From 51369e3955cdc5bf3f1ba0f6e2d7c4d73406c111 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 25 Nov 2020 19:58:13 +0100 Subject: Use upstream certicate chain instead of an hardcoded one. This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexbility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default). --- config/lacme-certs.conf | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'config') diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index dd02f95..232c85b 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -20,8 +20,8 @@ # #certificate = /etc/nginx/ssl/srv.pem -# Where to store the issued certificate, concatenated with the content -# of the file specified specified with the CAfile option (in PEM format). +# Where to store the issued certificate along with its chain of trust +# (in PEM format). # #certificate-chain = /etc/nginx/ssl/srv.chain.pem @@ -30,11 +30,10 @@ # #min-days = 21 -# Path to the issuer's certificate. This is used for certificate-chain -# and to verify the validity of each issued certificate. Specifying an -# empty value skip certificate validation. +# Path to trusted issuer certificates, used for validating each issued +# certificate. Specifying an empty value skips certificate validation. # -#CAfile = @@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem +#CAfile = @@datadir@@/lacme/ca-certificates.crt # Subject field of the Certificate Signing Request. This option is # required. -- cgit v1.2.3