From ad6d50d9968b271480ff68c018b12623ad553e87 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 23 Oct 2021 02:06:42 +0200
Subject: [PATCH] Fix ISRG root certificate chain
---
 modules/private/certificates.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 1881ac8..b97d0bc 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -142,6 +142,14 @@
 '');
 ExecStartPost =
 let
+ ISRG_Root_X1 = pkgs.fetchurl {
+ url = "https://letsencrypt.org/certs/isrgrootx1.pem";
+ sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
+ };
+ fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
+ cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
+ sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" chain.pem fullchain.pem full.pem
+ '';
 script = pkgs.writeScript "acme-post-start" ''
 #!${pkgs.runtimeShell} -e
 install -m 0755 -o root -g root -d /var/lib/acme
@@ -163,6 +171,7 @@
 chmod ${fileMode} *.pem
 chown '${data.user}:${data.group}' *.pem
+ ${fix_ISRG_Root_X1}
 if [ "$KEY_CHANGED" = "yes" ]; then
 : # noop in case postRun is empty
--
2.41.0
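Review bot: `r /dev/stdin` in `fix_ISRG_Root_X1` reads from a pipe that can be consumed only once, while the same sed invocation edits `chain.pem`, `fullchain.pem` and `full.pem`. After the first file that matches, the matched certificate body would likely be cut out and replaced with nothing, leaving an empty BEGIN/END block; please verify the second and third files after a run. Reading the stripped body from a store path gives every file the same replacement. A `#!${pkgs.runtimeShell} -e` line in the helper would also stop it relying on the calling shell's fallback for files without an interpreter line. The `let` block continues outside this hunk.

```nix
# … unchanged: ISRG_Root_X1 fetchurl with its pinned sha256 …
ISRG_Root_X1_body = pkgs.runCommand "isrgrootx1-body" {} ''
  grep -v " CERTIFICATE" ${ISRG_Root_X1} > $out
'';
fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
  #!${pkgs.runtimeShell} -e
  sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r ${ISRG_Root_X1_body}" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" chain.pem fullchain.pem full.pem
'';
```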
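Review bot: `${fix_ISRG_Root_X1}` runs after the `chmod ${fileMode} *.pem` and `chown` lines, so the files that `sed -i.bak` recreates are not covered by those two lines in the same run, and the `*.pem.bak` copies it leaves behind never match the `*.pem` globs. If `full.pem` bundles the private key, as its name suggests, `full.pem.bak` is a second copy of key material left in the certificate directory. Moving the call above the `chmod` line and adding `rm -f chain.pem.bak fullchain.pem.bak full.pem.bak` after it keeps mode and ownership explicit and drops the extra copy. The enclosing script starts and ends outside this hunk.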