From 6e9fc282cfdc404641ebcb123d1cae55266da2d4 Mon Sep 17 00:00:00 2001
From: Lorenzo Zolfanelli
Date: Fri, 24 Mar 2017 18:10:20 +0100
Subject: [PATCH] add chaining intermediat in target crt
---
 roles/nginx/defaults/main.yml | 2 ++
 roles/nginx/tasks/letsencrypt.yaml | 12 +++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index e36b5f1..a88a186 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -19,6 +19,8 @@ nginx_separate_logs_per_site: False
 letsencrypt_pause: false
 letsencrypt_account_key: "/etc/ssl/private/letsencrypt.key.pem"
+letsencrypt_intermediate_url: "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
+letsencrypt_intermediate_crt: "/etc/ssl/private/intermediatex3.crt"
 letsencrypt_challenge_webroot: "/var/www/html"
 letsencrypt_ssl_country: "IT"
 letsencrypt_ssl_state: "Italy"
diff --git a/roles/nginx/tasks/letsencrypt.yaml b/roles/nginx/tasks/letsencrypt.yaml
index 96cfc7b..6a94317 100644
--- a/roles/nginx/tasks/letsencrypt.yaml
+++ b/roles/nginx/tasks/letsencrypt.yaml
@@ -12,7 +12,7 @@
 -out {{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~".csr") }}
 -subj "/C={{ item.letsencrypt.ssl_country | default(letsencrypt_ssl_country)
 }}/ST={{ item.letsencrypt.ssl_state | default(letsencrypt_ssl_state)
- }}/L{{ item.letsencrypt.ssl_loc | default(letsencrypt_ssl_loc)
+ }}/L={{ item.letsencrypt.ssl_loc | default(letsencrypt_ssl_loc)
 }}/O={{ item.letsencrypt.ssl_org | default(letsencrypt_ssl_org)
 }}/CN={{ item.letsencrypt.ssl_cn | default(item.server.server_name)
 }}/emailAddress={{ item.letsencrypt.ssl_email | default(letsencrypt_ssl_email) }}"
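Review bot: The new default `letsencrypt_intermediate_url` pins one specific intermediate (the X3 cross-signed PEM), so the chain this role builds is only correct while the CA signs the issued certificate with that same intermediate. A comment above it such as `# must be the intermediate that signed the issued certificate; override when the CA changes issuer` would make that dependency explicit. `letsencrypt_intermediate_crt` places a public certificate under `/etc/ssl/private`, next to the account key; a path outside the key directory, or a comment explaining the choice, would keep public and secret material apart. Because the downloaded file ends up inside the certificate nginx serves, a companion checksum default passed to the `checksum:` option of `get_url` would let the download task reject unexpected content.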
@@ -43,3 +43,13 @@
 acme_directory: "{{ letsencrypt_acme_dir | default(omit) }}"
 data: "{{ letsencrypt_challenge }}"
 notify: restart nginx
+
+- name: download intermediate cert for chaining
+ get_url:
+ url: "{{ letsencrypt_intermediate_url }}"
+ dest: "{{ letsencrypt_intermediate_crt }}"
+ when: letsencrypt_challenge|changed
+
+- name: chaining intermediate certificate
+ shell: "cat {{ letsencrypt_intermediate_crt }} >> {{ item.server.ssl_certificate }}"
+ when: letsencrypt_challenge|changed
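Review bot: The new `chaining intermediate certificate` task reads `item.server.ssl_certificate` but carries no loop of its own in this hunk, so it only works if `item` is supplied from outside, for example by a looped include of this file; that is not visible here and should be confirmed. Both paths are also interpolated unquoted into the shell line; `shell: "cat {{ letsencrypt_intermediate_crt | quote }} >> {{ item.server.ssl_certificate | quote }}"` keeps a path containing spaces or shell metacharacters from being split or interpreted. Because `>>` appends, the result is only correct when the certificate file has just been rewritten. The `when: letsencrypt_challenge|changed` guard presumably ensures that, but a run interrupted between the two steps could leave the intermediate missing or appended twice, which a short comment on the task should state. The task that registers `letsencrypt_challenge` starts outside the hunk.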