Fix issue with expired LE certs in bundle

core/sbin/sympl-ssl

 #!/bin/bash -e
 
-# Workaround wrapper script for sympl-ssl to fix a bug in IPv6 only resolution of the LE API DNS.
+# Workaround wrapper script for sympl-ssl to deal with bugs:
+# 1. in IPv6 only resolution of the LE API DNS
+# 2. with extra expired LE intermediates which sympl-ssl considers invalid
 
 # If theres no IPv4 address assigned...
 if [ $( sympl-ip -a | grep -c '\.' ) == 0 ] || [ $( getent hosts ipv4only.arpa | grep -c ':' ) != 0 ] ; then
@@ -20,3 +22,10 @@ else
   # Just run it nomally...
   /usr/sbin/sympl-ssl.rb $@
 fi
+
+find /srv/*/config/ssl/sets/ \( -name 'ssl.bundle' -o -name 'ssl.combined' \) -exec grep -lx '^MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/$' {} \; | while read file ; do
+    input="$( cat "$file" | tr '\n' '\t' )"
+    echo -e "$input" \
+    | sed 's|\tnLRbwHOoq7hHwg==\t-----END CERTIFICATE-----\t-----BEGIN CERTIFICATE-----\tMIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\t.*\tDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\t-----END CERTIFICATE-----|\tnLRbwHOoq7hHwg==\t-----END CERTIFICATE-----|' \
+    | tr '\t' '\n' > "$file"
+done