path: root/config/lacme-certs.conf
diff options
authorGuilhem Moulin <guilhem@fripost.org>2020-11-25 19:58:13 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-11-26 00:16:06 +0100
commit51369e3955cdc5bf3f1ba0f6e2d7c4d73406c111 (patch)
treefbda1d3514a83cf92593e4ced677bde2338cc27f /config/lacme-certs.conf
parent77844de56889ab441607086b554b111a3e7b03cf (diff)
Use upstream certicate chain instead of an hardcoded one.upstream/0.7
This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexbility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default).
Diffstat (limited to 'config/lacme-certs.conf')
1 files changed, 5 insertions, 6 deletions
diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index dd02f95..232c85b 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -20,8 +20,8 @@
#certificate = /etc/nginx/ssl/srv.pem
-# Where to store the issued certificate, concatenated with the content
-# of the file specified specified with the CAfile option (in PEM format).
+# Where to store the issued certificate along with its chain of trust
+# (in PEM format).
#certificate-chain = /etc/nginx/ssl/srv.chain.pem
@@ -30,11 +30,10 @@
#min-days = 21
-# Path to the issuer's certificate. This is used for certificate-chain
-# and to verify the validity of each issued certificate. Specifying an
-# empty value skip certificate validation.
+# Path to trusted issuer certificates, used for validating each issued
+# certificate. Specifying an empty value skips certificate validation.
-#CAfile = @@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem
+#CAfile = @@datadir@@/lacme/ca-certificates.crt
# Subject field of the Certificate Signing Request. This option is
# required.