Attempt to fix the default root CA.

This commit is contained in:
Andrea Dell'Amico 2021-09-28 13:28:32 +02:00
parent cc23336ea9
commit 1d248394cc
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
4 changed files with 4 additions and 5 deletions


@ -56,7 +56,7 @@ letsencrypt_acme_sh_ecc_key_lenght: ec-384
letsencrypt_acme_sh_rsa_key_lenght: 4096 letsencrypt_acme_sh_rsa_key_lenght: 4096
letsencrypt_acme_sh_ocsp_must_staple: False letsencrypt_acme_sh_ocsp_must_staple: False
# Default: ISRG Root X1 # Default: ISRG Root X1
letsencrypt_acme_sh_specific_root_ca: "--preferred-chain 'isrg'" letsencrypt_acme_sh_specific_root_ca: "--preferred-chain 'ISRG Root X1'"
letsencrypt_acme_email: sysadmin@example.com letsencrypt_acme_email: sysadmin@example.com
letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}' letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}'
letsencrypt_acme_standalone_port: 4402 letsencrypt_acme_standalone_port: 4402
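Review bot: The new value of `letsencrypt_acme_sh_specific_root_ca` stores shell syntax (a flag plus a single-quoted argument containing spaces) instead of just the chain name, and that is what makes it fragile downstream: the template in this commit copies it into a single-quoted assignment, where the embedded `'` characters end the quoting, and the old value worked only because `isrg` had no spaces. Consider keeping the variable to the bare name, `letsencrypt_acme_sh_specific_root_ca: "ISRG Root X1"`, and letting the template emit `--preferred-chain` with proper quoting, so users can override the chain without knowing the shell quoting rules of the generated script. The comment `# Default: ISRG Root X1` should then say whether an empty value means "no --preferred-chain" (acme.sh's own default), which the current wording leaves open.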


@ -14,7 +14,6 @@ else
exit 1 exit 1
fi fi
$ACME_SH_BIN --upgrade -b chain
$ACME_SH_BIN --cron --home "$ACME_SH_BINDIR" --config-home "$ACME_SH_CONFIG_HOME" > "$ACME_SH_CRON_LOG_FILE" 2>&1 $ACME_SH_BIN --cron --home "$ACME_SH_BINDIR" --config-home "$ACME_SH_CONFIG_HOME" > "$ACME_SH_CRON_LOG_FILE" 2>&1
exit $? exit $?


@ -42,7 +42,6 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_
service httpd start >/dev/null 2>&1 service httpd start >/dev/null 2>&1
fi fi
else else
$ACME_SH_BIN --upgrade -b chain
$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1 $ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
RETVAL=$? RETVAL=$?
fi fi


@ -14,22 +14,23 @@ ACME_SH_GIT_DIST_DIR={{ letsencrypt_acme_git_dest_dir }}
ACME_LETSENCRYPT_HOOKS_DIR={{ letsencrypt_acme_services_scripts_dir }} ACME_LETSENCRYPT_HOOKS_DIR={{ letsencrypt_acme_services_scripts_dir }}
ACME_SH_HTTP_BIND_PORT={{ letsencrypt_acme_standalone_port }} ACME_SH_HTTP_BIND_PORT={{ letsencrypt_acme_standalone_port }}
ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}" ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}"
ACME_SH_INSTALL_CERTS={{ letsencrypt_acme_sh_explicitly_install_certs }} ACME_SH_INSTALL_CERTS={{ letsencrypt_acme_sh_explicitly_install_certs }}
# #
# Install options # Install options
# #
ACME_SH_INSTALL_OPTS="{{ letsencrypt_acme_sh_install_options }}" ACME_SH_INSTALL_OPTS="{{ letsencrypt_acme_sh_install_options }}"
{% if not letsencrypt_acme_sh_install_cron %} {% if not letsencrypt_acme_sh_install_cron %}
ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --nocron" ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --nocron"
{% endif %} {% endif %}
ACME_SH_ROOT_CA='{{ letsencrypt_acme_sh_specific_root_ca }}'
ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --home {{ letsencrypt_acme_sh_user_home }}/bin --config-home {{ letsencrypt_acme_sh_base_data_dir }}/data --certhome {{ letsencrypt_acme_sh_base_data_dir }}/certs --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log" ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --home {{ letsencrypt_acme_sh_user_home }}/bin --config-home {{ letsencrypt_acme_sh_base_data_dir }}/data --certhome {{ letsencrypt_acme_sh_base_data_dir }}/certs --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
# #
# Certificate issue options # Certificate issue options
# #
ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue --server {{ letsencrypt_acme_sh_default_ca }} {{ letsencrypt_acme_sh_specific_root_ca }} -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log" ACME_SH_ISSUE_CERT_REQUEST_OPTIONS='--issue --server {{ letsencrypt_acme_sh_default_ca }} $ACME_SH_ROOT_CA -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log'
{% if letsencrypt_acme_sh_ocsp_must_staple %} {% if letsencrypt_acme_sh_ocsp_must_staple %}
ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp" ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp"
{% endif %} {% endif %}
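Review bot: The new `ACME_SH_ROOT_CA='{{ letsencrypt_acme_sh_specific_root_ca }}'` line breaks with the default value set in this commit: it renders as `ACME_SH_ROOT_CA='--preferred-chain 'ISRG Root X1''`, where the inner quotes close the string, so the assignment becomes `--preferred-chain ISRG` and the shell tries to run a command named `Root` — the previous value `isrg` only worked because it had no spaces. The rewritten `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS` line has the opposite problem: it is now single-quoted, so `$ACME_SH_ROOT_CA` is stored literally and is never expanded; the issue script's unquoted `$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST` passes the text `$ACME_SH_ROOT_CA` to acme.sh as an argument. A scalar variable cannot carry an argument that contains spaces through unquoted expansion, so if the generated script runs under bash (the shebang is outside the hunk) the options should be arrays, inserting the Jinja value unquoted into the array literal so its own quoting is parsed by the shell, and the caller in the issue script should expand `"${ACME_SH_ISSUE_CERT_REQUEST[@]}"`. Note also that `ACME_SH_ISSUE_CERT_REQUEST` is only assigned inside the `must_staple` branch visible here; unless an `else` outside the hunk sets it, the default `False` leaves it empty.
```shell
# … unchanged: install options …
# Unquoted on purpose: the value carries its own quoting (e.g. --preferred-chain 'ISRG Root X1'),
# so letting the shell parse it into an array keeps the CA name as one argument; an empty
# value yields an empty array and no --preferred-chain flag.
ACME_SH_ROOT_CA=({{ letsencrypt_acme_sh_specific_root_ca }})
# … unchanged: --home/--config-home/--certhome/--log install options …
ACME_SH_ISSUE_CERT_REQUEST_OPTIONS=(--issue --server {{ letsencrypt_acme_sh_default_ca }} "${ACME_SH_ROOT_CA[@]}" -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log)
{% if letsencrypt_acme_sh_ocsp_must_staple %}
ACME_SH_ISSUE_CERT_REQUEST=("${ACME_SH_ISSUE_CERT_REQUEST_OPTIONS[@]}" --ocsp)
{% endif %}
```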