aboutsummaryrefslogtreecommitdiffstats
path: root/client
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-11-25 19:58:13 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-11-26 00:16:06 +0100
commit51369e3955cdc5bf3f1ba0f6e2d7c4d73406c111 (patch)
treefbda1d3514a83cf92593e4ced677bde2338cc27f /client
parent77844de56889ab441607086b554b111a3e7b03cf (diff)
Use upstream certicate chain instead of an hardcoded one.upstream/0.7
This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexbility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default).
Diffstat (limited to 'client')
-rwxr-xr-xclient15
1 files changed, 1 insertions, 14 deletions
diff --git a/client b/client
index b59c013..bacd4d6 100755
--- a/client
+++ b/client
@@ -361,20 +361,7 @@ elsif ($COMMAND eq 'newOrder') {
die "Timeout exceeded while waiting for certificate\n" if $timeout > 0 and $i >= $timeout;
sleep $retry_after;
}
-
- # keep only the leaf certificate
- pipe my $rd, my $wd or die "Can't pipe: $!";
- my $pid = fork // die "Can't fork: $!";
- unless ($pid) {
- open STDIN, '<&', $rd or die "Can't dup: $!";
- exec qw/openssl x509 -outform PEM/ or die;
- }
- $rd->close() or die "Can't close: $!";
- $wd->print( $r->decoded_content() );
- $wd->close() or die "Can't close: $!";
-
- waitpid $pid => 0;
- die $? if $? > 0;
+ print $r->decoded_content();
}