From 048e6c13aeab4d31c3eaefd8d0dd6f2a2ba14269 Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Sun, 29 Mar 2020 22:36:26 +0200
Subject: [PATCH] Fix renewal of ECC/ECDSA certificates.

The ACME v2 implementation uses separate directoies for ECC and on-ECC certificates. The renew command for a domain checks if an ECC directory exists (having a "_ecc" suffix) and refuses the command unless the "--ecc" flag was specified. Confusingly, this flag is only required to *renew* an ECC certificate, but not to issue it. This fixes https://github.com/Froxlor/Froxlor/issues/820.
---
 lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php b/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php
index 2515783a..7b8cbcae 100644
--- a/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php
+++ b/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php
@@ -327,6 +327,9 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron
 }
 if (Settings::Get('system.leecc') > 0) {
 $acmesh_cmd .= " --keylength ec-" . Settings::Get('system.leecc');
+ if ($cert_mode != 'issue') {
+ $acmesh_cmd .= " --ecc";
+ }
 } else {
 $acmesh_cmd .= " --keylength " . Settings::Get('system.letsencryptkeysize');
 }
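Review bot: The added `--ecc` flag follows the current `system.leecc` setting rather than the key type of the certificate already on disk, so a renewal after that setting has been switched would presumably pass the wrong flag: an existing `_ecc` directory with the setting now at 0 still gets no `--ecc`, and an RSA certificate with the setting now above 0 gets one. The enclosing method starts and ends outside this hunk, including how `$cert_mode` is chosen, so confirm that a change of key type forces `issue`; otherwise renewals can keep failing until the certificate expires. Separately, the context lines concatenate `Settings::Get('system.leecc')` and `Settings::Get('system.letsencryptkeysize')` into `$acmesh_cmd` unescaped; if that string is handed to a shell, casting first, e.g. `" --keylength ec-" . (int) Settings::Get('system.leecc')`, keeps a malformed setting value out of the command line. The new comparison would also read better strict, as `$cert_mode !== 'issue'`.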