Add support for custom certificate key types via environment variables

mz2 · mz2 · commit 2154fe57f880 · 2025-09-12T11:24:25.000Z
This change allows users to specify custom key types and elliptic curves
for SSL certificates through CERT_KEY_TYPE and CERT_ELLIPTIC_CURVE
environment variables. This enables support for ECDSA P-256 certificates
and other key types.

When these environment variables are empty or not set, the current
default behavior is preserved, ensuring backward compatibility.

The environment variables are passed as arguments to certbot when
generating or renewing certificates for both HTTP and DNS challenges.
diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
@@ -857,6 +857,13 @@ const internalCertificate = {
 			certificate.domain_names.join(','),
 		];
 
+		if (process.env.CERT_KEY_TYPE) {
+			args.push('--key-type', process.env.CERT_KEY_TYPE);
+		}
+		if (process.env.CERT_ELLIPTIC_CURVE) {
+			args.push('--elliptic-curve', process.env.CERT_ELLIPTIC_CURVE);
+		}
+
 		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id);
 		args.push(...adds.args);
 
@@ -907,6 +914,13 @@ const internalCertificate = {
 			dnsPlugin.full_plugin_name,
 		];
 
+		if (process.env.CERT_KEY_TYPE) {
+			args.push('--key-type', process.env.CERT_KEY_TYPE);
+		}
+		if (process.env.CERT_ELLIPTIC_CURVE) {
+			args.push('--elliptic-curve', process.env.CERT_ELLIPTIC_CURVE);
+		}
+
 		if (hasConfigArg) {
 			args.push(`--${dnsPlugin.full_plugin_name}-credentials`, credentialsLocation);
 		}
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -23,7 +23,9 @@ ENV SUPPRESS_NO_CONFIG_WARNING=1 \
 	NPM_BUILD_VERSION="${BUILD_VERSION}" \
 	NPM_BUILD_COMMIT="${BUILD_COMMIT}" \
 	NPM_BUILD_DATE="${BUILD_DATE}" \
-	NODE_OPTIONS="--openssl-legacy-provider"
+	NODE_OPTIONS="--openssl-legacy-provider" \
+	CERT_KEY_TYPE="" \
+	CERT_ELLIPTIC_CURVE=""
 
 RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \
 	&& apt-get update \
