From 8ecbd97f82997063192cd97188422b93b90b95ca Mon Sep 17 00:00:00 2001
From: Emily
Date: Sun, 23 Feb 2020 03:46:35 +0000
Subject: [PATCH] nixos/acme: move the crt to fullchain.pem

lego already bundles the chain with the certificate,[1] so the current code, designed for simp_le, was resulting in duplicate certificate chains, manifesting as "Chain issues: Incorrect order, Extra certs" on the Qualys SSL Server Test. cert.pem stays around as a symlink for backwards compatibility.

[1] https://github.com/go-acme/lego/blob/5cdc0002e9abb2463fffc962dadc3479f72d7486/acme/api/certificate.go#L40-L44
---
 nixos/modules/security/acme.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 7da6666f79c6..238c18242c19 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -325,10 +325,10 @@ in
 KEY=${spath}/certificates/${keyName}.key
 if [ -e $KEY -a $KEY -nt key.pem ]; then
 cp -p ${spath}/certificates/${keyName}.key key.pem
- cp -p ${spath}/certificates/${keyName}.crt cert.pem
+ cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
 cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
- cat cert.pem chain.pem > fullchain.pem
- cat key.pem cert.pem chain.pem > full.pem
+ ln -s fullchain.pem cert.pem
+ cat key.pem fullchain.pem > full.pem
 chmod ${rights} *.pem
 chown '${data.user}:${data.group}' *.pem
 fi
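Review bot: The added `ln -s fullchain.pem cert.pem` has no `-f`, so it fails with "File exists" whenever `cert.pem` is already present — which is the case on every host that ran the previous version (where `cert.pem` was a regular copied file) and on every renewal after the first (where the symlink from the last run is still there); if this script runs under `set -e`, which the hunk does not show, that failure would also skip the `chmod`/`chown` lines that follow, leaving the freshly written `full.pem` (private key plus chain) with whatever mode the umask gave it. Change the line to `ln -sf fullchain.pem cert.pem` so an existing file or link is replaced on each run. Note also that the backwards-compatibility claim in the description only holds for consumers that parse the first PEM block of `cert.pem`; anything that expected a single leaf certificate there now receives the whole chain, which is presumably intended but worth stating in the option documentation. The enclosing script continues outside the hunk.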