Fix ISRG root certificate chain
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 23 Oct 2021 00:06:42 +0000 (02:06 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 23 Oct 2021 00:06:57 +0000 (02:06 +0200)
modules/private/certificates.nix

index 1881ac8d498fda5bf7c223ceb3f9b5c87f5063aa..b97d0bc1dd3c3492a6c90b5dd42aac5b80f73ac9 100644 (file)
             '');
             ExecStartPost =
               let
+                ISRG_Root_X1 = pkgs.fetchurl {
+                  url = "https://letsencrypt.org/certs/isrgrootx1.pem";
+                  sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
+                };
+                fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
+                  cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
+                    sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" chain.pem fullchain.pem full.pem
+                '';
                 script = pkgs.writeScript "acme-post-start" ''
                   #!${pkgs.runtimeShell} -e
                   install -m 0755 -o root -g root -d /var/lib/acme
 
                   chmod ${fileMode} *.pem
                   chown '${data.user}:${data.group}' *.pem
+                  ${fix_ISRG_Root_X1}
 
                   if [ "$KEY_CHANGED" = "yes" ]; then
                     : # noop in case postRun is empty
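Review bot: In `fix_ISRG_Root_X1` a single `sed` call rewrites `chain.pem`, `fullchain.pem` and `full.pem` but takes the replacement body from `r /dev/stdin`, and a pipe can only be read once. It therefore looks as if only the first file that matches gets the new base64 body, while the others keep an empty BEGIN/END block; this should be confirmed on a freshly issued certificate. Feeding each file its own copy avoids the question: `for f in chain.pem fullchain.pem full.pem; do grep -v " CERTIFICATE" ${ISRG_Root_X1} | sed -i.bak -ne '<same expression>' "$f"; done`. The helper also has no shebang, no `pipefail` and no check that the rewritten files still parse as certificates, so a failed `grep` or a changed upstream encoding would be served silently; a parse/verify step that restores from `.bak` on failure would close that gap. Separately, `sed -i.bak` leaves a `full.pem.bak` behind, and if `full.pem` bundles the private key that is an extra key copy which the `chmod`/`chown` on `*.pem` no longer covers on later runs.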