From a38aac4cd336791a2104a74ab8abbef82aabc1c5 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 14 Jan 2021 11:21:32 -0800
Subject: [PATCH] certbot: add a cli.ini file with (commented out) ecdsa certs

Once this becomes useful we should switch the letsencrypt certs we get. Right now it's not, as the intermediate is the letsencrypt R3, which is a rsa 2048 bit, so it doesn't help the FUTURE case. Someday they will switch this to use the X1 cert which will be ECC and it will be useful to switch.

Signed-off-by: Kevin Fenzi
---
 roles/letsencrypt/files/cli.ini  |  2 ++
 roles/letsencrypt/tasks/main.yml | 10 ++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 roles/letsencrypt/files/cli.ini

diff --git a/roles/letsencrypt/files/cli.ini b/roles/letsencrypt/files/cli.ini
new file mode 100644
index 0000000000..104092bc1f
--- /dev/null
+++ b/roles/letsencrypt/files/cli.ini
@@ -0,0 +1,2 @@
+#key-type = ecdsa
+#elliptic-curve = secp384r1
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
index a25597aa94..14da3aed7c 100644
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
@@ -1,3 +1,13 @@
+- name: setup defaults file
+  copy: >
+    dest=/etc/letsencrypt/cli.ini
+    src=cli.ini
+    owner=root
+    group=root
+    mode=0644
+  tags:
+    - letsencrypt
+
 - name: Generate (or renew) the certificate
   delegate_to: "certgetter01.iad2.fedoraproject.org"
   command: certbot certonly --expand --keep -n --webroot --webroot-path /var/www/html/ -d {{','.join([site_name] + server_aliases)}}
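Review bot: The new "setup defaults file" task in the main.yml hunk writes /etc/letsencrypt/cli.ini on the play's target host, but the certbot invocation right below it runs with `delegate_to: "certgetter01.iad2.fedoraproject.org"`, so the file is only consulted if certgetter01 is itself a target of this role; otherwise the (future, uncommented) key-type/elliptic-curve settings will never reach the certbot run that issues the certificate. If the intent is to configure the delegated host, the copy task presumably needs the same `delegate_to:` (and `run_once: true` to avoid repeated copies), which I would confirm against the inventory. The copy module also does not create the parent directory, so on a host where certbot has not yet run, /etc/letsencrypt may be absent and the task will fail; a preceding `file: path=/etc/letsencrypt state=directory owner=root group=root mode=0755` task, or reordering so the copy runs after certbot has created it, would make the task robust on fresh hosts. A short comment above the task stating where the file is expected to be read, e.g. `# Read by the delegated certbot run on certgetter01; keep in sync with files/cli.ini`, would spare the next maintainer the same question. The certbot task's remaining lines continue outside the hunk.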