Don't handle ACME root certs

They are volatile, and issued certs are already bundled nowadays.
2024-08-04 10:46:47 +02:00 · 2024-08-04 10:46:47 +02:00 · 4392e65f3f
commit 4392e65f3f
parent e40e65bd62
5 changed files with 14 additions and 82 deletions
--- a/src/symbols/acme/cert.rs
+++ b/src/symbols/acme/cert.rs
@ -12,7 +12,6 @@ use std::path::Path;
 pub struct Cert<_C, C, D, P> {
  domain: D,
  command_runner: C,
-  root_cert_path: P,
  account_key_path: P,
  challenges_path: P,
  csr_path: P,
@ -24,7 +23,6 @@ impl<_C, C, D, P> Cert<_C, C, D, P> {
  pub fn new(
    domain: D,
    command_runner: C,
-    root_cert_path: P,
    account_key_path: P,
    challenges_path: P,
    csr_path: P,
@ -33,7 +31,6 @@ impl<_C, C, D, P> Cert<_C, C, D, P> {
    Self {
      domain,
      command_runner,
-      root_cert_path,
      account_key_path,
      challenges_path,
      csr_path,
@ -84,8 +81,12 @@ impl<_C: CommandRunner, C: Borrow<_C>, D: AsRef<str>, P: AsRef<Path>> Symbol for
            "openssl",
            args![
              "verify",
-              "--untrusted",
-              self.root_cert_path.as_ref(),
+              // Since the cert file includes the intermediate,
+              // this pulls the intermediate into the verification chain
+              // without trusting it
+              "-untrusted",
+              self.cert_path.as_ref(),
+              // Only the first cert in the cert file is verified
              self.cert_path.as_ref(),
            ],
          )