Merge pull request #320 from martijndegouw/feature/keytype

Add support for specifying key type ECDSA

Author: kenyon

REFERENCE.md

@@ -77,7 +77,9 @@ The following parameters are available in the `letsencrypt` class:
 * [`agree_tos`](#-letsencrypt--agree_tos)
 * [`unsafe_registration`](#-letsencrypt--unsafe_registration)
 * [`config_dir`](#-letsencrypt--config_dir)
+* [`key_type`](#-letsencrypt--key_type)
 * [`key_size`](#-letsencrypt--key_size)
+* [`elliptic_curve`](#-letsencrypt--elliptic_curve)
 * [`certificates`](#-letsencrypt--certificates)
 * [`renew_pre_hook_commands`](#-letsencrypt--renew_pre_hook_commands)
 * [`renew_post_hook_commands`](#-letsencrypt--renew_post_hook_commands)
@@ -214,6 +216,14 @@ The path to the configuration directory.
 
 Default value: `'/etc/letsencrypt'`
 
+##### <a name="-letsencrypt--key_type"></a>`key_type`
+
+Data type: `Enum['rsa', 'ecdsa']`
+
+Type of private key
+
+Default value: `'rsa'`
+
 ##### <a name="-letsencrypt--key_size"></a>`key_size`
 
 Data type: `Integer[2048]`
@@ -222,6 +232,14 @@ Size for the RSA public key
 
 Default value: `4096`
 
+##### <a name="-letsencrypt--elliptic_curve"></a>`elliptic_curve`
+
+Data type: `String[1]`
+
+The SECG elliptic curve name to use
+
+Default value: `'secp256r1'`
+
 ##### <a name="-letsencrypt--certificates"></a>`certificates`
 
 Data type: `Hash[String[1],Hash]`
@@ -899,7 +917,9 @@ The following parameters are available in the `letsencrypt::certonly` defined ty
 * [`letsencrypt_command`](#-letsencrypt--certonly--letsencrypt_command)
 * [`additional_args`](#-letsencrypt--certonly--additional_args)
 * [`environment`](#-letsencrypt--certonly--environment)
+* [`key_type`](#-letsencrypt--certonly--key_type)
 * [`key_size`](#-letsencrypt--certonly--key_size)
+* [`elliptic_curve`](#-letsencrypt--certonly--elliptic_curve)
 * [`manage_cron`](#-letsencrypt--certonly--manage_cron)
 * [`cron_output`](#-letsencrypt--certonly--cron_output)
 * [`cron_before_command`](#-letsencrypt--certonly--cron_before_command)
@@ -982,6 +1002,14 @@ An optional array of environment variables
 
 Default value: `[]`
 
+##### <a name="-letsencrypt--certonly--key_type"></a>`key_type`
+
+Data type: `Enum['rsa', 'ecdsa']`
+
+Type of private key
+
+Default value: `$letsencrypt::key_type`
+
 ##### <a name="-letsencrypt--certonly--key_size"></a>`key_size`
 
 Data type: `Integer[2048]`
@@ -990,6 +1018,14 @@ Size for the RSA public key
 
 Default value: `$letsencrypt::key_size`
 
+##### <a name="-letsencrypt--certonly--elliptic_curve"></a>`elliptic_curve`
+
+Data type: `String[1]`
+
+The SECG elliptic curve name to use
+
+Default value: `$letsencrypt::elliptic_curve`
+
 ##### <a name="-letsencrypt--certonly--manage_cron"></a>`manage_cron`
 
 Data type: `Boolean`

manifests/certonly.pp

@@ -87,7 +87,9 @@
 # @param letsencrypt_command Command to run letsencrypt
 # @param additional_args An array of additional command line arguments to pass to the `letsencrypt` command.
 # @param environment  An optional array of environment variables
+# @param key_type Type of private key
 # @param key_size Size for the RSA public key
+# @param elliptic_curve The SECG elliptic curve name to use
 # @param manage_cron
 #   Indicating whether or not to schedule cron job for renewal.
 #   Runs daily but only renews if near expiration, e.g. within 10 days.
@@ -128,7 +130,9 @@
   Letsencrypt::Plugin                       $plugin               = 'standalone',
   Array[Stdlib::Unixpath]                   $webroot_paths        = [],
   String[1]                                 $letsencrypt_command  = $letsencrypt::command,
+  Enum['rsa', 'ecdsa']                      $key_type             = $letsencrypt::key_type,
   Integer[2048]                             $key_size             = $letsencrypt::key_size,
+  String[1]                                 $elliptic_curve       = $letsencrypt::elliptic_curve,
   Array[String[1]]                          $additional_args      = [],
   Array[String[1]]                          $environment          = [],
   Boolean                                   $manage_cron          = false,
@@ -153,10 +157,16 @@
   $title_nowc = regsubst($title, '^\*\.', '')
 
   if $ensure == 'present' {
+    if $key_type == 'rsa' {
+      $key_args = "--rsa-key-size ${key_size}"
+    } else {
+      $key_args = "--elliptic-curve ${elliptic_curve}"
+    }
+
     if ($custom_plugin) {
-      $default_args = "--text --agree-tos --non-interactive certonly --rsa-key-size ${key_size}"
+      $default_args = "--text --agree-tos --non-interactive certonly --key-type ${key_type} ${key_args}"
     } else {
-      $default_args = "--text --agree-tos --non-interactive certonly --rsa-key-size ${key_size} -a ${plugin}"
+      $default_args = "--text --agree-tos --non-interactive certonly --key-type ${key_type} ${key_args} -a ${plugin}"
     }
   } else {
     $default_args = '--text --agree-tos --non-interactive delete'

manifests/init.pp

@@ -27,7 +27,9 @@
 # @param agree_tos A flag to agree to the Let's Encrypt Terms of Service.
 # @param unsafe_registration A flag to allow using the 'register-unsafely-without-email' flag.
 # @param config_dir The path to the configuration directory.
+# @param key_type Type of private key
 # @param key_size Size for the RSA public key
+# @param elliptic_curve The SECG elliptic curve name to use
 # @param certificates A hash containing certificates. Each key is the title and each value is a hash, both passed to letsencrypt::certonly.
 # @param renew_pre_hook_commands Array of commands to run in a shell before obtaining/renewing any certificates.
 # @param renew_post_hook_commands Array of commands to run in a shell after attempting to obtain/renew certificates.
@@ -80,7 +82,9 @@
   Boolean $manage_install            = true,
   Boolean $agree_tos                 = true,
   Boolean $unsafe_registration       = false,
+  Enum['rsa', 'ecdsa'] $key_type     = 'rsa',
   Integer[2048] $key_size            = 4096,
+  String[1] $elliptic_curve          = 'secp256r1',
   Hash[String[1],Hash] $certificates = {},
   # $renew_* should only be used in letsencrypt::renew (blame rspec)
   Variant[String[1], Array[String[1]]] $renew_pre_hook_commands = [],