author: Emily <vcs@emily.moe> 2020-02-23 03:46:35 +0000
committer: Emily <vcs@emily.moe> 2020-02-23 04:10:34 +0000
commit: 8ecbd97f82997063192cd97188422b93b90b95ca
tree: 427d0e2c403e0ad0ca9d2d358dfc91c8bdfea53b /nixos
parent: ea79a830dcf9c0059656da7f52835d2663d5c436
nixos/acme: move the crt to fullchain.pem
lego already bundles the chain with the certificate,[1] so the current
code, designed for simp_le, was resulting in duplicate certificate
chains, manifesting as "Chain issues: Incorrect order, Extra certs" on
the Qualys SSL Server Test.

cert.pem stays around as a symlink for backwards compatibility.

[1] https://github.com/go-acme/lego/blob/5cdc0002e9abb2463fffc962dadc3479f72d7486/acme/api/certificate.go#L40-L44
Diffstat (limited to 'nixos')
-rw-r--r--  nixos/modules/security/acme.nix | 6
1 file changed, 3 insertions, 3 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 7da6666f79c6..238c18242c19 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -325,10 +325,10 @@ in
                           KEY=${spath}/certificates/${keyName}.key
                           if [ -e $KEY -a $KEY -nt key.pem ]; then
                             cp -p ${spath}/certificates/${keyName}.key key.pem
-                            cp -p ${spath}/certificates/${keyName}.crt cert.pem
+                            cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
                             cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
-                            cat cert.pem chain.pem > fullchain.pem
-                            cat key.pem cert.pem chain.pem > full.pem
+                            ln -s fullchain.pem cert.pem
+                            cat key.pem fullchain.pem > full.pem
                             chmod ${rights} *.pem
                             chown '${data.user}:${data.group}' *.pem
                           fi
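Review bot: `ln -s fullchain.pem cert.pem` has no `-f`, so on the first renewal after this change, when `cert.pem` still exists as a regular file written by the previous version of this block, the call fails with "File exists"; depending on whether the surrounding script runs under `set -e`, that either aborts the block before `chmod ${rights} *.pem` and `chown` run (leaving freshly copied key material with default permissions), or silently leaves the stale leaf certificate in place so the compatibility symlink the commit message promises is never created. Suggest `ln -sf fullchain.pem cert.pem`, or `rm -f cert.pem` before the `ln`. It is also worth stating in the commit message or a comment that `cert.pem` now resolves to the full chain rather than the leaf alone, since any consumer that read it expecting a single certificate will now see the issuer chain as well.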