[root@server3 exim]# da config-set ecc_certificates 0 does not seem to work

[mejay]

I run:

da config-set ecc_certificates 0
service directadmin restart
/usr/local/directadmin/scripts/letsencrypt.sh server_cert

And it shows

exec ["/usr/local/bin/lego" "--accept-tos" "--email=****@****.***" "--key-type=ec256" "--server=https://acme-v02.api.letsencrypt.org/directory"

I thought that the ecc_certificates=0 setting was supposed to make the certificate generation use RSA keys instead of ECC, but this is not happening.

 

[zEitEr]

Hello,

In order to make certificates generation use RSA keys instead of ECC, you might try to change the following option acme_server_cert_key_type. It effects at least certificate generation for a hostname.

da config-set acme_server_cert_key_type rsa4096 --restart

Related:

- https://docs.directadmin.com/direct...directadmin-conf-values.html#ecc-certificates
- https://docs.directadmin.com/direct...in-conf-values.html#acme-server-cert-key-type

 

[mejay]

That option was already set that way, so I didn't change it. However, I used the manual keytype at the end of this command:

/usr/local/directadmin/scripts/letsencrypt.sh server_cert

like this:

Usage:
 /usr/local/directadmin/scripts/letsencrypt.sh server_cert [<domain>] [<key-type>]

And, that worked, and it seems to stay that way, because now when I run:

/usr/local/directadmin/scripts/letsencrypt.sh server_cert

it gets a new RSA cert.

 

[zEitEr]

/usr/local/directadmin/scripts/letsencrypt.sh server_cert

The command will always make a certificate renewal reuse the same key type as previously created. If you want to create a certificate with another key type you will need to specify a new key type/size in the command, just the way you did it.