Use upstream certicate chain instead of an hardcoded one.upstream/0.7

This is a breaking change.  The certificate indicated by 'CAfile' is no
longer used as is in 'certificate-chain' (along with the leaf cert).
The chain returned by the ACME v2 endpoint is used instead.  This allows
for more flexbility with respect to key/CA rotation, cf.
https://letsencrypt.org/2020/11/06/own-two-feet.html and
https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018

Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt
which is a concatenation of all known active CA certificates (which
includes the previous default).

1 files changed, 5 insertions, 6 deletions

diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf
index dd02f95..232c85b 100644
--- a/config/lacme-certs.conf
+++ b/config/lacme-certs.conf
@@ -20,8 +20,8 @@
 #
 #certificate = /etc/nginx/ssl/srv.pem
 
-# Where to store the issued certificate, concatenated with the content
-# of the file specified specified with the CAfile option (in PEM format).
+# Where to store the issued certificate along with its chain of trust
+# (in PEM format).
 #
 #certificate-chain = /etc/nginx/ssl/srv.chain.pem
 
@@ -30,11 +30,10 @@
 #
 #min-days = 21
 
-# Path to the issuer's certificate.  This is used for certificate-chain
-# and to verify the validity of each issued certificate.  Specifying an
-# empty value skip certificate validation.
+# Path to trusted issuer certificates, used for validating each issued
+# certificate.  Specifying an empty value skips certificate validation.
 #
-#CAfile = @@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem
+#CAfile = @@datadir@@/lacme/ca-certificates.crt
 
 # Subject field of the Certificate Signing Request.  This option is
 # required.