Workaround for Let's Encrypt cross-signed intermediate

b09d04da · Paul Cammish · e93f5aaf · b09d04da · b09d04da · b09d04da
Commit b09d04da authored Oct 03, 2021 by Paul Cammish
--- a/CHANGELOG
+++ b/CHANGELOG
 CHANGELOG
 ---------

+2021-10-03
+  sympl-core
+    * Workaround for Let's Encrypt cross-signed intermediate
+
 2021-04-09
  sympl-core
    * Update sympl.host to sympl.io

--- a/core/debian/changelog
+++ b/core/debian/changelog
+sympl-core (9.20211003.0) stable; urgency=medium
+
+  * Workaround for Let's Encrypt cross-signed intermediate
+
+ -- Paul Cammish <sympl@kelduum.net>  Sun, 03 Oct 2021 12:27:00 +0100
+ 
 sympl-core (9.20210409.0) stable; urgency=medium
 
  * Updated sympl.host to sympl.io

--- a/core/sbin/sympl-ssl
+++ b/core/sbin/sympl-ssl
 #!/bin/bash -e

-# Workaround wrapper script for sympl-ssl to fix a bug in IPv6 only resolution of the LE API DNS.
+# Workaround wrapper script for sympl-ssl to deal with bugs:
+# 1. in IPv6 only resolution of the LE API DNS
+# 2. with extra expired LE intermediates which sympl-ssl considers invalid

 # If theres no IPv4 address assigned...
 if [ $( sympl-ip -a | grep -c '\.' ) == 0 ] || [ $( getent hosts ipv4only.arpa | grep -c ':' ) != 0 ] ; then
@@ -20,3 +22,10 @@ else
  # Just run it nomally...
  /usr/sbin/sympl-ssl.rb $@
 fi
+
+find /srv/*/config/ssl/sets/ \( -name 'ssl.bundle' -o -name 'ssl.combined' \) -exec grep -lx '^MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/$' {} \; | while read file ; do
+    input="$( cat "$file" | tr '\n' '\t' )"
+    echo -e "$input" \
+    | sed 's|\tnLRbwHOoq7hHwg==\t-----END CERTIFICATE-----\t-----BEGIN CERTIFICATE-----\tMIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\t.*\tDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\t-----END CERTIFICATE-----|\tnLRbwHOoq7hHwg==\t-----END CERTIFICATE-----|' \
+    | tr '\t' '\n' > "$file"
+done
\ No newline at end of file