Add ssl_trusted_certificate directive.

README.md

@@ -48,6 +48,7 @@ And some additional arguments:
 
 ```
   --cert-path (default: /letsencrypt/certs/%s/fullchain.pem) path to the SSL cert.
+  --trusted-cert-path (default: /letsencrypt/certs/%s/chain.pem) path to the CA certs used in SSL stapling.
   --cert-key-path (default: /letsencrypt/certs/%s/privkey.pem) path to the SSL cert's private key.
 ```
 

generate.py

@@ -10,6 +10,7 @@ parser.add_argument('--name', help='Name of the docker host to request certifica
 parser.add_argument('--etcd-port', type=int, help='Port to connect to etcd on', default=2379)
 parser.add_argument('--etcd-host', help='Host to connect to etcd on', default='etcd')
 parser.add_argument('--etcd-prefix', help='Prefix to use when retrieving keys from etcd', default='/docker')
+parser.add_argument('--trusted-cert-path', help='Path to use for trusted CA certificate. Use "%s" for hostname', default='/letsencrypt/certs/%s/chain.pem')
 parser.add_argument('--cert-path', help='Path to use for certificates. Use "%s" for hostname', default='/letsencrypt/certs/%s/fullchain.pem')
 parser.add_argument('--cert-key-path', help='Path to use for certificate private keys. Use "%s" for hostname', default='/letsencrypt/certs/%s/privkey.pem')
 args = parser.parse_args()
@@ -30,6 +31,7 @@ while True:
       'host': next(iter(networks.values())), # TODO: Pick a bridge sensibly?
       'port': values,
       'certificate': args.cert_path % domains[container][0],
+      'trusted_certificate': args.trusted_cert_path % domains[container][0],
       'certificate_key': args.cert_key_path % domains[container][0]
     })
 

nginx.tpl

@@ -5,6 +5,7 @@ server {
     listen 443 ssl http2;
 
     ssl_certificate {{ service.certificate }};
+    ssl_trusted_certificate {{ service.trusted_certificate }};
     ssl_certificate_key {{ service.certificate_key }};
 
     include {{ service.vhosts[0] }}/*.conf;