys for matrix_ssl_lets_encrypt_key_type
---
 docs/configuring-playbook-ssl-certificates.md | 6 +++---
 roles/matrix-nginx-proxy/defaults/main.yml | 4 ++--
 roles/matrix-nginx-proxy/tasks/ssl/main.yml | 5 +++++
 .../tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 4 ++--
 .../matrix-ssl-lets-encrypt-certificates-renew.j2 | 4 +---
 5 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md
index f78fabffd..eae584e72 100644
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@@ -102,10 +102,10 @@ See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/c
 Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers.
-## Obtaining SSL certificates with ECDSA private key algorithm
+## Specify the SSL private key algorithm
-If you'd like to obtain ECDSA keys by Let's Encrypt, define your own custom configuration like this:
+If you'd like to [specify the private key type](https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys) used with Let's Encrypt, define your own custom configuration like this:
 ```yaml
-matrix_ssl_lets_encrypt_use_ecdsa_keys: true
+matrix_ssl_lets_encrypt_key_type: ecdsa
 ```
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 9e70e912d..4b1810eae 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -489,9 +489,9 @@ matrix_ssl_lets_encrypt_support_email: ~
 # If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)
 matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'
-# Get SSL certificates with ECDSA private key algorithm.
+# Specify key type of the private key algorithm.
 # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys
-matrix_ssl_lets_encrypt_use_ecdsa_keys: false
+matrix_ssl_lets_encrypt_key_type: rsa
 matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml
index 6c0608186..6b843c7b6 100644
--- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml
@@ -5,6 +5,11 @@
     msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
   when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
+- name: Fail if using unsupported private key type
+  fail:
+    msg: "The `matrix_ssl_lets_encrypt_key_type` variable contains an unsupported value"
+  when: "matrix_ssl_lets_encrypt_key_type not in ['rsa', 'ecdsa']"
+
 # Common tasks, required by almost any method below.
diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
index 7f44eaa0a..12a212579 100644
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
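Review bot: The new comment `# Specify key type of the private key algorithm.` above `matrix_ssl_lets_encrypt_key_type: rsa` does not tell the reader which values are accepted, even though tasks/ssl/main.yml now fails on anything but `rsa` or `ecdsa`. I would replace it with `# Private key type for Let's Encrypt certificates. Supported values: rsa (default) and ecdsa.` so the allowlist is discoverable from the defaults file. Whether an existing RSA certificate is re-keyed on the next run of the renew script or needs a fresh obtain is presumably certbot-version dependent; once confirmed against the pinned certbot release, that is worth a sentence here too.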
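Review bot: The added allowlist `when: "matrix_ssl_lets_encrypt_key_type not in ['rsa', 'ecdsa']"` is what makes it safe for setup_ssl_lets_encrypt_obtain_for_domain.yml and matrix-ssl-lets-encrypt-certificates-renew.j2 to splice the variable into a command line unquoted, but nothing in the task records that dependency. A comment above the task such as `# Keep in sync with certbot's --key-type values; the SSL templates interpolate this variable into command lines verbatim.` would make it explicit. The check also runs regardless of `matrix_ssl_retrieval_method`, which is harmless with the `rsa` default but means a typo in the variable fails even a `self-signed` install; appending `and matrix_ssl_retrieval_method == 'lets-encrypt'` to the condition would scope it, if that is the intent.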
@@ -45,7 +45,7 @@
     --http-01-port 8080
     {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
     {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
-    {% if matrix_ssl_lets_encrypt_use_ecdsa_keys %}--key-type ecdsa{% endif %}
+    --key-type {{ matrix_ssl_lets_encrypt_key_type }}
     --standalone
     --preferred-challenges http
     --agree-tos
@@ -75,7 +75,7 @@
     --http-01-port 8080
     {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
     {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
-    {% if matrix_ssl_lets_encrypt_use_ecdsa_keys %}--key-type ecdsa{% endif %}
+    --key-type {{ matrix_ssl_lets_encrypt_key_type }}
     --standalone
     --preferred-challenges http
     --agree-tos
diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
index f8d6c40fa..89113629b 100644
--- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
@@ -24,9 +24,7 @@ docker run \
     {% if matrix_ssl_lets_encrypt_staging %}
     --staging \
     {% endif %}
-    {% if matrix_ssl_lets_encrypt_use_ecdsa_keys %}
-    --key-type ecdsa \
-    {% endif %}
+    --key-type {{ matrix_ssl_lets_encrypt_key_type }} \
     --standalone \
     --preferred-challenges http \
     --agree-tos \
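Review bot: `--key-type {{ matrix_ssl_lets_encrypt_key_type }}` in both hunks of this file (at -45 and -75) is interpolated without `|quote`, unlike the neighbouring `--server={{ matrix_ssl_lets_encrypt_server|quote }}`. Today the allowlist check in tasks/ssl/main.yml guarantees the value is `rsa` or `ecdsa`, so this is a consistency and defence-in-depth point rather than a live defect, but `--key-type {{ matrix_ssl_lets_encrypt_key_type|quote }}` keeps the command line intact if that check is ever relaxed or reordered. The same applies to the matrix-ssl-lets-encrypt-certificates-renew.j2 hunk below. The enclosing tasks and their command blocks start and end outside the hunks.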
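Review bot: `--key-type {{ matrix_ssl_lets_encrypt_key_type }} \` is now emitted unconditionally, whereas before this commit a deployment with the default setting never passed `--key-type` at all, so the renew script now requires a certbot image release that understands the flag. That is fine if the image version the role pins is recent enough, but it is a behaviour change for existing RSA deployments that the commit message does not mention; a comment above the line, `{# always passed: needs a certbot release that supports --key-type #}`, or a sentence in the docs would record it. The `docker run` command this argument belongs to starts and ends outside the hunk.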