diff --git a/Docs/conf.py b/Docs/conf.py
index 8865093..5583b42 100644
--- a/Docs/conf.py
+++ b/Docs/conf.py
@@ -9,7 +9,7 @@
 project = "ssl-mgr"
 copyright = '2023, Gene C'
 author = 'Gene C'
-release = '5.0.0'
+release = '5.1.0'
 # -- General configuration ---------------------------------------------------
 # https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
diff --git a/README.rst b/README.rst
index 8b361b6..983779b 100644
--- a/README.rst
+++ b/README.rst
@@ -64,6 +64,18 @@ New / Interesting
 Recent changes and important info goes here.
+ * Support Letsencrypt alternate root chain.
+
+ Set via *ca_preferred_chain* option in *ca-info.conf* file (see example file).
+
+ By default LE root cert is *ISRG Root X1* (RSA). Since it is standard to use ECC for
+ certificates, it is preferable to use LE *ISRG Root X2* (ECC) which is smaller and faster
+ since less data is exchanged during TLS handshake.
+
+ X2 cert is cross-signed by X1 cert, so any client trusting X1 should trust X2.
+
+ Some more info here: `LE Certificates: `_ and `Compatibility `_.
+
 * Fixed: sslm-info now shows all SANS including IP addresses.
 * Fixed: typo in dns_primary when domain specific dns server provided caused it not to be used.
@@ -130,6 +142,7 @@ Recent changes and important info goes here.
 * While things can take longer than previous versions, teting to date has shown it to be robust and working well with letsencrypt.
+
 More Detail
 ===========
diff --git a/examples/letsencrypt/conf.d/ca-info.conf b/examples/letsencrypt/conf.d/ca-info.conf
index aca85b5..a01f5fc 100644
--- a/examples/letsencrypt/conf.d/ca-info.conf
+++ b/examples/letsencrypt/conf.d/ca-info.conf
@@ -9,10 +9,17 @@
 ca_desc = 'My intermediate : signs client certs'
 ca_type = 'self'
-[le-dns] # Used to sign client certs
+[le-dns] # Used to sign client certs with LE X2 (ecc) cert
 ca_desc = 'Letsencrypt: dns-01 validation'
 ca_type = 'certbot'
 ca_validation = 'dns-01'
+ ca_preferred_chain = 'ISRG Root X2'
+
+[le-dns-X1] # sign client certs with LE default X1 (rsa) cert
+ ca_desc = 'Letsencrypt: dns-01 validation'
+ ca_type = 'certbot'
+ ca_validation = 'dns-01'
+ #ca_preferred_chain = 'ISRG Root X1'
 [le-http] # Used to sign client certs
 ca_desc = 'Letsencrypt: http-01 validation'
diff --git a/packaging/PKGBUILD b/packaging/PKGBUILD
index 1b05a70..bd561e8 100644
--- a/packaging/PKGBUILD
+++ b/packaging/PKGBUILD
@@ -12,7 +12,7 @@
 pkgname='ssl-mgr'
 pkgdesc='Manage (re)new certificates and handle DANE TLSA key rollover'
 _gitname='ssl-mgr'
-pkgver=5.0.0
+pkgver=5.1.0
 pkgrel=1
 url="https://github.com/gene-git/ssl-mgr"
diff --git a/src/ssl_mgr/__about__.py b/src/ssl_mgr/__about__.py
index 12a56cd..0df098e 100644
--- a/src/ssl_mgr/__about__.py
+++ b/src/ssl_mgr/__about__.py
@@ -3,4 +3,4 @@
 """
 Project ssl-mgr
 """
-__version__ = "5.0.0"
+__version__ = "5.1.0"
diff --git a/src/ssl_mgr/cbot/sign_cert.py b/src/ssl_mgr/cbot/sign_cert.py
index eef4316..cc02cd7 100644
--- a/src/ssl_mgr/cbot/sign_cert.py
+++ b/src/ssl_mgr/cbot/sign_cert.py
@@ -100,8 +100,11 @@ def certbot_options(certbot:'Certbot', challenge_type:str, cert_dir:str,
 opts += ['--chain-path', chain_path]
 opts += ['--fullchain-path', fullchain_path]
- if certbot.opts.verb:
- opts += ['--debug']
+ #
+ # LE defaults to 'ISRG Root X1' (RSA) - can also use ca_preferred_chain = 'ISRG Root X2' (ECC)
+ #
+ if ssl_ca.info.ca_preferred_chain:
+ opts += ['--preferred-chain', ssl_ca.info.ca_preferred_chain]
 #
 # Are we testing -
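Review bot: The new `[le-dns-X1]` section is identical to `[le-dns]` except for the commented-out `#ca_preferred_chain = 'ISRG Root X1'`, and both carry the same `ca_desc = 'Letsencrypt: dns-01 validation'`, so the two CAs are indistinguishable anywhere the description is shown; I would use `ca_desc = 'Letsencrypt: dns-01 validation (default X1 chain)'`. The section comment `# sign client certs with LE default X1 (rsa) cert` also reads as if the root's key type decides the issued certificate's key type, which it does not — leaving the option unset only keeps the CA's default chain — so a clearer comment is `# default chain (rooted at ISRG Root X1); ca_preferred_chain left unset`. It would also help readers to state next to the X2 example that the value must match the issuer name of the chain's top certificate exactly.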
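Review bot: The value of `ssl_ca.info.ca_preferred_chain` is passed straight through to `--preferred-chain` with no check and no log line, and certbot, as far as I recall, matches that string against the issuer name of the top certificate of each offered chain and silently keeps the default chain when nothing matches, so a typo in ca-info.conf yields the default X1-rooted chain with no indication to the operator; at minimum the requested chain name should be logged at the same verbosity the rest of this function uses, and ideally the top certificate of the issued chain checked afterwards. The comment block above the check also presents X2 as a drop-in alternative, whereas selecting the X2-rooted chain (again, to my understanding of LE's offered chains) drops the X1-cross-signed intermediate, so clients that trust only ISRG Root X1 will not validate that chain; I would say so in the comment: `# 'ISRG Root X2' selects the chain rooted at X2 itself (shorter, ECDSA); clients must trust X2 directly. Unset keeps the CA default (X1-rooted, cross-signed) chain.` certbot_options() starts before and continues after this hunk.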
@@ -115,6 +118,9 @@ def certbot_options(certbot:'Certbot', challenge_type:str, cert_dir:str,
 #
 #if ssl_ca.test : # old way
 #
+ if certbot.opts.verb:
+ opts += ['--debug']
+
 if certbot.opts.test :
 opts += ['--test-cert']
diff --git a/src/ssl_mgr/certs/class_cainfo.py b/src/ssl_mgr/certs/class_cainfo.py
index 37be83c..6ced854 100644
--- a/src/ssl_mgr/certs/class_cainfo.py
+++ b/src/ssl_mgr/certs/class_cainfo.py
@@ -31,6 +31,7 @@ def __init__(self):
 self.ca_desc = ''
 self.ca_type = None
 self.ca_validation = None
+ self.ca_preferred_chain = None
 def init_ca_name(self, top_dir:str, ca_name:str):
 """
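Review bot: The new `self.ca_preferred_chain = None` attribute carries no comment saying what it holds or what a valid value looks like, and nothing in this hunk shows where the config value is parsed or whether it is validated, so a reader of the class has to find the certbot call site to learn that the string is matched against a chain's top-certificate issuer name. I would document it in place: `# certbot --preferred-chain value (issuer name of the chain's top cert, e.g. 'ISRG Root X2'); None keeps the CA default chain`. The enclosing __init__ starts before this hunk.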