From 20e56d8416683e25b4999a57579eb304c06be985 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 28 Mar 2016 00:16:10 +0300
Subject: Replace LE's X1 intermediate CA with X3 since the latter has better support for XP.
---
 certs/gencerts.sh | 8 ++++----
 roles/common-web/files/etc/nginx/snippets/ssl.conf | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/certs/gencerts.sh b/certs/gencerts.sh
index 8164945..181767e 100755
--- a/certs/gencerts.sh
+++ b/certs/gencerts.sh
@@ -22,8 +22,8 @@ x509fpr() {
 host="${msg%%,*}"; host="${msg%% *}"
 cert="$DIR/${host%%:*}.pem"
 spki=$(openssl x509 -noout -pubkey<"$cert" | openssl pkey -pubin -outform DER | openssl dgst -sha1 | sed -nr 's/^[^=]+=\s*//p')
- [ "$typ" = mdwn ] && printf '\n [[%s|https://crt.sh/?spkisha1=%s&iCAID=7395]]\n\n' "$msg" "$spki" \
- || printf ' %s\n X.509: https://crt.sh/?spkisha1=%s&iCAID=7395\n SPKI:\n' "$msg" "$spki"
+ [ "$typ" = mdwn ] && printf '\n [[%s|https://crt.sh/?spkisha1=%s&iCAID=16418]]\n\n' "$msg" "$spki" \
+ || printf ' %s\n X.509: https://crt.sh/?spkisha1=%s&iCAID=16418\n SPKI:\n' "$msg" "$spki"
 for h in sha1 sha256; do
 [ "$typ" = mdwn ] || echo -n ' '
 echo -n "$h" | tr '[a-z]' '[A-Z]'
@@ -106,7 +106,7 @@ These certificates are all issued by the Let's Encrypt Certificate Authority, and are submitted to Certificate Transparency logs. You can view all issued Let's Encrypt certificates at crt.sh:
- https://crt.sh/?Identity=%25fripost.org&iCAID=7395
+ https://crt.sh/?Identity=%25fripost.org&iCAID=16418
 Our X.509 certificates are also available in PEM format at:
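Review bot: The crt.sh issuer id `16418` is now a literal in four places of gencerts.sh — both `printf` format strings in this hunk and the heredoc URLs in the `@@ -106` and `@@ -136` hunks — and this commit is already the second time all four had to move together. Defining it once next to the other script settings, e.g. `readonly LE_ICAID=16418  # crt.sh issuer id of the Let's Encrypt intermediate (X3)`, passing it as a third `%s` argument to the two `printf` calls and expanding `$LE_ICAID` in the heredocs (which already expand `$VCS_BROWSER`) keeps the links in step at the next rotation. Note also that `iCAID=` narrows the crt.sh view to certificates issued by that single intermediate, so a host whose certificate still chains to X1 — if any such is still deployed during the switch — gets a per-host link that shows nothing, and the heredocs' "all issued" wording becomes narrower than it claims. The x509fpr() body starts before this hunk and its `for` loop continues past it.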
@@ -136,7 +136,7 @@ These certificates are all issued by the [[Let's Encrypt Certificate Authority|https://letsencrypt.org]], and are submitted to [[Certificate Transparency logs|https://www.certificate-transparency.org]]. You can view all issued Let's Encrypt certificates at
-[[crt.sh|https://crt.sh/?Identity=%25fripost.org&iCAID=7395]].
+[[crt.sh|https://crt.sh/?Identity=%25fripost.org&iCAID=16418]].
 Our X.509 certificates are also available in PEM format under our [[Git repository|$VCS_BROWSER/tree/certs/public]], from which this fingerprint list was [[generated|$VCS_BROWSER/tree/certs/gencerts.sh]], at
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
index 0f989b8..1403846 100644
--- a/roles/common-web/files/etc/nginx/snippets/ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -2,7 +2,7 @@
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
-# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
+# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
 ssl on;
@@ -27,4 +27,4 @@ ssl_stapling on;
 ssl_stapling_verify on;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
-ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem;
+ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem;
-- cgit v1.2.3
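Review bot: `ssl_trusted_certificate` now names only the X3 cross-signed intermediate, so OCSP responses for any certificate that still chains to X1 (a host not yet renewed, or one mid-rollover) can no longer be verified; nginx then logs the verification failure and serves the handshake without a stapled response rather than refusing to start, so the error log is the only place this shows up. A bundle holding both intermediates — plus the root, as the comment above the directive already promises — closes that window for the duration of the transition. The `# ~$ cat …` comment in the `@@ -2` hunk documents a manual regeneration of `srvcert.chained.pem` that this commit cannot perform, so until it is rerun the served chain (X1) and the stapling trust anchor (X3) disagree. The new path also has to exist on every target host before the role is applied; a missing `ssl_trusted_certificate` file makes `nginx -t` fail and blocks the reload.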