From 2154fe57f8804de45a6eef322a218a011939c455 Mon Sep 17 00:00:00 2001
From: Matias Piipari
Date: Fri, 12 Sep 2025 11:16:46 +0000
Subject: [PATCH] Add support for custom certificate key types via environment variables
This change allows users to specify custom key types and elliptic curves for SSL certificates through CERT_KEY_TYPE and CERT_ELLIPTIC_CURVE environment variables. This enables support for ECDSA P-256 certificates and other key types. When these environment variables are empty or not set, the current default behavior is preserved, ensuring backward compatibility. The environment variables are passed as arguments to certbot when generating or renewing certificates for both HTTP and DNS challenges.
---
 backend/internal/certificate.js | 14 ++++++++++++++
 docker/Dockerfile | 4 +++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
index 55e74c3e7..35ae29516 100644
--- a/backend/internal/certificate.js
+++ b/backend/internal/certificate.js
@@ -857,6 +857,13 @@ const internalCertificate = {
 certificate.domain_names.join(','),
 ];
+ if (process.env.CERT_KEY_TYPE) {
+ args.push('--key-type', process.env.CERT_KEY_TYPE);
+ }
+ if (process.env.CERT_ELLIPTIC_CURVE) {
+ args.push('--elliptic-curve', process.env.CERT_ELLIPTIC_CURVE);
+ }
+
 const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id);
 args.push(...adds.args);
@@ -907,6 +914,13 @@ const internalCertificate = {
 dnsPlugin.full_plugin_name,
 ];
+ if (process.env.CERT_KEY_TYPE) {
+ args.push('--key-type', process.env.CERT_KEY_TYPE);
+ }
+ if (process.env.CERT_ELLIPTIC_CURVE) {
+ args.push('--elliptic-curve', process.env.CERT_ELLIPTIC_CURVE);
+ }
+
 if (hasConfigArg) {
 args.push(`--${dnsPlugin.full_plugin_name}-credentials`, credentialsLocation);
 }
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 0603e2ded..58782d6df 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
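Review bot: The values read from `process.env.CERT_KEY_TYPE` and `process.env.CERT_ELLIPTIC_CURVE` in the new `if` blocks of the HTTP-challenge hunk are handed to certbot without any validation, so a typo such as `ecsda`, or a curve name certbot does not accept, is only discovered when the next issuance or renewal fails. certbot's `--key-type` takes only `rsa` or `ecdsa`, and `--elliptic-curve` is meaningful only together with `ecdsa`, so an allow-list check at the push site such as `if (!['rsa', 'ecdsa'].includes(process.env.CERT_KEY_TYPE)) throw new Error('CERT_KEY_TYPE must be "rsa" or "ecdsa"');` would report the misconfiguration where it is made. The options are also pushed ahead of `getAdditionalCertbotArgs`, so an operator who already supplies `--key-type` through that mechanism ends up with both on the command line; which one certbot honours presumably depends on its argument parsing and is worth confirming. How `args` is finally handed to certbot is outside the hunk; if it is joined into a shell string rather than passed as an argv array, these values would additionally need escaping. The enclosing function starts and ends outside the hunk.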
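Review bot: The two `if` blocks added to the DNS-challenge path are a verbatim copy of the ones added to the HTTP-challenge path earlier in this file, and the file already centralises extra certbot options in `getAdditionalCertbotArgs`, so the env-derived options belong in one helper that both call sites spread into `args`. A single helper also keeps the accepted values in one place (certbot's `--key-type` takes `rsa` or `ecdsa`; `--elliptic-curve` only applies to `ecdsa`) and lets both paths reject a misconfigured value the same way instead of failing later inside certbot. A sketch of such a helper, added beside `getAdditionalCertbotArgs` on `internalCertificate`, follows; each call site then becomes `args.push(...internalCertificate.getKeyTypeArgs());`. The enclosing function starts and ends outside the hunk.
```javascript
	/**
	 * Builds the certbot key-type arguments selected through the
	 * CERT_KEY_TYPE / CERT_ELLIPTIC_CURVE environment variables.
	 * Empty or unset variables yield no arguments, so certbot's own
	 * defaults apply (the pre-existing behaviour).
	 *
	 * @returns {string[]} argv fragment to append to the certbot call
	 * @throws {Error} when a variable holds a value certbot would reject
	 */
	getKeyTypeArgs: () => {
		const keyType = (process.env.CERT_KEY_TYPE || '').trim();
		const curve = (process.env.CERT_ELLIPTIC_CURVE || '').trim();
		const out = [];
		if (keyType) {
			if (!['rsa', 'ecdsa'].includes(keyType)) {
				throw new Error(`CERT_KEY_TYPE must be "rsa" or "ecdsa", got "${keyType}"`);
			}
			out.push('--key-type', keyType);
		}
		if (curve) {
			// A curve only makes sense for ECDSA keys; reject the mismatch
			// rather than letting certbot silently ignore the setting.
			if (keyType && keyType !== 'ecdsa') {
				throw new Error('CERT_ELLIPTIC_CURVE is only valid with CERT_KEY_TYPE=ecdsa');
			}
			// Curve names are plain alphanumerics (secp256r1, secp384r1, ...);
			// anything else is a typo or an attempt to smuggle extra arguments.
			if (!/^[A-Za-z0-9]+$/.test(curve)) {
				throw new Error(`CERT_ELLIPTIC_CURVE has an unexpected value "${curve}"`);
			}
			out.push('--elliptic-curve', curve);
		}
		return out;
	},
```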
@@ -23,7 +23,9 @@ ENV SUPPRESS_NO_CONFIG_WARNING=1 \
 NPM_BUILD_VERSION="${BUILD_VERSION}" \
 NPM_BUILD_COMMIT="${BUILD_COMMIT}" \
 NPM_BUILD_DATE="${BUILD_DATE}" \
- NODE_OPTIONS="--openssl-legacy-provider"
+ NODE_OPTIONS="--openssl-legacy-provider" \
+ CERT_KEY_TYPE="" \
+ CERT_ELLIPTIC_CURVE=""
 RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \
 && apt-get update \
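Review bot: The new `CERT_KEY_TYPE=""` and `CERT_ELLIPTIC_CURVE=""` defaults give no hint of which values are accepted, and nothing in the image records that an empty string means "keep certbot's default", which is the only reason the change is backward compatible. Since the backend passes these values straight to certbot, a wrong value is reported only when the next issuance or renewal runs, so a comment is worth more here than usual. I would add, on the lines above the `ENV` instruction (which begins outside the hunk), `# CERT_KEY_TYPE: rsa | ecdsa (certbot --key-type). CERT_ELLIPTIC_CURVE: SECG curve name such as secp256r1, used only with ecdsa. Empty = certbot default.`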