From 8e2ccee0f2989885632c27c7f33a87719d3838ec Mon Sep 17 00:00:00 2001
From: Rafael dos Santos Silva
Date: Mon, 25 Oct 2021 14:45:24 -0300
Subject: [PATCH] FIX: Remove expired LE root cert from our local validation

The old root was getting openssl confused, resulting in a new certificate on every rebuild that could easily trigger existing let's encrypt rate-limits.
---
 templates/web.letsencrypt.ssl.template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml
index fcec567..986be02 100644
--- a/templates/web.letsencrypt.ssl.template.yml
+++ b/templates/web.letsencrypt.ssl.template.yml
@@ -63,7 +63,7 @@ hooks:
 }
 cert_exists() {
- [[ "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME$1 && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]]
+ [[ "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME$1 && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer | grep "OK")" ]]
 }
 ########################################################
--
2.25.1
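Review bot: The added `-CAfile <(openssl x509 -in ca.cer)` in `cert_exists` depends on `openssl x509` emitting only the first PEM block of `ca.cer` and silently discarding the rest, and nothing on the line records that; a comment such as `# pass only the first cert in ca.cer to verify; the later entry chains to the expired root and makes verification fail` would stop a later edit from reverting it to the plain file. With the rest of the bundle dropped, a passing verify presumably relies on the container's default trust store holding the current root, and if `ca.cer` is missing or reordered the check fails and a new certificate is requested on every rebuild, which is the rate-limit problem the commit describes. Separately, the outcome is still decided by `grep "OK"` on the output and the `cd` path is unquoted; testing the exit status is less fragile: `cd "$$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME$1" && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer >/dev/null`.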