make it optional, add a knob

3 years ago · c76a76c0b0
parent 5e1ba9d4ff
commit c76a76c0b0
2 changed files with 7 additions and 2 deletions
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@ -31,7 +31,7 @@ command2 = [
 ]

 def format_for_nginx(fullchain, output):
-    """ nginx doesn't need the "compat"
+    """ We may want to strip ISRG Root X1 out
    """
    certs = []
    with open(fullchain, 'r') as pem:
@ -42,7 +42,7 @@ def format_for_nginx(fullchain, output):
                certs += [cert]
                cert = ''
    with open(output, 'w') as pem:
-        for cert in certs[:-1] if len(certs)>2 else certs:
+        for cert in certs[:-1] if len(certs)>2 and os.getenv('LETSENCRYPT_SHORTCHAIN', default="False") else certs:
            pem.write(cert)

 # Wait for nginx to start
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -163,6 +163,11 @@ See the `python docs`_ for more information.

 .. _`python docs`: https://docs.python.org/3.6/library/logging.html#logging-levels

+The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send the ISRG Root X1 certificate in TLS handshakes. This is required for `android handsets older than 7.1.1` but slows down the performance of modern devices.
+
+.. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
+
+
 Antivirus settings
 ------------------