
Feature Request - Allow configuration of "key-type" or "Signature Algorithm" #610

Open
GoTTi74 opened this issue Dec 12, 2024 · 8 comments

Comments

@GoTTi74

GoTTi74 commented Dec 12, 2024

Problem/Motivation

When using an old web-server (e.g. Synology DSM 6.x) the ECC/ECDSA "Signature Algorithm" is not supported. Instead the former RSA standard is required.

Expected behavior

Allow NGINX to configure the default "Signature Algorithm"

Actual behavior

By default, the "signature algorithm" is configured in ./etc/letsencrypt.ini as 'key-type = ecdsa'. When issuing a certificate with this key-type, it can't be used in older versions of Synology DSM (6.x). Instead, Synology will show an error "DSM does not support ECC certificates" when trying to import a certificate managed by Nginx.

Steps to reproduce

To work around this issue, one must manually update the 'key-type = ecdsa' to 'key-type = rsa' before renewing a certificate required by Synology (e.g. for "Synology Drive Sync").

Proposed changes

The manual workaround is possible but not persistent.
Ideally, one could configure the preferred "key-type" in the AddOn.
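The manual workaround described above (editing the `key-type` line in ./etc/letsencrypt.ini before a renewal, then changing it back) is easy to get wrong by hand. The following Python helper is an added example, not code from the add-on or from the issue author: it switches the setting, re-activates a commented-out line instead of duplicating it, keeps every other setting untouched, and reports the previous value so you can restore it after the renewal. It assumes the file is a flat `key = value` file as quoted in the issue, that `rsa` and `ecdsa` are the only accepted values, and the sample ini content and file path below are constructed for the demonstration.

```python
"""Switch the ``key-type`` setting in a letsencrypt.ini-style file.

Added example (not the add-on's own code). Assumes a flat ``key = value``
file with ``key-type = ecdsa`` / ``key-type = rsa`` lines as quoted in the
issue; the sample content and temp-file path are constructed.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

# The two values the issue talks about; anything else is rejected.
VALID_KEY_TYPES = ("rsa", "ecdsa")

# Matches an active or commented-out key-type line, tolerant of spacing
# and of a trailing "# ..." comment.
KEY_TYPE_RE = re.compile(
    r"^(?P<comment>\s*[#;]\s*)?key-type\s*=\s*(?P<value>[^\s#;]+)\s*(?:[#;].*)?$"
)

# Constructed sample of what the add-on's ini might look like.
SAMPLE_INI = (
    "email = admin@example.invalid\n"
    "key-type = ecdsa\n"
    "rsa-key-size = 4096\n"
)


def current_key_type(text: str) -> Optional[str]:
    """Return the active key-type value, or None if no active line sets one."""
    for line in text.splitlines():
        m = KEY_TYPE_RE.match(line)
        if m and not m.group("comment"):
            return m.group("value").lower()
    return None


def set_key_type(text: str, key_type: str) -> str:
    """Return the ini text with exactly one active ``key-type = <key_type>`` line.

    An active line is rewritten in place (extra active duplicates are dropped
    so the result is unambiguous); otherwise a commented-out line is
    re-activated; otherwise a new line is appended. Other lines are untouched.
    """
    key_type = key_type.lower()
    if key_type not in VALID_KEY_TYPES:
        raise ValueError(f"unsupported key-type {key_type!r}; expected one of {VALID_KEY_TYPES}")
    new_line = f"key-type = {key_type}"
    lines = text.splitlines()
    matches = [(i, KEY_TYPE_RE.match(line)) for i, line in enumerate(lines)]
    active = [i for i, m in matches if m and not m.group("comment")]
    commented = [i for i, m in matches if m and m.group("comment")]
    if active:
        lines[active[0]] = new_line
        for i in reversed(active[1:]):
            del lines[i]
    elif commented:
        lines[commented[0]] = new_line
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def switch_key_type(path: Path, key_type: str) -> Optional[str]:
    """Rewrite the file in place; return the previous value so it can be restored."""
    text = path.read_text()
    previous = current_key_type(text)
    path.write_text(set_key_type(text, key_type))
    return previous


if __name__ == "__main__":
    # Demonstration on a constructed temp file, not the real add-on path.
    with tempfile.TemporaryDirectory() as tmp:
        ini = Path(tmp) / "letsencrypt.ini"
        ini.write_text(SAMPLE_INI)
        old = switch_key_type(ini, "rsa")      # before renewing for Synology
        print(f"was {old}, now {current_key_type(ini.read_text())}")
        switch_key_type(ini, old or "ecdsa")   # restore the default afterwards
        print(ini.read_text(), end="")
```

Run it before the renewal with `rsa`, import the resulting certificate into DSM, then run it again with the returned previous value so the other certificates keep the default; `current_key_type` lets a wrapper script verify which value is active before triggering certbot.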

@averstappen

I have a similar issue, in my case a printer that doesn't support ecdsa. My preferred solution would be to be able to override the key-type per certificate, so that all other certificates stay at the default.

@mbisax

mbisax commented Jan 13, 2025

My Synology NAS is updated to DSM 7.2.2 and uses the ECDSA certificate from Let's Encrypt, which is not configurable (I haven't found, exploring the Internet, an easy way as a solution yet).
Meshcentral (in my setup, installed via docker and using the nginx reverse proxy) suffers from the same problem, but opposite: the ECDSA certificate is, in fact, incompatible with meshcentral/meshcmd, which uses, instead, the RSA certificate.
I hope and wish, like GoTTi74, that Synology makes a change to allow easy configuration to use the preferred certificate of the program that requires it in a form other than ECDSA or RSA.

@GoTTi74

GoTTi74 commented Jan 13, 2025

I hope and wish, like GoTTi74, that Synology makes a change to allow easy configuration to use the preferred certificate of the program that requires it in a form other than ECDSA or RSA.

You must have misunderstood me. My hope is to be able to configure Nginx to either receive an ECDSA or RSA certificate. I'm not expecting that Synology makes a change.

@mbisax

mbisax commented Jan 13, 2025

Thanks for your correction.
However, I believe that what you expect, without an intervention from Synology, is not possible. I tried to change the Proxy-Reverse configuration but, as soon as the service is re-run, the configuration returns to the default. Maybe I made some mistake but that's what happens to me.
In any case, you're right, I misunderstood what you meant: it would be great if it were possible to decide which type of certificate to use.

@GoTTi74

GoTTi74 commented Jan 13, 2025 via email


There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues.
Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍
This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

@github-actions github-actions bot added the "stale" label (There has not been activity on this issue or PR for quite some time.) on Feb 13, 2025
@mbisax

mbisax commented Feb 14, 2025

I updated to version 1.1.38 but the result is still the same.
MeshCmd returns with the error "Invalid TLS certificate detected", as I expected.
I can do nothing but wait for a solution from the meshcentral team since only with an ECDSA certificate (not RSA) is it possible to make the server work on my Synology, for all the reasons I have already explained.

Thanks for the assistance

@GoTTi74

GoTTi74 commented Feb 14, 2025

Hi mbisax

Have you tried a manual workaround configuring your nginx integration to request the certificate key-type to ECDSA?

At least this is my manual "solution" for issuing (legacy) certificates that I can import in my Synology.

In case you need more information on how to do this, let me know.

@github-actions github-actions bot removed the "stale" label (There has not been activity on this issue or PR for quite some time.) on Feb 15, 2025