format certs for nginx

core/nginx/conf/tls.conf

@@ -3,6 +3,7 @@ ssl_certificate_key {{ TLS[1] }};
 {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
 ssl_certificate {{ TLS[2] }};
 ssl_certificate_key {{ TLS[3] }};
+ssl_trusted_certificate /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem;
 {% endif %}
 ssl_session_timeout 1d;
 ssl_session_tickets off;

core/nginx/config.py

@@ -26,11 +26,11 @@ cert_name = os.getenv("TLS_CERT_FILENAME", default="cert.pem")
 keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem")
 args["TLS"] = {
     "cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
-    "letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem",
+    "letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
     "mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
-    "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/chain.pem",
+    "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/nginx-chain.pem",
-        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
+        "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
     "notls": None
 }[args["TLS_FLAVOR"]]
 

core/nginx/letsencrypt.py

@@ -4,7 +4,6 @@ import os
 import time
 import subprocess
 
-
 command = [
     "certbot",
     "-n", "--agree-tos", # non-interactive
@@ -31,12 +30,30 @@ command2 = [
     "--post-hook", "/config.py"
 ]
 
+def format_for_nginx(fullchain, output):
+    """ nginx expects cert + intermediate
+    whereas letsencrypt provides ca + intermediate + cert
+    """
+    certs = []
+    with open(fullchain, 'r') as pem:
+        cert = ''
+        for line in pem:
+            cert += line
+            if '-----END CERTIFICATE-----' in line:
+                certs += [cert]
+                cert = ''
+    with open(output, 'w') as pem:
+        for cert in reversed(certs[1:]):
+            pem.write(cert)
+
 # Wait for nginx to start
 time.sleep(5)
 
 # Run certbot every hour
 while True:
     subprocess.call(command)
+    format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
     subprocess.call(command2)
+    format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
     time.sleep(3600)