From: Grant Slater Date: Sat, 1 Mar 2025 18:37:18 +0000 (+0000) Subject: letsencrypt: Add ECDSA key type check to check-certificate X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/090523cd37861bf8a78bf59ed53695eb13c07ad3?ds=inline;hp=--cc letsencrypt: Add ECDSA key type check to check-certificate --- 090523cd37861bf8a78bf59ed53695eb13c07ad3
diff --git a/cookbooks/letsencrypt/templates/default/check-certificate.erb b/cookbooks/letsencrypt/templates/default/check-certificate.erb
index 8863e9ae8..319072b6b 100644
--- a/cookbooks/letsencrypt/templates/default/check-certificate.erb
+++ b/cookbooks/letsencrypt/templates/default/check-certificate.erb
@@ -33,6 +33,10 @@ if ssl
 puts "Certificate #{domains.first} on #{host} expires at #{certificate.not_after}"
 end
+ unless certificate.public_key.is_a?(OpenSSL::PKey::EC)
+ puts "Certificate #{domains.first} on #{host} does not use ECDSA key type"
+ end
+
 digest = OpenSSL::Digest::SHA1.new
 certificate_id = OpenSSL::OCSP::CertificateId.new(certificate, issuer, digest)
 ocsp_request = OpenSSL::OCSP::Request.new.add_certid(certificate_id)
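Review bot: The warning added in the `unless certificate.public_key.is_a?(OpenSSL::PKey::EC)` branch says only that the key is not ECDSA, and the check accepts any EC curve. Reporting the key type that was actually served would make the alert actionable, e.g. `puts "Certificate #{domains.first} on #{host} uses #{certificate.public_key.class} key, expected ECDSA"`. If policy requires a specific curve, the branch could also compare `certificate.public_key.group.curve_name` against the expected name. On a host that serves both RSA and ECDSA certificates, the result presumably depends on what the client's SSL context (set up outside this hunk) offers, so a pass here would not show that no RSA certificate is deployed. The enclosing `if ssl` block starts and ends outside the hunk.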