From 51369e3955cdc5bf3f1ba0f6e2d7c4d73406c111 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 25 Nov 2020 19:58:13 +0100 Subject: Use upstream certicate chain instead of an hardcoded one. This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexbility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default). --- client | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) (limited to 'client') diff --git a/client b/client index b59c013..bacd4d6 100755 --- a/client +++ b/client @@ -361,20 +361,7 @@ elsif ($COMMAND eq 'newOrder') { die "Timeout exceeded while waiting for certificate\n" if $timeout > 0 and $i >= $timeout; sleep $retry_after; } - - # keep only the leaf certificate - pipe my $rd, my $wd or die "Can't pipe: $!"; - my $pid = fork // die "Can't fork: $!"; - unless ($pid) { - open STDIN, '<&', $rd or die "Can't dup: $!"; - exec qw/openssl x509 -outform PEM/ or die; - } - $rd->close() or die "Can't close: $!"; - $wd->print( $r->decoded_content() ); - $wd->close() or die "Can't close: $!"; - - waitpid $pid => 0; - die $? if $? > 0; + print $r->decoded_content(); } -- cgit v1.2.3