From 915f209ea5f8e865f9bd671001627e0ae9f6abec Mon Sep 17 00:00:00 2001
From: aptalca
Date: Tue, 12 Oct 2021 10:04:57 -0400
Subject: [PATCH] fix old root detection (staging and acme server)
---
 README.md | 1 +
 readme-vars.yml | 1 +
 root/etc/cont-init.d/50-config | 3 ++-
 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1fa8570..300ebb0 100644
--- a/README.md
+++ b/README.md
@@ -332,6 +332,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **12.10.21:** - Fix deprecated LE root cert check to fix failures when using `STAGING=true`, and failures in revoking.
 * **06.10.21:** - Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps.
 * **01.10.21:** - Check if the cert uses the old LE root cert, revoke and regenerate if necessary. [Here's more info](https://twitter.com/letsencrypt/status/1443621997288767491) on LE root cert expiration
 * **19.09.21:** - Add an optional header to opt out of Google FLoC in `ssl.conf`.
diff --git a/readme-vars.yml b/readme-vars.yml
index b1421a2..6e177dd 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -155,6 +155,7 @@ app_setup_nginx_reverse_proxy_block: ""
 # changelog
 changelogs:
+ - { date: "12.10.21:", desc: "Fix deprecated LE root cert check to fix failures when using `STAGING=true`, and failures in revoking." }
 - { date: "06.10.21:", desc: "Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps." }
 - { date: "01.10.21:", desc: "Check if the cert uses the old LE root cert, revoke and regenerate if necessary. [Here's more info](https://twitter.com/letsencrypt/status/1443621997288767491) on LE root cert expiration" }
 - { date: "19.09.21:", desc: "Add an optional header to opt out of Google FLoC in `ssl.conf`." }
diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index 2407b73..0f0621c 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -313,8 +313,9 @@ else
 fi
 # Check if the cert is using the old LE root cert, revoke and regen if necessary
-if [ -f "/config/keys/letsencrypt/chain.pem" ] && ([ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]) && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
+if [ -f "/config/keys/letsencrypt/chain.pem" ] && ([ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]) && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
 echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
+ REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
 certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
 rm -rf /config/etc/letsencrypt
 mkdir -p /config/etc/letsencrypt
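Review bot: The exit status of `certbot revoke` is still ignored after the new `REV_ACMESERVER` assignment, so `rm -rf /config/etc/letsencrypt` runs whether or not the revocation succeeded and the log gives no hint that the old cert may remain unrevoked. Consider ending that line with `--server "$REV_ACMESERVER" || echo "Revocation failed; the old cert was not revoked. Continuing with regeneration."`, which also quotes the variable. The new assignment pins the production endpoint, which matches the added `STAGING != true` guard, but it overwrites `REV_ACMESERVER` at script scope, and the variable appears to be set elsewhere in the file; a comment such as `# revoke against the production endpoint; staging is excluded by the check above` would make that intent explicit. The `if` block closes outside this hunk, so later uses of the variable are not visible here.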