ECDSA 384 Issuance

Certificate Name: katboose.com
Serial Number: 328b7907cd4755cda84ace8401a54bc6d96
Key Type: ECDSA
Domains: katboose.com
Expiry Date: 2023-10-30 14:33:30+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/katboose.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/katboose.com/privkey.pem

certbot 2.6.0

Thank you. Here's what I'd try. (With the caveat that I haven't actually tried this myself.)

First:

certbot reconfigure --cert-name katboose.com --elliptic-curve=secp384r1

That will change your configuration for that certificate to use P-384 for future certificates.

Then, to test it,

certbot renew --cert-name katboose.com --dry-run

Which will try against the staging server.

Assuming that works, you can then:

certbot renew --cert-name katboose.com --force-renewal

Which will replace your certificate with a new one using the new configuration. Note that this is one of the rare times to use --force-renewal, for getting a new certificate even though you already have one. If that doesn't work the way you expect, don't keep using it because you'll start abusing Let's Encrypt's resources and it'll rate limit you.

6 Likes
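
A check to run after the forced renewal above, to confirm the new certificate really is on P-384. This is an added example, not part of the original posts or of certbot; the function names (cert_curve, check_cert_curve, make_sample_cert) are hypothetical, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: confirm which elliptic curve a certificate's key uses.

# Print the named curve of the first (leaf) certificate in a PEM file.
# openssl x509 reads only the first certificate, so fullchain.pem works.
# Prints nothing for an RSA key or an unreadable file.
cert_curve() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *ASN1 OID: *//p' | head -n 1
}

# Return 0 if the leaf key is on the expected curve (default secp384r1).
# Note: openssl reports certbot's secp256r1 under the name prime256v1.
check_cert_curve() {
    pem=$1
    want=${2:-secp384r1}
    got=$(cert_curve "$pem")
    if [ -z "$got" ]; then
        echo "FAIL: $pem has no EC key (RSA key or unreadable file)" >&2
        return 1
    fi
    if [ "$got" != "$want" ]; then
        echo "FAIL: $pem uses $got, expected $want" >&2
        return 1
    fi
    echo "OK: $pem uses $got"
}

# Constructed sample input: a throwaway self-signed certificate on the
# given curve, for trying the check without touching /etc/letsencrypt.
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$1" -nodes \
        -keyout "$2.key" -out "$2" -subj "/CN=sample.invalid" -days 1 \
        2>/dev/null
}

# On the server from this thread (run as a user that can read the file):
#   check_cert_curve /etc/letsencrypt/live/katboose.com/fullchain.pem
```

A non-zero exit status makes the check usable from a script that runs after renewal.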

This worked beautifully, thank you. If I needed to start something new, how do I ensure certbot installs ECDSA 384 instead?

1 Like

Just add --elliptic-curve=secp384r1 to the certbot command for your new certificate, along the lines of

certbot run -d example.com --elliptic-curve=secp384r1

Or whatever the command is that you're using.

6 Likes

There may be a way to add that parameter to all new certs by inserting it in the "global default" [cli.ini] file.

See: User Guide — Certbot 2.6.0 documentation (eff-certbot.readthedocs.io)

5 Likes
