From 4427cabd0eac9f8a5b18f939198284621933fa36 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 21 Dec 2020 00:02:49 +0100
Subject: update Let's Encrypt trust chain

Drop 'DST Root CA X3', use 'ISRG Root X1' instead. The migration code makes sure that...
* the intermediate certificate 'R3' is signed by 'ISRG Root X1'
* 'ISRG Root X1' is self-signed, not cross-signed by 'DST Root CA X3'
* 'DST Root CA X3' is finally gone
---
 global-config.changes | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'global-config.changes')
diff --git a/global-config.changes b/global-config.changes
index 4bada85..cfaf649 100644
--- a/global-config.changes
+++ b/global-config.changes
@@ -55,10 +55,12 @@
 49="Dropped '\$EmailBackupTo' & '\$EmailBackupCc' from configuration, use settings override if required.";
 50="Added support for dynamic address update in 'netwatch-notify'.";
 51="Added 'ipsec-to-dns' to add DNS records for IPSec peers from mode-config.";
+ 52="Updated Let's Encrypt trust chain to use root certificate 'ISRG Root X1'. Do not re-import the old chain!";
 };

 # Migration steps to be applied on script updates
 :global GlobalConfigMigration {
 41=":global SendNotification; \$SendNotification (\"Migration mechanism\") (\"Congratulations!\nSuccessfully tested the new migration mechanism.\");";
 47="/ certificate remove [ find where fingerprint=\"731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568\" or fingerprint=\"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d\" ];";
+ 52=":global CertificateDownload; :if ([ :len [ / certificate find where fingerprint=\"67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd\" or fingerprint=\"96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6\" ] ] < 2) do={ \$CertificateDownload \"R3\"; };
 / certificate remove [ find where fingerprint=\"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739\" ];";
 };
-- 
cgit v1.2.3-70-g09d2
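Review bot: The final `/ certificate remove` in migration step 52 is not conditioned on the new chain being present. The two new fingerprints are counted only before `$CertificateDownload "R3"` runs and never afterwards. How `$CertificateDownload` reports a failed or partial import is not visible in this hunk, so a device may end up with the old root removed and no complete replacement chain, which would break any later fetch that verifies certificates. I would re-count after the download and remove only on success, e.g. `:if ([ :len [ / certificate find where fingerprint=... or fingerprint=... ] ] = 2) do={ / certificate remove [ find where fingerprint=... ]; };`, reusing the fingerprint literals already in the step. A comment above the entry stating which certificate each of the three fingerprints is meant to match would also let an auditor check the pins against the published values.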