From 1d248394ccb4406b9c65560ed2a6553d9d2a63d5 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 28 Sep 2021 13:28:32 +0200
Subject: [PATCH] Attempt to fix the default root CA.
---
defaults/main.yml | 2 +-
files/acme-sh-cron-command | 1 -
files/acme-sh-request-cert | 1 -
templates/acme_sh_request_env.j2 | 5 +++--
4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 75847e6..2565e1d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -56,7 +56,7 @@ letsencrypt_acme_sh_ecc_key_lenght: ec-384
 letsencrypt_acme_sh_rsa_key_lenght: 4096
 letsencrypt_acme_sh_ocsp_must_staple: False
 # Default: ISRG Root X1
-letsencrypt_acme_sh_specific_root_ca: "--preferred-chain 'isrg'"
+letsencrypt_acme_sh_specific_root_ca: "--preferred-chain 'ISRG Root X1'"
 letsencrypt_acme_email: sysadmin@example.com
 letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}'
 letsencrypt_acme_standalone_port: 4402
diff --git a/files/acme-sh-cron-command b/files/acme-sh-cron-command
index 5b982fd..fd42486 100644
--- a/files/acme-sh-cron-command
+++ b/files/acme-sh-cron-command
@@ -14,7 +14,6 @@ else
 exit 1
 fi
-$ACME_SH_BIN --upgrade -b chain
 $ACME_SH_BIN --cron --home "$ACME_SH_BINDIR" --config-home "$ACME_SH_CONFIG_HOME" > "$ACME_SH_CRON_LOG_FILE" 2>&1
 exit $?
diff --git a/files/acme-sh-request-cert b/files/acme-sh-request-cert
index d7a2dc3..5d148b9 100644
--- a/files/acme-sh-request-cert
+++ b/files/acme-sh-request-cert
@@ -42,7 +42,6 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_
 service httpd start >/dev/null 2>&1
 fi
 else
- $ACME_SH_BIN --upgrade -b chain
 $ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
 RETVAL=$?
 fi
diff --git a/templates/acme_sh_request_env.j2 b/templates/acme_sh_request_env.j2
index 3e9f1a8..1d8e0b2 100644
--- a/templates/acme_sh_request_env.j2
+++ b/templates/acme_sh_request_env.j2
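Review bot: The new default `"--preferred-chain 'ISRG Root X1'"` still carries shell single quotes inside the value, and the only consumer visible in this patch expands it unquoted (`$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST` in files/acme-sh-request-cert), so after word splitting acme.sh would see `'ISRG`, `Root` and `X1'` as three separate arguments rather than one chain name. The old value had the same shape, which is presumably why `'isrg'` (quotes included) never matched anything. I would store only the issuer name, `letsencrypt_acme_sh_specific_root_ca: "ISRG Root X1"`, and add the `--preferred-chain` flag with proper quoting at the point where acme.sh is invoked, with a comment such as `# Issuer name passed to acme.sh --preferred-chain; presumably matched against the alternate chains the CA offers`. If the variable really has to carry the flag, its value should at least contain no quote characters, since they are never interpreted as quotes by the consumer.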
@@ -14,22 +14,23 @@ ACME_SH_GIT_DIST_DIR={{ letsencrypt_acme_git_dest_dir }}
 ACME_LETSENCRYPT_HOOKS_DIR={{ letsencrypt_acme_services_scripts_dir }}
 ACME_SH_HTTP_BIND_PORT={{ letsencrypt_acme_standalone_port }}
 ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}"
-
 ACME_SH_INSTALL_CERTS={{ letsencrypt_acme_sh_explicitly_install_certs }}
 #
 # Install options
 #
+
 ACME_SH_INSTALL_OPTS="{{ letsencrypt_acme_sh_install_options }}"
 {% if not letsencrypt_acme_sh_install_cron %}
 ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --nocron"
 {% endif %}
+ACME_SH_ROOT_CA='{{ letsencrypt_acme_sh_specific_root_ca }}'
 ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --home {{ letsencrypt_acme_sh_user_home }}/bin --config-home {{ letsencrypt_acme_sh_base_data_dir }}/data --certhome {{ letsencrypt_acme_sh_base_data_dir }}/certs --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
 #
 # Certificate issue options
 #
-ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue --server {{ letsencrypt_acme_sh_default_ca }} {{ letsencrypt_acme_sh_specific_root_ca }} -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
+ACME_SH_ISSUE_CERT_REQUEST_OPTIONS='--issue --server {{ letsencrypt_acme_sh_default_ca }} $ACME_SH_ROOT_CA -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log'
 {% if letsencrypt_acme_sh_ocsp_must_staple %}
 ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp"
 {% endif %}
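Review bot: `ACME_SH_ROOT_CA='{{ letsencrypt_acme_sh_specific_root_ca }}'` renders, with the new default from defaults/main.yml, to `ACME_SH_ROOT_CA='--preferred-chain 'ISRG Root X1''`, which a POSIX shell parses as the temporary assignment `ACME_SH_ROOT_CA='--preferred-chain 'ISRG` applied to a command named `Root` with argument `X1` — assuming this file is sourced by the scripts, the variable is never set in the sourcing shell and a command-not-found error lands in the log. Independently, the single-quoted `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS='... $ACME_SH_ROOT_CA ...'` stores the literal text `$ACME_SH_ROOT_CA`; the result of a parameter expansion is not expanded again, so unless the consumer evals the string (the `$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST` line in files/acme-sh-request-cert does not), acme.sh receives `$ACME_SH_ROOT_CA` as an argument and the chain pin silently never takes effect. I would render `ACME_SH_ROOT_CA="{{ letsencrypt_acme_sh_specific_root_ca }}"` holding only the issuer name, drop it from ACME_SH_ISSUE_CERT_REQUEST_OPTIONS, and pass it at the invocation as `$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST --preferred-chain "$ACME_SH_ROOT_CA"`, which keeps the spaces in the name inside one argument. The line that derives ACME_SH_ISSUE_CERT_REQUEST from the OPTIONS variable when OCSP stapling is off is outside this hunk.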