Can not change Letsencrypt to 4096

Trying for days to change my Letsencrypt key from 2048 to 4096.

I tried changing /etc/letsencrypt/cli.in with rsa_key_size = 4096. And renewing the keys. But that did not work. If I try to reissue the new key, I cannot change the SSL key size (seems locked to 2048).


Any suggestions how to do it?

Regards,
Rob Oudendijk

This is what I see when I hover over the input field of the SSL size:

Regards,
Rob Oudendijk

Still trying to get a 4096 key. But not yet successful.
Can anyone confirm if it is possible to get a 4096 key with Letsencrypt on Virtualmin?

Regards,
Rob Oudendijk

dunno what this is, but I guess if you selected the second radio button, after the text (2048), this should allow you to edit that field on whatever panel that is, I don’t recognise it as anything from the virtualmin project so it may be worth asking whoever maintains it

Under webmin you get the option to set key size. (clue in first post) I don’t see the other fields above it though in the first post.

EDIT: Those fields come from the ‘cert signing request’ screen, not Let’s Encrypt.

Thanks for the reply. The problem is that I tried it in Webmin/Webmin Config/, but could not do it. Same issue. Cannot change the default. See screenshot below.

I clicked on the radio button and entered 4096. That’s as far as I got since I don’t want to actually change it at the moment. I have no commercial sites so I don’t want to add processing overhead.

Thanks for the fast reply. My bad, I could not see the button in dark mode. Got it now!!
Seems to work!!

Dark mode:

Light mode:

Regards,
Rob Oudendijk

Then thanks to @jimr1 because he is the one that actually pointed that out. :wink:

Button works, I set up (restarted Postfix) but still I get an error. See below for testing the mail server. Seems still using 2048 keys. :frowning: From https://internet.nl/mail/yr-design.biz/959776/#control-panel-17

Verdict:

At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

Technical details:

Did you request a new certificate?
May need this option in Virtualmin if possible.
P.S. Found command line

That doesn’t have anything to do with the certificate size.

https://www.postfix.org/TLS_README.html#server_cipher

Joe,

Thanks for the reply and the link to the Postfix site. But it is mentioned in the error that:

Technical details:

| Mail server (MX) | Affected parameters | Security level |
|---|---|---|
| yr-design.biz. | DH-2048 | insufficient |

Test explanation:

We check if the public parameters used in Diffie-Hellman key exchange by your receiving mail servers (MX) are secure.

Any pointer (except for the very long page on the Postfix website) how I can make it sufficient?

Regards,
Rob

Stefan,

Yes, I made the request, restarted the server but no change. :frowning:

Regards,
Rob

My domain fails as well and I send and receive mail just fine. Googled it and it's not Letsencrypt, it's a server configuration; you should see talk on it on the Letsencrypt forums.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.