Add CA_BUNDLE environment variable

Allows acme.sh to use an alternative trusted root CA

app/letsencrypt_service

@@ -134,6 +134,16 @@ function update_cert {
     params_base_arr+=(--log /dev/null)
     [[ "$DEBUG" == 1 ]] && params_base_arr+=(--debug 2)
 
+    # Alternative trusted root CA path, used for test with Pebble
+    if [[ -n "${CA_BUNDLE// }" ]]; then
+        if [[ -f "$CA_BUNDLE" ]]; then
+            params_base_arr+=(--ca-bundle "$CA_BUNDLE")
+            [[ "$DEBUG" == 1 ]] && echo "Debug: acme.sh will use $CA_BUNDLE as trusted root CA."
+        else
+            echo "Warning: the path to the alternate CA bundle ($CA_BUNDLE) is not valid, using default Alpine trust store."
+        fi
+    fi
+
     # CLI parameters array used for --register-account
     local -a params_register_arr
 

docs/Container-configuration.md

@@ -22,3 +22,5 @@ You can also create test certificates per container (see [Test certificates](./L
 * `RENEW_PRIVATE_KEYS` - Set it to `false` to make `acme.sh` reuse previously generated private key for each certificate instead of creating a new one on certificate renewal. Reusing private keys can help if you intend to use [HPKP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning), but please note that HPKP has been deprecated by Google's Chrome and that it is therefore strongly discouraged to use it at all.
 
 * `DHPARAM_BITS` - Change the size of the Diffie-Hellman key generated by the container from the default value of 2048 bits. For example `--env DHPARAM_BITS=1024` to support some older clients like Java 6 and 7.
+
+* `CA_BUNDLE` - This is a test only variable [for use with Pebble](https://github.com/letsencrypt/pebble#avoiding-client-https-errors). It changes the trusted root CA used by `acme.sh`, from the default Alpine trust store to the CA bundle file located at the provided path (inside the container). Do **not** use it in production unless you are running your own ACME CA.