This issue concerns the ECDSA certificate generation feature provided by #8254. It is about how Certbot should behave when certonly or run command are run to generate a certificate for an existing lineage (either explicitly with --cert-name file or implicitly because of the set of domains required), as described in the design document: https://docs.google.com/document/d/18pr4F4SVim-bSR6izNV5ZYwolnvitTvmP6gqElDdZPU/edit?usp=sharing
Indeed, since the default key type is RSA when --key-type is not set, we do not want Certbot to silently swap an ECDSA certificate for an RSA one; it should instead require explicit user approval by passing the relevant CLI flags.
This will also cover the inverse situation with existing RSA certificates, when/if Certbot switches to ECDSA keys by default.
So, for both certbot certonly and certbot run:
- If --cert-name is set, --key-type is not, a certificate exists for that lineage, and its key type is not the same as the target type computed by Certbot, then an error should be raised, asking the user to set --key-type explicitly.
- If neither --cert-name nor --key-type is set, a certificate with an identical set or a subset of the requested domains exists, and its key type is not the same as the computed target type, then an error should be raised, asking the user to set --key-type and --cert-name explicitly.
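The two rules above, written out as a standalone decision function. This is an added illustration, not Certbot's own code: the `Lineage` class, the lineage list and the `default_key_type` parameter are assumptions standing in for Certbot's storage and configuration, and lineage matching by domains uses the "identical set or subset of the requested domains" rule from the issue text.

```python
"""Key-type consistency check for existing lineages (illustrative, not Certbot's code)."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Lineage:
    """Minimal stand-in for a Certbot certificate lineage (assumed shape)."""
    name: str
    domains: frozenset
    key_type: str  # "rsa" or "ecdsa"


def _by_name(lineages: Iterable[Lineage], cert_name: str) -> Optional[Lineage]:
    return next((ln for ln in lineages if ln.name == cert_name), None)


def _by_domains(lineages: Iterable[Lineage], requested: Iterable[str]) -> Optional[Lineage]:
    # An existing certificate matches when its domains are identical to, or a
    # subset of, the requested domains (the case Certbot would otherwise expand).
    wanted = frozenset(requested)
    return next((ln for ln in lineages if ln.domains and ln.domains <= wanted), None)


def check_key_type(cert_name: Optional[str], key_type: Optional[str], domains: Iterable[str],
                   lineages: Iterable[Lineage], default_key_type: str = "rsa") -> Optional[str]:
    """Return an error message if a silent key-type switch would occur, else None.

    default_key_type models Certbot's default when --key-type is absent (RSA today);
    changing it exercises the "inverse situation" once ECDSA becomes the default.
    """
    if key_type is not None:
        return None  # explicit --key-type is the user's approval of any switch
    target = default_key_type
    if cert_name is not None:
        lineage = _by_name(lineages, cert_name)
        if lineage is not None and lineage.key_type != target:
            return (f"Lineage '{cert_name}' uses {lineage.key_type.upper()} keys but the "
                    f"target type is {target.upper()}; set --key-type explicitly to change it.")
        return None
    lineage = _by_domains(lineages, domains)
    if lineage is not None and lineage.key_type != target:
        return (f"Existing lineage '{lineage.name}' covering these domains uses "
                f"{lineage.key_type.upper()} keys but the target type is {target.upper()}; "
                f"set --key-type and --cert-name explicitly to change it.")
    return None
```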