From 78009539d1d055660115f3186a35e8520a9e977f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Sodr=C3=A9?= <psodre@gmail.com>
Date: Thu, 25 Aug 2016 01:14:56 -0400
Subject: [PATCH] Add option for a custom ca-bundle file. (#274)

* Add option for a custom ca-bundle file.

* Renamed option cacert to ca-bundle.

* Save CA_BUNDLE path in configuration file.

* Store absolule path to ca-bundle file
---
 acme.sh | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/acme.sh b/acme.sh
index 3da84b25..aa8a43eb 100755
--- a/acme.sh
+++ b/acme.sh
@@ -743,6 +743,10 @@ _inithttp() {
       CURL="$CURL --trace-ascii $_CURL_DUMP "
     fi
 
+    if [ "$CA_BUNDLE" ] ; then
+      CURL="$CURL --cacert $CA_BUNDLE "
+    fi
+
     if [ "$HTTPS_INSECURE" ] ; then
       CURL="$CURL --insecure  "
     fi
@@ -753,6 +757,9 @@ _inithttp() {
     if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then
       WGET="$WGET -d "
     fi
+    if [ "$CA_BUNDLE" ] ; then
+      WGET="$WGET --ca-certificate $CA_BUNDLE "
+    fi
     if [ "$HTTPS_INSECURE" ] ; then
       WGET="$WGET --no-check-certificate "
     fi
@@ -2058,6 +2065,12 @@ issue() {
     _savedomainconf  "Le_RenewalDays"   "$Le_RenewalDays"
   fi
   
+  if [ "$CA_BUNDLE" ] ; then
+    _saveaccountconf CA_BUNDLE "$CA_BUNDLE"
+  else
+    _clearaccountconf "CA_BUNDLE"
+  fi
+
   if [ "$HTTPS_INSECURE" ] ; then
     _saveaccountconf HTTPS_INSECURE "$HTTPS_INSECURE"
   else
@@ -2772,6 +2785,7 @@ Parameters:
   --listraw                         Only used for '--list' command, list the certs in raw format.
   --stopRenewOnError, -se           Only valid for '--renewall' command. Stop if one cert has error in renewal.
   --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
+  --ca-bundle                       Specifices the path to the CA certificate bundle to verify api server's certificate.
   --nocron                          Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
   --ecc                             Specifies to use the ECC cert. Valid for '--installcert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
   "
@@ -2846,6 +2860,7 @@ _process() {
   _listraw=""
   _stopRenewOnError=""
   _insecure=""
+  _ca_bundle=""
   _nocron=""
   _ecc=""
   while [ ${#} -gt 0 ] ; do
@@ -3088,6 +3103,11 @@ _process() {
         _insecure="1"
         HTTPS_INSECURE="1"
         ;;
+    --ca-bundle)
+        _ca_bundle=$(readlink -f $2)
+        CA_BUNDLE="$_ca_bundle"
+        shift
+        ;;
     --nocron)
         _nocron="1"
         ;;