simplify as per ghostwheel42's suggestion

core/nginx/conf/nginx.conf

@@ -289,8 +289,8 @@ mail {
       listen [::]:25;
       {% if TLS and not TLS_ERROR %}
       {% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}
-      ssl_certificate /certs/letsencrypt/live/mailu/nginx-chain-DANE.pem;
-      ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/nginx-chain-DANE.pem;
+      ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
+      ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/fullchain.pem;
       {% endif %}
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
       ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;

core/nginx/config.py

@@ -34,6 +34,24 @@ args["TLS"] = {
     "notls": None
 }[args["TLS_FLAVOR"]]
 
+def format_for_nginx(fullchain, output):
+    """ We may want to strip ISRG Root X1 out """
+    certs = []
+    with open(fullchain, 'r') as pem:
+        cert = ''
+        for line in pem:
+            cert += line
+            if '-----END CERTIFICATE-----' in line:
+                certs += [cert]
+                cert = ''
+    with open(output, 'w') as pem:
+        for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
+            pem.write(cert)
+
+if args['TLS_FLAVOR'] in ['letsencrypt', 'mail-letsencrypt']:
+    format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
+    format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
+
 if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"]):
     print("Missing cert or key file, disabling TLS")
     args["TLS_ERROR"] = "yes"

core/nginx/letsencrypt.py

@@ -32,39 +32,11 @@ command2 = [
     "--post-hook", "/config.py"
 ]
 
-def format_for_nginx(fullchain, output):
-    """ We may want to strip ISRG Root X1 out
-    """
-    certs = []
-    with open(fullchain, 'r') as pem:
-        cert = ''
-        for line in pem:
-            cert += line
-            if '-----END CERTIFICATE-----' in line:
-                certs += [cert]
-                cert = ''
-    with open(output, 'w') as pem:
-        for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
-            pem.write(cert)
-
-def add_DANE_pin(chain, output):
-    with open(output, 'w') as pem:
-        with open(chain, 'r') as chain:
-            for line in chain:
-                pem.write(line)
-        with open('/etc/ssl/certs/ca-cert-ISRG_Root_X1.pem', 'r') as isrgx1:
-            for line in isrgx1:
-                pem.write(line)
-
 # Wait for nginx to start
 time.sleep(5)
 
 # Run certbot every day
 while True:
     subprocess.call(command)
-    format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
-    add_DANE_pin('/certs/letsencrypt/live/mailu/chain.pem', '/certs/letsencrypt/live/mailu/nginx-chain-DANE.pem')
     subprocess.call(command2)
-    format_for_nginx('/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain.pem')
-    add_DANE_pin('/certs/letsencrypt/live/mailu-ecdsa/chain.pem', '/certs/letsencrypt/live/mailu-ecdsa/nginx-chain-DANE.pem')
     time.sleep(86400)