lacme/certs, branch debian/0.8.1-1

Add certs/letsencryptauthorityx[12].pem

2021-02-15T00:31:29+00:00

Add (self-signed) ISRG Roots to the CA bundle.

2021-02-15T00:31:27+00:00

This allows us to fully validate provided X.509 chains using that
self-contained bundle, regardless of which CAs is marqued as trusted
under /etc/ssl/certs.

Also, remove cross-signed intermediate CAs from the bundle as they're
useless in a self-contained bundle.

Also, remove decomissioned intermediate CAs Authority X3 and X4 from the
bundle.

This change bumps the minimum OpenSSL version to 1.1.0 (for
verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options).

Use upstream certicate chain instead of an hardcoded one.

2020-11-25T23:16:06+00:00

This is a breaking change.  The certificate indicated by 'CAfile' is no
longer used as is in 'certificate-chain' (along with the leaf cert).
The chain returned by the ACME v2 endpoint is used instead.  This allows
for more flexbility with respect to key/CA rotation, cf.
https://letsencrypt.org/2020/11/06/own-two-feet.html and
https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018

Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt
which is a concatenation of all known active CA certificates (which
includes the previous default).

Move X.509 certs to a separate directory.

2016-06-14T01:24:47+00:00