From 07a0808fc5bc20fce6525bd8c46a1da8e816d63a Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 13 Oct 2021 01:00:06 +0200
Subject: [PATCH] Update to 2021-10-13 01:00
---
 roles/letsencrypt/defaults/main.yml | 8 ++++++++
 roles/letsencrypt/templates/config.j2 | 4 ++++
 2 files changed, 12 insertions(+)
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
index 710a2e6..705acbe 100644
--- a/roles/letsencrypt/defaults/main.yml
+++ b/roles/letsencrypt/defaults/main.yml
@@ -16,6 +16,14 @@ letsencrypt_challenge: http
 # letsencrypt_dns_provider: gandi
 # letsencrypt_dns_provider_options: '--api-protocol=rest'
 # letsencrypt_dns_auth_token: XXXX
+
+# Specify a preferred chain of intermediate certs
+# If not specified, it'll use the short ISRG Root X1 chain
+# (not signed with the expired DST Root CA X3)
+# The special value "default" means to omit the directive, and use the default
+# dehydrated value
+# letsencrypt_preferred_chain: default
+
 # letsencrypt_certs: []
 # letsencrypt_certs:
diff --git a/roles/letsencrypt/templates/config.j2 b/roles/letsencrypt/templates/config.j2
index 40554b6..afaf8cc 100644
--- a/roles/letsencrypt/templates/config.j2
+++ b/roles/letsencrypt/templates/config.j2
@@ -10,7 +10,11 @@ KEYSIZE="{{ letsencrypt_key_size | default('4096') }}"
 HOOK=/usr/{{ (ansible_os_family == 'Debian') | ternary('local/','') }}bin/dehydrated_hooks
 RENEW_DAYS="{{ letsencrypt_renew_days | default('30') }}"
 PRIVATE_KEY_RENEW="yes"
+{% if letsencrypt_preferred_chain is not defined %}
 PREFERRED_CHAIN="{{ letsencrypt_openssl_version.stdout is version('1.1', '>=') | ternary('ISRG Root X1','issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1') }}"
+{% elif letsencrypt_preferred_chain != 'default' %}
+PREFERRED_CHAIN={{ letsencrypt_preferred_chain | quote }}
+{% endif %}
 {% if letsencrypt_key_algo | default('rsa') in ['rsa', 'prime256v1', 'secp384r1' ] %}
 KEY_ALGO={{ letsencrypt_key_algo | default('rsa') }}
 {% endif %}
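Review bot: The new comment block explains the `default` sentinel but never says what any other value of `letsencrypt_preferred_chain` means; in the companion config.j2 change it is written verbatim into dehydrated's `PREFERRED_CHAIN`, so the reader has to know it must name the issuer of an alternate chain the CA actually offers. Suggest adding, before the commented-out example, `# Any other value is passed as-is to dehydrated's PREFERRED_CHAIN (issuer name of the chain to select)`. It is also worth stating that the variable is intentionally left undefined here, since the template's `is not defined` branch is what produces the role's own ISRG Root X1 selection.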
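Review bot: A defined-but-empty `letsencrypt_preferred_chain` (for example `''` from an inventory or a lookup that returned nothing) takes the new `elif` branch, since `'' != 'default'`, and renders `PREFERRED_CHAIN=''`, silently dropping the ISRG Root X1 selection the role otherwise applies and leaving the chain choice to dehydrated. Treating empty like undefined keeps the safe default: `{% if letsencrypt_preferred_chain is not defined or not letsencrypt_preferred_chain %}`. A `None`/null value presumably renders as the literal string `None` through `quote` for the same reason, so the same guard covers it. Using `quote` on the user-supplied value is the right call here, as dehydrated's config is sourced as shell and an unquoted value could otherwise alter the file's meaning; the existing double-quoted default line and this shlex-quoted line are both fine for that.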