authorGuilhem Moulin <guilhem@fripost.org>2016-03-28 00:16:10 +0300
committerGuilhem Moulin <guilhem@fripost.org>2016-03-28 00:16:10 +0300
commit20e56d8416683e25b4999a57579eb304c06be985 (patch)
tree56e5e3da9a556aa56050201b3317471c075e659e
parent4dbc2fb82f4f001c4927d200ddedae7ac1ff5f70 (diff)
Replace LE's X1 intermediate CA with X3 since the latter has better support for XP.
-rwxr-xr-xcerts/gencerts.sh8
-rw-r--r--roles/common-web/files/etc/nginx/snippets/ssl.conf4
2 files changed, 6 insertions, 6 deletions
diff --git a/certs/gencerts.sh b/certs/gencerts.sh
index 8164945..181767e 100755
--- a/certs/gencerts.sh
+++ b/certs/gencerts.sh
@@ -22,8 +22,8 @@ x509fpr() {
host="${msg%%,*}"; host="${msg%% *}"
cert="$DIR/${host%%:*}.pem"
spki=$(openssl x509 -noout -pubkey<"$cert" | openssl pkey -pubin -outform DER | openssl dgst -sha1 | sed -nr 's/^[^=]+=\s*//p')
- [ "$typ" = mdwn ] && printf '\n [[%s|https://crt.sh/?spkisha1=%s&iCAID=7395]]\n\n' "$msg" "$spki" \
- || printf ' %s\n X.509: https://crt.sh/?spkisha1=%s&iCAID=7395\n SPKI:\n' "$msg" "$spki"
+ [ "$typ" = mdwn ] && printf '\n [[%s|https://crt.sh/?spkisha1=%s&iCAID=16418]]\n\n' "$msg" "$spki" \
+ || printf ' %s\n X.509: https://crt.sh/?spkisha1=%s&iCAID=16418\n SPKI:\n' "$msg" "$spki"
for h in sha1 sha256; do
[ "$typ" = mdwn ] || echo -n ' '
echo -n "$h" | tr '[a-z]' '[A-Z]'
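Review bot: The crt.sh CA id `16418` is a bare literal in both `printf` branches of x509fpr, and again in the two crt.sh URLs changed by the hunks at -106 and -136, so a future intermediate rotation needs four edits that must agree. I would define it once near the top of the script, e.g. `readonly LE_CAID=16418  # crt.sh id of the issuing intermediate`, and pass it as a further argument: `printf ' %s\n X.509: https://crt.sh/?spkisha1=%s&iCAID=%s\n SPKI:\n' "$msg" "$spki" "$LE_CAID"`. If the two text blocks are unquoted here-documents (the `$VCS_BROWSER` reference suggests so, but their delimiters are outside the hunks), `$LE_CAID` can be used there as well. x509fpr starts and ends outside this hunk.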
@@ -106,7 +106,7 @@ These certificates are all issued by the Let's Encrypt Certificate
Authority, and are submitted to Certificate Transparency logs. You can
view all issued Let's Encrypt certificates at crt.sh:
- https://crt.sh/?Identity=%25fripost.org&iCAID=7395
+ https://crt.sh/?Identity=%25fripost.org&iCAID=16418
Our X.509 certificates are also available in PEM format at:
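Review bot: The sentence above this URL promises all issued Let's Encrypt certificates, but the `iCAID` parameter limits the crt.sh result to a single issuing CA. After this change, any certificate issued under the previous id `7395` drops out of the list, and a certificate issued for the domain by any other CA was never in it. For readers who use the link to audit issuance that is a blind spot; consider adding the unfiltered query next to it, `https://crt.sh/?Identity=%25fripost.org`, or rewording the text to say the list covers the current intermediate only. The same applies to the markdown variant in the hunk at -136.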
@@ -136,7 +136,7 @@ These certificates are all issued by the [[Let's Encrypt Certificate
Authority|https://letsencrypt.org]], and are submitted to [[Certificate
Transparency logs|https://www.certificate-transparency.org]].
You can view all issued Let's Encrypt certificates at
-[[crt.sh|https://crt.sh/?Identity=%25fripost.org&iCAID=7395]].
+[[crt.sh|https://crt.sh/?Identity=%25fripost.org&iCAID=16418]].
Our X.509 certificates are also available in PEM format under our
[[Git repository|$VCS_BROWSER/tree/certs/public]],
from which this fingerprint list was [[generated|$VCS_BROWSER/tree/certs/gencerts.sh]], at
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
index 0f989b8..1403846 100644
--- a/roles/common-web/files/etc/nginx/snippets/ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -2,7 +2,7 @@
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
-# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
+# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
ssl on;
@@ -27,4 +27,4 @@ ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
-ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem;
+ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem;
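Review bot: `ssl_trusted_certificate` now points at the X3 intermediate, so with `ssl_stapling_verify on` the OCSP response for any server certificate still issued under X1 would presumably fail verification until that certificate is renewed; the commit does not show whether reissuance is part of the same rollout. The same ordering concern applies to `srvcert.chained.pem`, which the comment changed in the hunk at line 2 rebuilds by hand: a leaf issued by X1 concatenated with the X3 intermediate gives clients a chain that does not validate. I would state the precondition in a comment, e.g. `# srvcert.pem must be issued by X3 before this path and srvcert.chained.pem are switched`. Separately, the comment above the directive says verification uses Root CA and Intermediate certs while the file name suggests the intermediate alone, so it is worth confirming what the file actually contains.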