feat: certbot ability to specify preferred chain to remove expired DS…

…T Root CA X3 cert
KiraLT · Jan 19, 2022 · 9ddab81 · 9ddab81
1 parent 9e299e7
commit 9ddab81
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -44,7 +44,18 @@ Then go to AWS Secrets dashboard and create a rotation rule for created secrets
 | CERTBOT_DNS_PLUGIN | DNS provider plugin name for acme challenge. E.g. `dns-cloudflare`, find plugin list [here](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins). | **required** |
 | CERTBOT_SERVER | Letsencrypt API url. | `https://acme-v02.api.letsencrypt.org/directory` |
 | CERTBOT_DIR | Temporary certbot directory where logs and generated certs will be stored. | `/tmp/certbot` |
+| CERTBOT_PREFERRED_CHAIN | Force to use specified cert chain, e.g. `ISRG Root X1` | |
 | AWS_SECRET_NAME | AWS secret name template, {domain} will be replaced with domain name. | `certbot-{domain}` |
 | AWS_SECRET_DESCRIPTION | AWS secret name description text. | `Auto generated SSL certificate by lambda-certbot` |
 
 Each DNS challenge plugin requires different configuration, check [documentation](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins) for more information.
+
+## Letsencrypt
+
+### 2021 September 30th Root CA X3 root certificate expired
+
+Due to a bug in some versions of [OpenSSL (1.0.0 - 1.0.2)](https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816), [GnuTLS (< 3.6.14)](https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html), [LibreSSL (< 3.2.0)](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.0-relnotes.txt) and perhaps other TLS/SSL libraries as well, Let's Encrypt's certificates will be seen as invalid as a result of this invalid DST Root CA X3 certificate still being included.
+
+To solve this issue, you can disable `Root CA X3` certificate that is still included due to legacy support (mostly Android) by providing `CERTBOT_PREFERRED_CHAIN=ISRG Root X1` environment variable.
+
+_Source: [Laravel: Let's Encrypt Compatibility Changes](https://blog.laravel.com/forge-lets-encrypt-compatibility-changes)_
diff --git a/app/handler.py b/app/handler.py
@@ -20,6 +20,7 @@ def handler(_event, _context):
             dns_plugin=settings.CERTBOT_DNS_PLUGIN,
             certbot_dir=settings.CERTBOT_DIR,
             certbot_server=settings.CERTBOT_SERVER,
+            preferred_chain=settings.CERTBOT_PREFERRED_CHAIN
         )
 
         upload_certs_as_secrets(

diff --git a/app/services/certbot.py b/app/services/certbot.py
@@ -21,6 +21,7 @@ def obtain_certbot_certs(
     dns_plugin: str,
     certbot_dir: Path,
     certbot_server: str,
+    preferred_chain: str = None
 ) -> list[Cert]:
     certbot_args = [
         # Override directory paths so script doesn't have to be run as root
@@ -50,6 +51,10 @@ def obtain_certbot_certs(
         # Domains to provision certs for (comma separated)
         "--domains",
         ",".join(domains),
+        *([
+            "--preferred-chain",
+            preferred_chain
+        ] if preferred_chain else [])
     ]
     certbot.main.main(certbot_args)
 

diff --git a/app/settings.py b/app/settings.py
@@ -14,6 +14,7 @@ class Settings:
     AWS_SECRET_NAME: str
     AWS_DEFAULT_REGION: str
     AWS_SECRET_DESCRIPTION: str
+    CERTBOT_PREFERRED_CHAIN: str = None
 
 
 def read_env(name: str, required: bool = False, multi=False, default=None):
@@ -45,4 +46,5 @@ def read_env(name: str, required: bool = False, multi=False, default=None):
     AWS_DEFAULT_REGION=read_env("AWS_DEFAULT_REGION", required=True),
     AWS_SECRET_NAME=read_env("AWS_SECRET_NAME", default="certbot-{domain}"),
     AWS_SECRET_DESCRIPTION=read_env("AWS_SECRET_DESCRIPTION", default="Auto generated SSL certificate by lambda-certbot"),
+    CERTBOT_PREFERRED_CHAIN=read_env("CERTBOT_PREFERRED_CHAIN"),
 )