authorGuilhem Moulin <guilhem@fripost.org>2016-03-27 18:16:23 +0300
committerGuilhem Moulin <guilhem@fripost.org>2016-03-27 18:16:23 +0300
commitca9c10c262b62eb44031f749c2911031eebe1b45 (patch)
tree06ce8eee03869062f5ca62ad3a62532c145f5385 /letsencrypt
parent61d43f4e017f1eb02cff14987394b1d6a18f9c5f (diff)
parentdb187455ab02d725149a2ce0d5b9b1fb23d1de3c (diff)
Merge branch 'master' into debian
Diffstat (limited to 'letsencrypt')
-rwxr-xr-xletsencrypt6
1 files changed, 3 insertions, 3 deletions
diff --git a/letsencrypt b/letsencrypt
index 23659d5..d11b569 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -410,6 +410,8 @@ sub acme_client($@) {
die "connect: $!";
}
+ # use execve(2) rather than a Perl pseudo-process to ensure that the
+ # child doesn't have access to the parent's memory
my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno
spawn({%$args{qw/in out/}, child => sub() {
drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/');
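Review bot: The relocated comment now sits above the `@fileno` untaint line in acme_client, where no exec call is visible, while the `exec { $exec[0] } @exec` line in spawn() (next hunk) is left without its rationale. Wording that names the call it explains, placed directly above `spawn(`, would keep the isolation argument readable from both sides: `# spawn() goes through execve(2) rather than a Perl pseudo-process, so that the child has no access to the parent's memory`. The body of acme_client starts and ends outside this hunk.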
@@ -448,8 +450,6 @@ sub spawn($@) {
} else {
open STDOUT, '>', '/dev/null' or die "Can't open /dev/null: $!";
}
- # use execve(2) rather than a Perl pseudo-process to ensure that
- # the child doesn't have access to the parent's memory
exec { $exec[0] } @exec or die;
}
push @CLEANUP, sub() {
@@ -604,7 +604,7 @@ elsif ($COMMAND eq 'new-cert') {
};
# verify certificate validity against the CA
- $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem';
+ $conf->{CAfile} //= '/usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem';
if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile},
qw/-purpose sslserver -x509_strict/)) {
print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n";
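Review bot: The default `CAfile` pins a single issuing intermediate by file name, so a certificate signed by any other intermediate will fail `openssl verify` and surface as "Received invalid X.509 certificate from ACME server!" until this path is edited again, as the x1 to x3 change here shows. A comment on the default would make that dependency explicit, e.g. `# default pins the current issuing intermediate; point CAfile at a bundle if the CA rotates it`. The context line `$conf->{CAfile} ne ''` also skips verification entirely when the value is empty, which deserves a mention wherever CAfile is documented (not visible here). The enclosing `elsif ($COMMAND eq 'new-cert')` block starts and ends outside the hunk.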