From 51369e3955cdc5bf3f1ba0f6e2d7c4d73406c111 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 25 Nov 2020 19:58:13 +0100 Subject: Use upstream certicate chain instead of an hardcoded one. This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexbility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default). --- lacme.8.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'lacme.8.md') diff --git a/lacme.8.md b/lacme.8.md index 90fd3cf..4098662 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -326,9 +326,8 @@ Valid options are: *certificate-chain* -: Where to store the issued certificate, concatenated with the content - of the file specified specified with the *CAfile* option (in PEM - format). +: Where to store the issued certificate along with its chain of trust + (in PEM format). At least one of *certificate* or *certificate-chain* is required. *certificate-key* @@ -350,11 +349,9 @@ Valid options are: *CAfile* -: Path to the issuer's certificate. This is used for - *certificate-chain* and to verify the validity of each issued - certificate. - Specifying an empty value skip certificate validation. - Default: `@@datadir@@/lacme/lets-encrypt-x3-cross-signed.pem`. +: Path to trusted issuer certificates, used for validating each issued + certificate. Specifying an empty values skips certificate validation. + Default: `@@datadir@@/lacme/ca-certificates.crt`. *hash* -- cgit v1.2.3