Solved EC-384 keys auto renew as DH-4096 instead of EC-384

Is this a case of DA needing to look into it? I don't want to point the finger at them right away, but I'm afraid I have to if I'm not the only one and it happens across 2 different OSes.

Regarding your edit on Wednesday: I came here when the situation was already like this regarding the RPKI, although I wish I knew how the colleague before me set up those 2 servers. @Richard G
 
I just want to come back to this again.
Are we sure this is a Let's Encrypt issue which we can report to @fln, so that by default not DH4096 but ECDHE is used on automatic certificates made by DA?
Because this is odd.
 
I'm having the same problem right now, so I'm curious how this was resolved. I get the same message on internet.nl under key exchange parameters.
It looks that way. However, the way to fix this right now is by manually requesting certificates with EC-384 instead of 4096. I had to check every single domain name with SSL on every single server; some did not have this issue, some did. Requesting it again with EC-384 should fix it now and in the future.
 
I do not have any trouble with this. But I assume you also requested a new server cert via DirectAdmin, right? So make sure you have the new E5/E6 etc. and not the old R3 etc.
 
I had to check every single domain name with SSL on every single server,
You can use my plugin to check all domains at once: https://forum.directadmin.com/threads/plugin-for-letsencrypt-domains-overview.65885/

Just had this issue on some domains, not all, where the type was replaced with rsa 256 on renewal and not ec-384 that all domains have used for years.

I did not change anything for those domains. Requested new ones with ec-384. Were there changes in the latest DA versions that could cause this?
 
I would prefer right now not to look at the plugin to keep things unified on my and my customer's servers, but if this happens again, then I'll have to try it. Thank you for sharing a useful tool like that!
Were there changes on latest DA versions that could cause this?
Yeah, it looks that way, but that was a month before my post, because DA refreshes the certificates 30 days before they expire, so it has been patched already at this point. Any renewal now correctly goes with EC 384 and it does actually renew the certificates now.
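
The per-domain check described in this thread (finding certificates whose key type changed on renewal) can be scripted with `openssl`. This is an added example, not code from any poster or from DirectAdmin; it assumes you pass it the paths of the PEM certificate files yourself, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit certificate key types after an automatic renewal.
# Assumption: arguments are paths to PEM certificates; no DirectAdmin paths are assumed.

EXPECTED="EC secp384r1"   # the key type the domains are supposed to keep (EC-384)

# Read `openssl x509 -noout -text` output on stdin, print "<ALG> <curve-or-bits>".
classify_key() {
    local text alg detail
    text=$(cat)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1)
    case "$alg" in
        id-ecPublicKey)
            detail=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n1)
            echo "EC ${detail:-unknown}" ;;
        rsaEncryption)
            # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", 3.x prints "Public-Key: (N bit)"
            detail=$(printf '%s\n' "$text" \
                | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p' | head -n1)
            echo "RSA ${detail:-unknown}" ;;
        "") echo "UNKNOWN none" ;;      # not a parsable certificate
        *)  echo "OTHER $alg" ;;
    esac
}

# Print OK when the classification matches EXPECTED, MISMATCH otherwise.
verdict() {
    if [ "$1" = "$EXPECTED" ]; then echo OK; else echo MISMATCH; fi
}

# Audit one PEM file and print one report line; non-zero status on mismatch.
audit_cert() {
    local kind
    kind=$(openssl x509 -in "$1" -noout -text 2>/dev/null | classify_key)
    printf '%-8s %-16s %s\n' "$(verdict "$kind")" "$kind" "$1"
    [ "$kind" = "$EXPECTED" ]
}

# Audit every certificate path given on the command line.
for f in "$@"; do
    audit_cert "$f" || true   # keep going so every drifted certificate is listed
done
```

Any line reported as `MISMATCH` is a certificate to request again with EC-384, as described above.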
 