Add support for certbot "--preferred-chain" flag in ca-info.conf

  New config for letsencrypt CA : preferred_chain defaults to unset (uses LE default).
   e.g. to switch to newer ECC root set: ca_preferred_chain = "ISRG Root X2"

Docs/conf.py

@@ -9,7 +9,7 @@
 project = "ssl-mgr"
 copyright = '2023, Gene C'
 author = 'Gene C'
-release = '5.0.0'
+release = '5.1.0'
 
 # -- General configuration ---------------------------------------------------
 # https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration

README.rst

@@ -64,6 +64,18 @@ New / Interesting
 
 Recent changes and important info goes here.
 
+ * Support Letsencrypt alternate root chain.
+
+   Set via *ca_preferred_chain* option in *ca-info.conf* file (see example file).
+
+   By default LE root cert is *ISRG Root X1* (RSA). Since it is standard to use ECC for 
+   certificates, it is preferable to use LE *ISRG Root X2* (ECC) which is smaller and faster
+   since less data is exchanged during TLS handshake.
+
+   X2 cert is cross-signed by X1 cert, so any client trusting X1 should trust X2.
+
+   Some more info here: `LE Certificates: <https://letsencrypt.org/certificates>`_ and `Compatibility <https://letsencrypt.org/docs/certificate-compatibility>`_.
+
  * Fixed: sslm-info now shows all SANS including IP addresses.
 
  * Fixed: typo in dns_primary when domain specific dns server provided caused it not to be used. 
@@ -130,6 +142,7 @@ Recent changes and important info goes here.
      * While things can take longer than previous versions, teting to date has shown it 
        to be robust and working well with letsencrypt.
 
+
 More Detail
 ===========
 

examples/letsencrypt/conf.d/ca-info.conf

@@ -9,10 +9,17 @@
     ca_desc = 'My intermediate : signs client certs'
     ca_type = 'self'
 
-[le-dns]    # Used to sign client certs
+[le-dns]    # Used to sign client certs with LE X2 (ecc) cert
     ca_desc = 'Letsencrypt: dns-01 validation'
     ca_type = 'certbot'
     ca_validation = 'dns-01'
+    ca_preferred_chain = 'ISRG Root X2'
+
+[le-dns-X1]    # sign client certs with LE default X1 (rsa) cert
+    ca_desc = 'Letsencrypt: dns-01 validation'
+    ca_type = 'certbot'
+    ca_validation = 'dns-01'
+    #ca_preferred_chain = 'ISRG Root X1'
 
 [le-http]    # Used to sign client certs
     ca_desc = 'Letsencrypt: http-01 validation'

packaging/PKGBUILD

@@ -12,7 +12,7 @@ pkgname='ssl-mgr'
 pkgdesc='Manage (re)new certificates and handle DANE TLSA key rollover'
 _gitname='ssl-mgr'
 
-pkgver=5.0.0
+pkgver=5.1.0
 pkgrel=1
 url="https://github.com/gene-git/ssl-mgr"
 

src/ssl_mgr/__about__.py

@@ -3,4 +3,4 @@
 """
 Project ssl-mgr
 """
-__version__ = "5.0.0"
+__version__ = "5.1.0"

src/ssl_mgr/cbot/sign_cert.py

@@ -100,8 +100,11 @@ def certbot_options(certbot:'Certbot', challenge_type:str, cert_dir:str,
     opts += ['--chain-path', chain_path]
     opts += ['--fullchain-path', fullchain_path]
 
-    if certbot.opts.verb:
-        opts += ['--debug']
+    #
+    # LE defaults to 'ISRG Root X1' (RSA) - can also use ca_preferred_chain = 'ISRG Root X2' (ECC)
+    #
+    if ssl_ca.info.ca_preferred_chain:
+        opts += ['--preferred-chain', ssl_ca.info.ca_preferred_chain]
 
     #
     # Are we testing -
@@ -115,6 +118,9 @@ def certbot_options(certbot:'Certbot', challenge_type:str, cert_dir:str,
     #
     #if ssl_ca.test :               # old way
     #
+    if certbot.opts.verb:
+        opts += ['--debug']
+
     if certbot.opts.test :
         opts += ['--test-cert']
 

src/ssl_mgr/certs/class_cainfo.py

@@ -31,6 +31,7 @@ def __init__(self):
         self.ca_desc = ''
         self.ca_type = None
         self.ca_validation = None
+        self.ca_preferred_chain = None
 
     def init_ca_name(self, top_dir:str, ca_name:str):
         """