IPfire fails PCI scan due to self signed cert

Hi,

I installed dehydrated on IPFire core 170 so I could pass the PCI scan. LetsEncrypt works with dns-01 but the PCI scan says the IPFire cert is self signed.

I guess I missed something along the way.
What are the steps to finish this?
BTW I have a couple of CPA clients that will be needing this pretty soon.
Thanks

1 Like

Hi,

apologies for the belated response.

This is true: IPFire’s web interface comes with a self-signed certificate, unless you manually replace it with a certificate that fits your demands, such as being issued by a trusted CA.

We cannot do so by default, since it is not guaranteed that an IPFire installation has internet access, and meets other requirements for successfully obtaining a trusted certificate. Therefore, we unfortunately have to stick with self-signed certificates by default.

Sorry to disappoint, and best regards,
Peter Müller

3 Likes

Hi,

No worries. I ended up symlinking the server cert files to the Lets Encrypt files and commenting out server-ecdsa in httpd.conf because I don’t know what server-ecdsa is. Can I symlink those to the same Lets Encrypt cert files?
I passed the PCI scan so I have some time to figure this out before the next go round.
Thanks

There are two sorts of key types for the ssl/tls certificates used for https. The server files are based on rsa and the server-ecdsa are based on ecdsa obviously.

This link gives some explanation on the difference between rsa and ecdsa but there are many other references for this.
https://sectigostore.com/blog/ecdsa-vs-rsa-everything-you-need-to-know/

You could link it but then you would just have server-ecdsa linked to a rsa certificate which doesn’t do anything additional and might confuse in the future.

Most https sites will work with both rsa and ecdsa based certificates. In the past there were more sites that were not using ecdsa but only rsa, but ecdsa has spread out a lot now. There may even be some that now only use ecdsa and not rsa, but probably those would still be the minority.

I suspect that most of the URLs that IPFire accesses will be working with rsa and ecdsa with no problems.

If you want to also have the ecdsa version then you would need to get an ecdsa certificate from Lets Encrypt. The default certificate provided by Lets Encrypt, if you don’t specify any specific type in the certbot command, is rsa. To get ecdsa you have to specify it as per the Lets Encrypt certbot documentation.
https://certbot.eff.org/docs/using.html#using-ecdsa-keys
Just read part of that documentation and it says that from certbot 2.0.0 onwards ecdsa will be the default key type and you will have to specify rsa to get a certificate with that key type.

You have to create two separate certificates, one for rsa and one for ecdsa, but any renewal should occur for both as they will have the same domain name.

Hope this helps.

EDIT:
As you are using dehydrated to get the certificates, I checked the documentation for that and it says:

Elliptic Curve Cryptography (ECC)

This script also supports certificates with Elliptic Curve public keys! Simply set the KEY_ALGO variable in one of the config files.

ECC is just an alternative name to ECDSA. They both refer to the same thing.
So you can get both rsa and ecdsa based certificates via dehydrated.

4 Likes
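Before linking a Let's Encrypt pair into the server or server-ecdsa slots, it is worth checking that the file really is the key type that slot expects, that it is not self-signed (the condition the PCI scanner flagged), and that the private key belongs to it. The script below is an added example, not code from the thread or from the IPFire project; it assumes the openssl CLI is installed and takes certificate and key paths as arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from IPFire). Requires the openssl
# CLI. Nothing here touches httpd.conf; it only inspects the files you pass.

# Print the public-key algorithm of a PEM certificate: rsa, ecdsa or unknown.
# On a fullchain.pem only the first (leaf) certificate is read.
cert_key_type() {
    case "$(openssl x509 -in "$1" -noout -text 2>/dev/null \
            | grep 'Public Key Algorithm')" in
        *rsaEncryption*)  echo rsa ;;
        *id-ecPublicKey*) echo ecdsa ;;
        *)                echo unknown ;;
    esac
}

# Succeed if the certificate is self-signed (issuer equals subject), which is
# what a PCI scan reports for IPFire's stock web-interface certificate.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Succeed if the private key belongs to the certificate, by comparing the
# public key derived from each side. Works for RSA and ECDSA alike.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_pair CERT KEY EXPECTED_TYPE: report problems, exit status 1 on any.
check_pair() {
    crt=$1; key=$2; expect=$3; rc=0
    type=$(cert_key_type "$crt")
    if [ "$type" != "$expect" ]; then
        echo "$crt: key type is $type, expected $expect"; rc=1
    fi
    if cert_is_self_signed "$crt"; then
        echo "$crt: self-signed (subject equals issuer)"; rc=1
    fi
    if ! key_matches_cert "$crt" "$key"; then
        echo "$crt: private key $key does not match"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$crt: ok ($type, CA-issued, key matches)"
    return "$rc"
}
```

Run it once per slot, e.g. `check_pair fullchain.pem privkey.pem rsa` for the server files and `check_pair ... ecdsa` for the server-ecdsa files, and only create the symlinks when both report ok.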

Thank you. This has been quite the educational moment for me.

I can mark it solved.
Thanks again.

1 Like