Add option to select algorithm to generate ACME certificates

2018-05-16 11:44:03 +02:00 · 2018-05-16 11:44:03 +02:00 · 68cc826519
commit 68cc826519
parent e691168cdc
12 changed files with 179 additions and 23 deletions
--- a/provider/acme/account.go
+++ b/provider/acme/account.go
@ -15,6 +15,7 @@ type Account struct {
 	Email        string
 	Registration *acme.RegistrationResource
 	PrivateKey   []byte
+	KeyType      acme.KeyType
 }

 const (
@ -23,7 +24,9 @@ const (
 )

 // NewAccount creates an account
-func NewAccount(email string) (*Account, error) {
+func NewAccount(email string, keyTypeValue string) (*Account, error) {
+	keyType := GetKeyType(keyTypeValue)
+
 	// Create a user. New accounts need an email and private key to start
 	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
@ -33,6 +36,7 @@ func NewAccount(email string) (*Account, error) {
 	return &Account{
 		Email:      email,
 		PrivateKey: x509.MarshalPKCS1PrivateKey(privateKey),
+		KeyType:    keyType,
 	}, nil
 }

@ -55,3 +59,22 @@ func (a *Account) GetPrivateKey() crypto.PrivateKey {
 	log.Errorf("Cannot unmarshal private key %+v", a.PrivateKey)
 	return nil
 }
+
+// GetKeyType used to determine which algo to used
+func GetKeyType(value string) acme.KeyType {
+	switch value {
+	case "EC256":
+		return acme.EC256
+	case "EC384":
+		return acme.EC384
+	case "RSA2048":
+		return acme.RSA2048
+	case "RSA4096":
+		return acme.RSA4096
+	case "RSA8192":
+		return acme.RSA8192
+	default:
+		log.Warnf("Unable to determine key type value %s. Use %s as default value", value, acme.RSA4096)
+		return acme.RSA4096
+	}
+}
--- a/provider/acme/provider.go
+++ b/provider/acme/provider.go
@ -39,6 +39,7 @@ type Configuration struct {
 	CAServer      string         `description:"CA server to use."`
 	Storage       string         `description:"Storage to use."`
 	EntryPoint    string         `description:"EntryPoint to use."`
+	KeyType       string         `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'"`
 	OnHostRule    bool           `description:"Enable certificate generation on frontends Host rules."`
 	OnDemand      bool           `description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` // Deprecated
 	DNSChallenge  *DNSChallenge  `description:"Activate DNS-01 Challenge"`
@ -116,7 +117,7 @@ func (p *Provider) init() error {
 func (p *Provider) initAccount() (*Account, error) {
 	if p.account == nil || len(p.account.Email) == 0 {
 		var err error
-		p.account, err = NewAccount(p.Email)
+		p.account, err = NewAccount(p.Email, p.KeyType)
 		if err != nil {
 			return nil, err
 		}
@ -246,7 +247,7 @@ func (p *Provider) getClient() (*acme.Client, error) {
 			caServer = p.CAServer
 		}
 		log.Debugf(caServer)
-		client, err := acme.NewClient(caServer, account, acme.RSA4096)
+		client, err := acme.NewClient(caServer, account, account.KeyType)
 		if err != nil {
 			return nil, err
 		}