update Let's Encrypt trust chainchange-52

Drop 'DST Root CA X3', use 'ISRG Root X1' instead. The migration code
makes sure that...

 * the intermediate certificate 'R3' is signed by 'ISRG Root X1'
 * 'ISRG Root X1' is self-signed, not cross-signed by 'DST Root CA X3'
 * 'DST Root CA X3' is finally gone

1 files changed, 2 insertions, 0 deletions

diff --git a/global-config.changes b/global-config.changes
index 4bada85..cfaf649 100644
--- a/global-config.changes
+++ b/global-config.changes
@@ -55,10 +55,12 @@
   49="Dropped '\$EmailBackupTo' & '\$EmailBackupCc' from configuration, use settings override if required.";
   50="Added support for dynamic address update in 'netwatch-notify'.";
   51="Added 'ipsec-to-dns' to add DNS records for IPSec peers from mode-config.";
+  52="Updated Let's Encrypt trust chain to use root certificate 'ISRG Root X1'. Do not re-import the old chain!";
 };
 
 # Migration steps to be applied on script updates
 :global GlobalConfigMigration {
   41=":global SendNotification; \$SendNotification (\"Migration mechanism\") (\"Congratulations!\nSuccessfully tested the new migration mechanism.\");";
   47="/ certificate remove [ find where fingerprint=\"731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568\" or fingerprint=\"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d\" ];";
+  52=":global CertificateDownload; :if ([ :len [ / certificate find where fingerprint=\"67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd\" or fingerprint=\"96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6\" ] ] < 2) do={ \$CertificateDownload \"R3\"; }; / certificate remove [ find where fingerprint=\"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739\" ];";
 };