From 51369e3955cdc5bf3f1ba0f6e2d7c4d73406c111 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 25 Nov 2020 19:58:13 +0100
Subject: Use upstream certicate chain instead of an hardcoded one.

This is a breaking change.  The certificate indicated by 'CAfile' is no
longer used as is in 'certificate-chain' (along with the leaf cert).
The chain returned by the ACME v2 endpoint is used instead.  This allows
for more flexbility with respect to key/CA rotation, cf.
https://letsencrypt.org/2020/11/06/own-two-feet.html and
https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018

Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt
which is a concatenation of all known active CA certificates (which
includes the previous default).
---
 client | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

(limited to 'client')

diff --git a/client b/client
index b59c013..bacd4d6 100755
--- a/client
+++ b/client
@@ -361,20 +361,7 @@ elsif ($COMMAND eq 'newOrder') {
         die "Timeout exceeded while waiting for certificate\n" if $timeout > 0 and $i >= $timeout;
         sleep $retry_after;
     }
-
-    # keep only the leaf certificate
-    pipe my $rd, my $wd or die "Can't pipe: $!";
-    my $pid = fork // die "Can't fork: $!";
-    unless ($pid) {
-        open STDIN, '<&', $rd or die "Can't dup: $!";
-        exec qw/openssl x509 -outform PEM/ or die;
-    }
-    $rd->close() or die "Can't close: $!";
-    $wd->print( $r->decoded_content() );
-    $wd->close() or die "Can't close: $!";
-
-    waitpid $pid => 0;
-    die $? if $? > 0;
+    print $r->decoded_content();
 }
 
 
-- 
cgit v1.2.3